Cookie consent must be an active choice (5 requirements from CJEU)

Cookie consent
Cookie consent must be active the ECJ states in new ruling Planet49. Photo by Austin Distel.

A new ruling in the Planet49 case by the EU Court of Justice (CJEU) states that internet users must actively give their consent to the storage of cookies and similar technologies. This puts an end to the use of opt-out and soft opt-in mechanisms for cookies under the GDPR and ePrivacy Directive.

Reading time: 2 min

5 requirements for a valid cookie consent (according to CJEU)

  1. Active behaviour with intention to provide consent is required (claiming in notices that continuing browsing or scrolling is enough is not lawful)
  2. Confirmation boxes can not be pre-ticked (pre-ticked boxes are not a valid form of consent)
  3. Purposes must not be bundled together
  4. Information about the expiration date of cookies must be disclosed
  5. Information about any third parties that may have access to those cookies must be disclosed.

The requirements apply to cookies whether or not personal data is accessed.


On 1 October 2019, the Court of Justice of the European Union published its judgement in the Planet49 case regarding how to consent to cookies and similar technologies online. The case was referred by a German court and concerned an online lottery.

Planet49 had organised a promotional lottery where an internet user had to click or unclick two checkboxes before participating. One of the checkboxes required the user to accept being contacted by a range of firms for promotional offers. The second checkbox required the user to consent to cookies being installed on its computer and contained a preselected checkbox. Participation in the lottery was possible only if at least the first checkbox was ticked.


Looking for a practical guide to the DPO role?

The book Data Protection Officer provides a practical guide to the DPO role, encompassing the key activities you’ll need to manage to succeed in the role. Coverage includes data protection fundamentals and processes, understanding risk and relevant standards, frameworks and tools, with DPO tips also embedded throughout the book and case studies included to support practice-based learning.

Available as an e-book and paperback. Get a preview or free sample: Data Protection Officer (BCS Guides to It Roles)

The requirement of an active cookie consent

The court said that the requirement of an ‘indication’ of the data subject’s wishes clearly points to active, rather than passive, behaviour. A preselected tick in a checkbox does not imply active behaviour. An assumed or implied consent does not fulfil the requirement of a consent to be ‘unambiguous’.

The court stated ‘Only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement’ (paragraph 54 in the judgement).

It was not possible to objectively determine whether a website user had actually given consent by not opting-out, nor whether that consent had been informed. Thus, a user must actively give consent to the lawful instalment of cookies. These requirements apply to the processing and storage of all information, not just individuals’ personal data.

Information to the internet user

The court also discussed what information a site owner must provide in terms of tracking cookies. CJEU established that a user must be able to easily see the consequences of any consent he or she might give and ensure that the consent given is well informed. Therefore, the information should include details about the duration of the operation of the cookies and whether or not third parties may have access to those cookies.

It is recommended that website owners revisit their cookie consent mechanism and cookie policy to make sure it is aligned with this clear guidance from the EU’s highest court.


Please enter your comment!
Please enter your name here