COOKIES. CONSENT. COMPLIANCE
secure privacy badge logo
February 3, 2020

GDPR: What the CJEU Cookie Ruling Means for Businesses

The Court of Justice of the European Union delivered a ruling on October 1, 2019, which stated that businesses must obtain active, freely given, specific, informed, and unambiguous consent from consumers before storing cookies in their devices.

The Court of Justice of the European Union delivered a ruling on October 1, 2019, which stated that businesses must obtain active, freely given, specific, informed, and unambiguous consent from consumers before storing cookies in their devices.

The CJEU’s specific directive was that opt-out consent through a pre-checked checkbox is not adequate consent for the storage of cookies in users’ devices. This ruling applies to any website that employees tracking cookies, a majority of which do not seek GDPR-level consent.

What is the Background of the CJEU Cookie Ruling?

This case was brought to the CJEU after Planet49, a German online gaming company, presented its customers wishing to take part in its online lottery with two checkboxes whereby:

  • The first checkbox requested the data subject’s permission to give sponsors and cooperation partners consent to provide the user with information about their businesses. This checkbox was unchecked by default, and the data subject actively had to select the box to indicate his or her consent.
  • The second checkbox requested the data subject’s consent for the use of cookies that may allow Planet49 and other websites to track the data subject’s browsing activity across websites and to provide tracking data to advertising partners. This checkbox was automatically checked by default and the data subject had to actively deselect the box to opt-out of this use of his or her information.

The German Federation of Consumer Organizations challenged Planet49’s practice of obtaining consent in the German courts and eventually asked the CJEU to interpret EU law to clarify whether consent by pre-checked boxes is a valid form of consent in general across the Union.

What are the Key Issues the CJEU Addressed in the Cookie Ruling?

Question 1: Is a pre-checked checkbox that the user must actively untick to withdraw their consent constitute valid consent under the ePrivacy Directive, as well as the Data Protection Directive (DPD) and the General Data Protection Regulation (GDPR)?

CJEU Ruling: Pre-checked boxes to obtain cookie consent do NOT constitute valid consent according to Recital 17 of the ePrivacy Directive, Article 32 of the GDPR or the DPD. The Court expressed that the consent must constitute a freely given, specific and informed indication of users' wishes, which may be manifested in the form of "ticking a box when visiting an internet website"

Question 2: Does it matter whether the data stored or accessed using cookies is personal information?

CJEU Ruling: Regardless of whether cookies process personal data or not, clear, active consent is required from users.

Question 3: What kind of disclosures must be made to users as part of the transparency requirements of the ePrivacy Directive?

CJEU Ruling: Website operators must make prior disclosures to consumers about;

(i)The duration for which their data is processed in line with the GDPR

(ii)Whether or not third parties have access to the information, and if so, which third-parties

What Questions did the CJEU Cookie Ruling Fail to Clarify?

  • The CJEU Ruling left open question of ‘cookie walls’ since it does not clarify as to whether the requirement for consent to be “freely given” under Article 2(h) of the DPD, as well as Article 4(11) and Article 7(4) of the  GDPR is compatible with requiring a user to consent to the processing of their data for advertising purposes as a prerequisite for participation in a promotional lottery.
  • The Ruling also failed to clarify whether the question of implied consent amounts to violations of both the ePrivacy Directive and the GDPR.
  • The CJEU did not offer guidance on how consent for different kinds of cookies should be obtained. The question of whether companies need to obtain uniform consent for all cookies or seek consent for each cookie was not addressed.

What is the Impact of the CJEU Cookie Ruling on Companies?

Following the cookie ruling, businesses need to;

  • Obtain active, clear, and specific consent for the use of cookies. Pre-checked boxes should NOT be used. Similarly, implied consent in the form of, ‘by continuing to browse this website, you agree to the use of cookies’ should be avoided.
  • Reform their cookie policy to make users aware of the duration of cookies they agree to
  • Review their cookie policies to provide prior disclosure to consumers about third parties that have access to their information. In this case, the general statement that ‘third parties may have access to the cookie data’ is not enough. It is vital to identify every third-party individually.

Secure Privacy is a software solution that helps you handle cookie consent, monitoring, and control on your website in line with the requirements of the GDPR.

For additional queries or concerns, book a call with us today for personalized support on how to manage cookies on your website and become GDPR compliant

Additional Resources;

Learn more about GDPR and the ePrivacy Directive with our comprehensive summaries of the EU’s data protection laws

Download your free GDPR and ePrivacy Directive e-book straight into your inbox

 

logo

Get Started For Free with the
#1 Cookie Consent Platform.

tick

No credit card required

Sign-up for FREE

image

GDPR Compliance Automation: Complete Guide & Tool Comparison

Your privacy team is drowning in manual GDPR workflows. Data subject access requests pile up for weeks. Data mapping takes months instead of minutes. Your spreadsheet-based consent records can't scale to millions of users. Meanwhile, European regulators issued €1.2 billion in GDPR fines last year alone, and your current compliance approach can't keep pace with enforcement intensity or business growth. GDPR compliance automation transforms this reality by applying intelligent technology to streamline, accelerate, and enhance the accuracy of data protection activities. Organizations implementing comprehensive automation report 85-97% reduction in compliance workloads while improving accuracy and reducing regulatory risk by up to 75%. This guide explains what GDPR compliance can be automated, which processes require human judgment, how to select automation platforms, and what ROI you can expect from intelligent privacy technology investments.

    image

    What is ad_user_data in Google Consent Mode v2 — and Why It Matters for Your Ads

    Your Google Ads conversion tracking just stopped working in Europe. Campaign performance dropped 30% overnight. Google Tag Assistant shows consent signal errors. You're seeing warnings about missing Consent Mode v2 implementation, but you're not sure what ad_user_data means or why Google suddenly requires it.

      cookie consent best practices

      Cookie Consent Best Practices: Getting your Website Compliant in 2025

      Your website just lost another potential customer. Not because of your product, pricing, or user experience — but because your cookie banner frustrated them into clicking away. Sound familiar?

      • Cookie Consent