- Preset checkboxes are not sufficient as consent; users must actively agree.
- Protection applies to all information stored on end devices, whether personal or not.
- The ruling clarifies the “how” of the consent obligation under the Cookie Directive and GDPR: active consent required.
- Service providers must provide comprehensive information about the duration of cookies and third-party access.
In its ruling of October 1, 2019 (Judgment in Case C‑673/17, Planet49) ruled that pre-set checkboxes, which the user must deselect in order to refuse consent, do not satisfy the requirement of consent to the use of cookies for advertising purposes. It is irrelevant whether the data stored by the cookies is a processing of personal data or not. All user information stored on terminal devices, whether with or without a personal reference, is part of their privacy and must therefore be protected under Union law.
With its decision, the ECJ has clarified the “how” of consent according to the Cookie Directive and the General Data Protection Regulation: if consent is required – as is the case here according to the Cookie Directive – this consent must be actively given.
The “whether” consent was required under the General Data Protection Regulation was not the subject of the ruling.
However, the ruling creates further clarity regarding the scope of the information obligations of service providers. With regard to cookies, they must also inform users about the duration of the function and the access options of third parties.