ECJ (Case C‑673/17, Planet49): Con­sent to the set­ting of coo­kies must be actively given

In its ruling of Octo­ber 1, 2019 (Judgment in Case C‑673/17, Planet49) ruled that pre-set check­bo­xes, which the user must desel­ect in order to refu­se con­sent, do not satis­fy the requi­re­ment of con­sent to the use of coo­kies for adver­ti­sing pur­po­ses. It is irrele­vant whe­ther the data stored by the coo­kies is a pro­ce­s­sing of per­so­nal data or not. All user infor­ma­ti­on stored on ter­mi­nal devices, whe­ther with or wit­hout a per­so­nal refe­rence, is part of their pri­va­cy and must the­r­e­fo­re be pro­tec­ted under Uni­on law.

With its decis­i­on, the ECJ has cla­ri­fi­ed the “how” of con­sent accor­ding to the Coo­kie Direc­ti­ve and the Gene­ral Data Pro­tec­tion Regu­la­ti­on: if con­sent is requi­red – as is the case here accor­ding to the Coo­kie Direc­ti­ve – this con­sent must be actively given.

The “whe­ther” con­sent was requi­red under the Gene­ral Data Pro­tec­tion Regu­la­ti­on was not the sub­ject of the ruling.

Howe­ver, the ruling crea­tes fur­ther cla­ri­ty regar­ding the scope of the infor­ma­ti­on obli­ga­ti­ons of ser­vice pro­vi­ders. With regard to coo­kies, they must also inform users about the dura­ti­on of the func­tion and the access opti­ons of third parties.