GDPR: What the CJEU Cookie Ruling Means for Businesses
The Court of Justice of the European Union delivered a ruling on October 1, 2019, which stated that businesses must obtain active, freely given, specific, informed, and unambiguous consent from consumers before storing cookies in their devices.
The CJEU’s specific directive was that opt-out consent through a pre-checked checkbox is not adequate consent for the storage of cookies on users’ devices. This ruling applies to any website that employs tracking cookies, a majority of which do not seek GDPR-level consent.
What is the Background of the CJEU Cookie Ruling?
This case was brought to the CJEU after Planet49, a German online gaming company, presented its customers wishing to take part in its online lottery with two checkboxes whereby:
- The first checkbox requested the data subject’s permission to give sponsors and cooperation partners consent to provide the user with information about their businesses. This checkbox was unchecked by default, and the data subject actively had to select the box to indicate his or her consent.
- The second checkbox requested the data subject’s consent for the use of cookies that may allow Planet49 and other websites to track the data subject’s browsing activity across websites and to provide tracking data to advertising partners. This checkbox was checked by default, and the data subject had to actively deselect the box to opt out of this use of his or her information.
The German Federation of Consumer Organizations challenged Planet49’s practice of obtaining consent in the German courts and eventually asked the CJEU to interpret EU law to clarify whether consent by pre-checked boxes is a valid form of consent in general across the Union.
What are the Key Issues the CJEU Addressed in the Cookie Ruling?
Question 1: Does a pre-checked checkbox that the user must actively untick to withdraw their consent constitute valid consent under the ePrivacy Directive, as well as the Data Protection Directive (DPD) and the General Data Protection Regulation (GDPR)?
CJEU Ruling: Pre-checked boxes to obtain cookie consent do NOT constitute valid consent according to Recital 17 of the ePrivacy Directive, Article 32 of the GDPR or the DPD. The Court expressed that the consent must constitute a freely given, specific and informed indication of users' wishes, which may be manifested in the form of "ticking a box when visiting an internet website".
Question 2: Does it matter whether the data stored or accessed using cookies is personal information?
CJEU Ruling: Regardless of whether cookies process personal data or not, clear, active consent is required from users.
Question 3: What kind of disclosures must be made to users as part of the transparency requirements of the ePrivacy Directive?
CJEU Ruling: Website operators must make prior disclosures to consumers about:
(i) The duration for which their data is processed in line with the GDPR
(ii) Whether or not third parties have access to the information, and if so, which third parties
What Questions did the CJEU Cookie Ruling Fail to Clarify?
- The CJEU Ruling left open the question of ‘cookie walls’, since it does not clarify whether the requirement for consent to be “freely given” under Article 2(h) of the DPD, as well as Article 4(11) and Article 7(4) of the GDPR, is compatible with requiring a user to consent to the processing of their data for advertising purposes as a prerequisite for participation in a promotional lottery.
- The Ruling also failed to clarify whether implied consent amounts to a violation of both the ePrivacy Directive and the GDPR.
- The CJEU did not offer guidance on how consent for different kinds of cookies should be obtained. The question of whether companies need to obtain uniform consent for all cookies or seek consent for each cookie was not addressed.
What is the Impact of the CJEU Cookie Ruling on Companies?
Following the cookie ruling, businesses need to:
- Obtain active, clear, and specific consent for the use of cookies. Pre-checked boxes should NOT be used. Similarly, implied consent in the form of ‘by continuing to browse this website, you agree to the use of cookies’ should be avoided.
- Reform their cookie policy to make users aware of the duration of the cookies they agree to.
- Review their cookie policies to provide prior disclosure to consumers about third parties that have access to their information. In this case, the general statement that ‘third parties may have access to the cookie data’ is not enough. It is vital to identify every third-party individually.
Secure Privacy is a software solution that helps you handle cookie consent, monitoring, and control on your website in line with the requirements of the GDPR.