Updated June 22, 2020.
On October 1, 2019, the highest legal entity of the EU, the Court of Justice of the European Union (CJEU), ruled in the case of Planet49 that the only form of valid consent for processing user data in the EU is explicit consent, i.e. consent that is actively and specifically given by the website users by e.g. ticking a box.
This verdict is the first post GDPR that deals explicitly with consent relating to website cookies and tracking. Therefore, it is of great importance to the privacy industry and to all website owners, establishing a legal precedent that has a de facto effect on the legal requirements for cookies moving forward and until the ePrivacy Regulation is enforced.
In this blogpost, we give clarity on the CJEU’s ruling, clear up the terminology on consent (explicit/implied, active/soft opt in), and explain in plain terms what the consequences are for websites owners and operators, not just in the EU, but across the planet.
This is a watershed moment for data privacy in the European Union.
The Planet49 ruling will have far-reaching consequences not only for data privacy, but for how the Internet works.
The CJEU is the highest legal body in the European Union and their verdict – a red thread that weaves together the existing EU data privacy legislations – creates a strong precedent that significantly changes the rules around the processing of data in the EU and of EU citizens.
A precedent that can only be overturned by the passing of new data laws, such as the coming ePrivacy Regulation, expected in 2020.
In doubt whether your website is GDPR compliant? Test with Cookiebot's free compliance test.
Try Cookiebot free for 30 days... or forever if you have a small website.
The official press release from the CJEU evaporates any confusion: it is titled Storing cookies requires internet users’ active consent and makes it clear that “a pre-ticked checkbox is therefore insufficient”.
Any cookies not strictly necessary are prohibited from being pre-checked, regardless of whether the data processed is categorized as personal.
A valid cookie consent banner in the EU, according to the CJEU ruling.
In May 2020, the European Data Protection Board (EDPB) adopted guidelines on valid consent in the EU. The EDPB guidelines support the CJEU's ruling in the case of Planet49, but also covers other aspects of what constitutes valid consent under the GDPR.
The EDPB guidelines specify that:
The Court of Justice of the European Union (CJEU) is the highest legal body in the EU. It is made up of two courts, the Court of Justice and the General Court - the former comprised of one judge from each EU country plus eleven advocates general, the latter two judges with eleven advocates general.
The CJEU interprets EU law to make sure it is applied in the same way in all EU countries, settle legal disputes between national governments and EU institutions, and in this case, interprets EU law to set legal precedents.
To understand the context of the CJEU ruling on valid consent in the EU, let’s briefly explain the case of Planet49.
It sounds like a sci-fi novel from the 1950s but is in fact a German online gaming company that in 2013 organized an online promotional lottery that required users to give personal information in order to participate.
The input fields, where users were to enter in their data, were accompanied by two bodies of explanatory text and by checkboxes, one of which was pre-checked.
The German Federation on Consumer Organizations challenged Planet49’s practice of obtaining consent in the German courts, and eventually asked the CJEU to interpret EU law to clarify whether consent by pre-checked boxes is a valid form of consent in general across the Union.
The judgement that came on Tuesday October 1, 2019 from the CJEU cleared away any doubt to the case of Planet49, but what’s more: it also creates a strong precedent for how EU privacy legislations are to be interpreted alongside each other.
The CJEU’s ruling can be understood as a thread that weaves together the ePrivacy Directive of 2002 (amended in 2009), the older 1995 Directive and the General Data Protection Regulation (GDPR) of 2018.
These EU privacy legislations aim to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.
The CJEU ruling on valid consent changes the practice of analyzing user behavior on websites.
The CJEU ruling concerns the interpretation of Article 2(f) and Article 5(3) of the ePrivacy Directive 2002/2009, read in conjunction with Article 2(h) of the 1995 Directive and Article 6(1)(a) of the General Data Protection Regulation.
The CJEU ruled that the abovementioned articles must be interpreted to mean that consent is not valid if given by way of pre-checked checkboxes which the users must deselect to refuse their consent.
The CJEU also ruled that the articles from the EU privacy legislations are not to be interpreted differently according to whether or not the information stored or accessed is personal data.
Furthermore, the CJEU also ruled that websites and service providers must inform their users on the duration of the cookies on their website, and whether or not third parties have access to user data.
The only valid form of consent for processing user data in the EU is explicit consent. Pre-checked checkboxes on website cookie banners are a no-go, except for strictly necessary cookies.
Consent must be specific and given actively by the user by ticking a box, not by de-ticking a box that is already ticked. Consent is also only valid if the users have been informed about the duration of the cookies in operation, and whether any third parties will have access to their data.
Now you might be wondering what to do about your website’s consent management and how to be sure that you are compliant with the CJEU ruling that is binding in all 28 EU member states?
Let’s sort out the terminology…
Explicit consent is also known in the CJEU’s ruling as active consent, because it regards consent as an action on part of the end-user that is active, affirmative and specific.
Explicit consent has been known so far as the specific type of consent that a website must obtain, when processing sensitive personal information (such as political convictions, religious beliefs, health data).
However, with the CJEU ruling, all user data – regardless of whether it’s personal or sensitive or neither – is only to be processed after the end-users have given their explicit consent, also called active consent in the official ruling by the CJEU.
Implied consent, on the other hand, is the type of consent that has so far been valid in the EU, if your website only processes personal data (not sensitive personal data).
This type of consent is also known as soft opt in. If a user visits a website and is presented with a cookie consent banner but chooses not to click “okay” but instead to keep scrolling or visits another subpage on the domain, this activity on part of the users constitutes valid consent, even if the user is not aware of it.
This type of consent is no longer valid in the EU.
However, it is still a form of consent that is valid in other privacy legislations around the world, such as the Brazilian LGPD that was closely modelled after the EU GDPR.
Before the ruling, a valid consent banner could have pre-checked boxes for necessary, preference and statistical cookies – marketing cookies could not.
With the CJEU ruling, only necessary cookies are allowed to be pre-checked.
With the CJEU ruling, websites are not allowed to have cookie consent banners with pre-checked checkboxes. We here at Cookiebot are on the front of the privacy fight, protecting the privacy of your end-users while bringing balanced and thorough consent management to your website.
Cookiebot is a consent management solution that scans your domain and finds all cookies and trackers, blocks everything until our end-users have given their explicit consent and then securely stores all user consents for legal documentation.
Our consent solution enables compliance with the CJEU ruling.
The CJEU ruling also has consequences for websites outside of the EU. If your website is located outside of Europe, but you have European users and therefore process data of European citizens, you are obligated to follow the CJEU ruling.
You must obtain the explicit consent of EU citizens before setting any cookies on their devices that aren’t strictly necessary.
It is also no surprise that compliance with the CJEU ruling means significant changes to how you might be running your website.
If you use Google Analytics, Matomo or similar analytics tools, as most websites around the world do, to optimize your website and its operations, this ruling can cripple your insight and statistics flow.
Why? Well, you can’t have pre-checked checkboxes on your cookie consent banner, apart from the strictly necessary ones. This means that you will have to rely on your users to opt in to those categories that serve you statistical and analytical information about their behavior on your domain.
To be compliant with the EU privacy precedent from the CJEU means much stronger and more real privacy for EU end-users, but – probably – a loss in analytical data about your users for your website.
For now, this is the new privacy landscape in the EU. It undoubtably increases the anticipation for the long-awaited ePrivacy Regulation, scheduled to emerge as law in 2020, as we wait to see whether it consolidates this privacy development or moves the legal frontier once more.
The Court of Justice of the European Union (CJEU) is the highest legal body in the EU and their rulings and decisions create precedents for how EU law is the be interpreted and enforced in each EU member state. The CJEU consists of one judge from each EU country and eleven advocates general.
The ruling in the case of Planet49 by the CJEU concerned the interpretation of the GDPR’s requirement for consent as a legal basis for the legal processing of personal data. The German online gaming company Planet49 obtained user consent on their website through pre-ticked checkboxes, and the CJEU ruled that consent is not valid if given by way of pre-ticked checkboxes which users must deselect in order to refuse consent.
The CJEU ruling – along with the EDPB guidelines on valid consent from May 2020 – means that your website is not allowed to have pre-ticked checkboxes on its consent banners. The only valid form of consent in the EU under the GDPR is when a user makes a clear and affirmative action, such as selecting a checkbox and subsequently clicking OK.
Your website must always obtain the prior consent of its users before processing any of their personal data. Most cookies process personal data such as IP addresses, browser and search history, and a consent management platform can be an easy way of making sure that all data processing on your domain happens on a lawful basis.