Europe’s top court rules tracking cookies need active consent

As part of a case between consumer groups in Germany and the website Planet49, Europe’s top court has ruled that pre-checked consent boxes, or assumed consent, for analytics and tracking cookies are not legally valid – in any circumstances and violate the GDPR and ePrivacy Directive.

Consent for tracking and analytics cookies must be obtained prior to storing or accessing these non-essential cookies in the view of the Court. 

Consent cannot be implied, assumed, predicted, anticipated, or, well, you get the idea.

It’s a decision that will put various websites into legal hot water in Europe if their cookie notices don’t ask for consent before setting analytics, advertising, or tracking cookies. As many websites don’t do this, preferring not to put at risk their ability to track users for ad targeting and analytics purposes.

Website owners and businesses could now be risking big fines under EU privacy laws, and presumably the GDPR if they don’t obtain valid consent for tracking their website visitors.

In the press release, relating to the Planet49 case, the court writes:

In today’s judgment, the Court decides that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a prechecked checkbox which that user must deselect to refuse his or her consent.

That decision is unaffected by whether or not the information stored or accessed on the user’s equipment is personal data. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.

The Court notes that consent must be specific so that the fact that a user selects the button to participate in a promotional lottery is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.

Furthermore, according to the Court, the information that the service provider must give to a user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.

So the long and short of it is that pre-checked consent boxes (or cookie banners that tell you a cookie has already been saved to your computer and pointlessly invite you to click an ‘accept’ or ‘ok’ button) aren’t valid under EU law in any situation.