A new ruling in the Planet49 case by the EU Court of Justice (CJEU) states that internet users must actively give their consent to the storage of cookies and similar technologies. This puts an end to the use of opt-out and soft opt-in mechanisms for cookies under the GDPR and ePrivacy Directive.
Reading time: 2 min
5 requirements for a valid cookie consent (according to CJEU)
- Active behaviour with intention to provide consent is required (claiming in notices that continuing browsing or scrolling is enough is not lawful)
- Confirmation boxes can not be pre-ticked (pre-ticked boxes are not a valid form of consent)
- Purposes must not be bundled together
- Information about the expiration date of cookies must be disclosed
- Information about any third parties that may have access to those cookies must be disclosed.
The requirements apply to cookies whether or not personal data is accessed.
On 1 October 2019, the Court of Justice of the European Union published its judgement in the Planet49 case regarding how to consent to cookies and similar technologies online. The case was referred by a German court and concerned an online lottery.
Planet49 had organised a promotional lottery where an internet user had to click or unclick two checkboxes before participating. One of the checkboxes required the user to accept being contacted by a range of firms for promotional offers. The second checkbox required the user to consent to cookies being installed on its computer and contained a preselected checkbox. Participation in the lottery was possible only if at least the first checkbox was ticked.
In need of GDPR-support from a law firm?
Get support to prepare you and your business for an audit from the DPA.
Read more about the business law firm Sharp Cookie Advisors
The requirement of an active cookie consent
The court said that the requirement of an ‘indication’ of the data subject’s wishes clearly points to active, rather than passive, behaviour. A preselected tick in a checkbox does not imply active behaviour. An assumed or implied consent does not fulfil the requirement of a consent to be ‘unambiguous’.
The court stated ‘Only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement’ (paragraph 54 in the judgement).
It was not possible to objectively determine whether a website user had actually given consent by not opting-out, nor whether that consent had been informed. Thus, a user must actively give consent to the lawful instalment of cookies. These requirements apply to the processing and storage of all information, not just individuals’ personal data.
Information to the internet user
The court also discussed what information a site owner must provide in terms of tracking cookies. CJEU established that a user must be able to easily see the consequences of any consent he or she might give and ensure that the consent given is well informed. Therefore, the information should include details about the duration of the operation of the cookies and whether or not third parties may have access to those cookies.