A new European court ruling has banned pre-ticked cookie consent forms under GDPR rules.
The Court of Justice of the European Union (CJEU) this morning ruled that storing cookies requires internet users’ active consent. It’s not good enough, says the CJEU, to present users with a pre-checked box and require them to click it to opt out.
“That decision is unaffected by whether or not the information stored or accessed on the user’s equipment is personal data,” says the CJEU in a statement.
“EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.”
The ruling stems from a 2013 case when the German Federation of Consumer Organizations took legal action against online lottery company Planet49, which had a pre-ticked checkbox to authorise the use of cookies.
The cookies – data sent from a website and stored on a user’s computer – collected information to help target advertisements for products offered by Planet49’s partners.
The consumer organisation argued this was illegal because the authorisation did not involve explicit consent from the user.
The German Federal Court of Justice asked for guidance from the EU’s highest court to rule on the case in relation to EU laws on internet privacy. The EU court sided with the German consumer group, saying EU law aimed to protect consumers from interference with their private lives.
“A pre-ticked check box is therefore insufficient,” the court said in a press release, adding that cookie consent must be specific and explicit and that clicking a button to participate in a game or browsing a website, and through that allowing cookies, was not enough.
The Norwegian Research Center for Computers and Law at the University of Oslo said in a statement that the ruling is “likely to have a significant impact on the ongoing negotiations on the ePrivacy regulation which is set to regulate cookie usage.”
Several of the largest internet companies, such as Facebook and Twitter currently have implicit cookie consent, where by using the site, consent is deemed to have been given.