{"id":1127,"date":"2022-01-17T13:57:00","date_gmt":"2022-01-17T13:57:00","guid":{"rendered":"https:\/\/www.cookiebot.com\/en\/?p=1127"},"modified":"2026-03-12T09:15:13","modified_gmt":"2026-03-12T08:15:13","slug":"planet49","status":"publish","type":"post","link":"https:\/\/www.cookiebot.com\/en\/planet49\/","title":{"rendered":"Planet49 and EU GDPR"},"content":{"rendered":"\n<p><a href=\"https:\/\/admin.cookiebot.com\/signup\">Try Cookiebot CMP free for 14 days<\/a>... or forever if you have a small website.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-are-cookies-allowed-to-be-pre-checked\">Are cookies allowed to be pre-checked?<\/h2>\n\n\n\n<p>The <a href=\"https:\/\/curia.europa.eu\/jcms\/upload\/docs\/application\/pdf\/2019-10\/cp190125en.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">official press release<\/a>&nbsp;from the CJEU evaporates any confusion: it is titled <strong><em>Storing cookies requires internet users\u2019 active consent<\/em><\/strong>&nbsp;and makes it clear that&nbsp;<em>\u201ca pre-ticked checkbox is therefore insufficient\u201d.<\/em><\/p>\n\n\n\n<p>Any cookies not <strong>strictly necessary<\/strong>&nbsp;are prohibited from being pre-checked, <strong>regardless of whether the data processed is categorized as personal<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter is-resized is-style-cb-rounded\"><img loading=\"lazy\" decoding=\"async\" src=\"\/media\/4333\/consent_en.png?width=500&amp;\" alt=\"Cookieboot Pop Up Banner - Cookiebot\" width=\"770\" height=\"449\"\/><figcaption class=\"wp-element-caption\">A valid cookie consent banner in the EU,&nbsp;according to the CJEU ruling.<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-edpb-guidelines-on-valid-consent\">EDPB guidelines on valid consent<\/h3>\n\n\n\n<p>In May 2020, the <a href=\"\/en\/edpb-guidelines\/\">European Data Protection Board (EDPB) adopted guidelines on valid consent in the EU<\/a>. The EDPB guidelines support the CJEU's ruling in the case of Planet49, but also covers other aspects of what constitutes valid consent under the GDPR.<\/p>\n\n\n\n<p>The EDPB guidelines specify that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No pre-ticked checkboxes allowed on consent banner.<\/li>\n\n\n\n<li>Scrolling and continued browsing is not valid consent.<\/li>\n\n\n\n<li>Cookie walls (forced consent) is not valid consent.<\/li>\n<\/ul>\n\n\n\n<p><a href=\"\/en\/edpb-guidelines\/\">Learn more about the EDPB guidelines on valid consent<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-cjeu-and-planet49\">CJEU and Planet49<\/h2>\n\n\n\n<p>The Court of Justice of the European Union (CJEU) is the highest legal body in the EU. It is made up of two courts, the Court of Justice and the General Court - the former comprised of one judge from each EU country plus eleven advocates general, the latter two judges with eleven advocates general.<\/p>\n\n\n\n<p>The CJEU interprets EU law to make sure it is applied in the same way in all EU countries, settle legal disputes between national governments and EU institutions, and in this case, interprets EU law to set legal precedents.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-case-of-planet49\">The case of Planet49<\/h3>\n\n\n\n<p>To understand the context of the CJEU ruling on valid consent in the EU, let\u2019s briefly explain the case of <strong>Planet49<\/strong>.<\/p>\n\n\n\n<p>It sounds like a sci-fi novel from the 1950s but is in fact a German online gaming company that in 2013 organized an online promotional lottery that required users to give personal information in order to participate.<\/p>\n\n\n\n<p>The input fields, where users were to enter in their data, were accompanied by two bodies of explanatory text and by checkboxes, <strong>one of which was pre-checked<\/strong>.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/www.consumersinternational.org\/members\/members\/federation-of-german-consumer-organisations-vzbv\/\" target=\"_blank\" rel=\"noreferrer noopener\">German Federation on Consumer Organizations<\/a>&nbsp;challenged Planet49\u2019s practice of obtaining consent in the German courts, and eventually asked the CJEU to interpret EU law to clarify whether consent by pre-checked boxes is a valid form of consent in general across the Union.<\/p>\n\n\n\n<p>The judgement that came on Tuesday October 1, 2019 from the CJEU cleared away any doubt to the case of Planet49, but what\u2019s more: it also creates a strong precedent for how EU privacy legislations are to be interpreted alongside each other.<\/p>\n\n\n\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document_print.jsf?docid=218462&amp;text=&amp;dir=&amp;doclang=EN&amp;part=1&amp;occ=first&amp;mode=req&amp;pageIndex=0&amp;cid=1415539\" target=\"_blank\" rel=\"noreferrer noopener\">The CJEU\u2019s complete judgement in English<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-cjeu-ruling-on-valid-consent\">CJEU ruling on valid consent<\/h2>\n\n\n\n<p>The CJEU\u2019s ruling can be understood as a thread that weaves together the <strong>ePrivacy Directive<\/strong>&nbsp;of 2002 (amended in 2009), the older <strong>1995 Directive<\/strong>&nbsp;and the <strong>General Data Protection Regulation<\/strong>&nbsp;(GDPR) of 2018.<\/p>\n\n\n\n<p>These EU privacy legislations aim to <strong>protect the user from any interference with his or her private life<\/strong>, in particular, from the risk that hidden identifiers and other similar devices enter those users\u2019 terminal equipment without their knowledge.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter is-resized is-style-cb-rounded\"><img loading=\"lazy\" decoding=\"async\" src=\"\/media\/3726\/1200px-flag_of_europesvg.png?width=405&amp;amp\" alt=\"Flag of European Union - Cookiebot\" width=\"770\" height=\"513\"\/><figcaption class=\"wp-element-caption\">The CJEU ruling on valid consent changes the practice of analyzing user behavior on websites.<\/figcaption><\/figure>\n\n\n\n<p>The CJEU ruling concerns the interpretation of Article 2(f) and Article 5(3) of the <strong>ePrivacy Directive<\/strong>&nbsp;2002\/2009, read in conjunction with Article 2(h) of the <strong>1995 Directive<\/strong>&nbsp;and Article 6(1)(a) of the <strong>General Data Protection Regulation<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-explicit-consent-is-the-only-valid-consent-in-eu-cjeu-rules\">Explicit consent is the only valid consent in EU, CJEU rules<\/h3>\n\n\n\n<p>The CJEU ruled that the abovementioned articles must be interpreted to mean that <strong>consent is not valid<\/strong>&nbsp;if given by way of <strong>pre-checked checkboxes<\/strong>&nbsp;which the users must deselect to refuse their consent.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-all-user-data-require-same-explicit-consent\">All user data require same explicit consent<\/h3>\n\n\n\n<p>The CJEU also ruled that the articles from the EU privacy legislations are <strong>not to be interpreted differently<\/strong>&nbsp;according to whether or not the information stored or accessed is <strong>personal data<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-obligation-to-inform-of-duration-and-third-party-access\">Obligation to inform of duration and third-party access<\/h3>\n\n\n\n<p>Furthermore, the CJEU also ruled that websites and service providers must <strong>inform their users on the duration<\/strong>&nbsp;of the cookies on their website, and whether or not <strong>third parties have access to user data<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-summary-on-cjeu-and-valid-consent\">Summary on CJEU and valid consent<\/h2>\n\n\n\n<p>The only valid form of consent for processing user data in the EU is explicit consent. Pre-checked checkboxes on website cookie banners are a no-go, except for strictly necessary cookies.<\/p>\n\n\n\n<p>Consent must be specific and given actively by the user by ticking a box, not by de-ticking a box that is already ticked. Consent is also only valid if the users have been informed about the duration of the cookies in operation, and whether any third parties will have access to their data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-explicit-consent-vs-implied-consent\">Explicit consent vs. Implied consent<\/h2>\n\n\n\n<p>Now you might be wondering what to do about your website\u2019s consent management and how to be sure that you are compliant with the CJEU ruling that is binding in all 28 EU member states?<\/p>\n\n\n\n<p>Let\u2019s sort out the terminology\u2026<\/p>\n\n\n\n<p>Explicit consent is also known in the CJEU\u2019s ruling as active consent, because it regards consent as an action on part of the end-user that is active, affirmative and specific.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-explicit-consent\">Explicit consent<\/h3>\n\n\n\n<p>Explicit consent has been known so far as the specific type of consent that a website must obtain, when processing sensitive personal information (such as political convictions, religious beliefs, health data).<\/p>\n\n\n\n<p>However, with the CJEU ruling, all user data \u2013 regardless of whether it\u2019s personal or sensitive or neither \u2013 is only to be processed after the end-users have given their explicit consent, also called active consent in the official ruling by the CJEU.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-implied-consent\">Implied consent<\/h3>\n\n\n\n<p>Implied consent, on the other hand, is the type of consent that has so far been valid in the EU, if your website only processes personal data (not sensitive personal data).<\/p>\n\n\n\n<p>This type of consent is also known as soft opt in. If a user visits a website and is presented with a cookie consent banner but chooses not to click \u201cokay\u201d but instead to keep scrolling or visits another subpage on the domain, this activity on part of the users constitutes valid consent, even if the user is not aware of it.<\/p>\n\n\n\n<p><strong>This type of consent is no longer valid in the EU.<\/strong><\/p>\n\n\n\n<p>However, it is still a form of consent that is valid in other privacy legislations around the world, such as the <a href=\"\/en\/lgpd\/\">Brazilian LGPD<\/a>&nbsp;that was closely modelled after the EU GDPR.<\/p>\n\n\n\n<p>Before the ruling, a valid consent banner could have pre-checked boxes for necessary, preference and statistical cookies \u2013 marketing cookies could not.<\/p>\n\n\n\n<p>With the CJEU ruling, only necessary cookies are allowed to be pre-checked.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-consent-management-on-your-website\">Consent&nbsp;management on your website<\/h2>\n\n\n\n<p>With the CJEU ruling, websites are not allowed to have cookie consent banners with pre-checked checkboxes. We here at <a href=\"http:\/\/www.usercentrics.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Usercentrics<\/a>, the parent-company of <a href=\"\/\">Cookiebot CMP<\/a>, are on the front of the privacy fight, protecting the privacy of your end-users while bringing balanced and thorough consent management to your website.<\/p>\n\n\n\n<p><a href=\"\/\">Cookiebot CMP<\/a>&nbsp;is a consent management solution that scans your domain and finds all cookies and trackers, blocks everything until our end-users have given their explicit consent and then securely stores all user consents for legal documentation.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/media\/4334\/cookiebot-by-usercentrics-blue.png?width=500&amp;\" alt=\"Cookiebot Logo - Cookiebot\" width=\"572\" height=\"171\"\/><figcaption class=\"wp-element-caption\">Our consent solution enables compliance with the CJEU ruling.<\/figcaption><\/figure>\n\n\n\n<p><a href=\"\/\">Cookiebot CMP<\/a>&nbsp;enables your website to be compliant with the CJEU ruling (with the ePrivacy Directive and the GDPR), as well as other data privacy laws around the world, from the <a href=\"\/en\/ccpa\/\">CCPA<\/a>&nbsp;to the <a href=\"\/en\/lgpd\/\">LGPD<\/a>.<\/p>\n\n\n\n<p><a href=\"https:\/\/admin.cookiebot.com\/signup\">Try the Cookiebot CMP solution for free today<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-consequences-for-you-the-website-owner-operator\">Consequences for you, the website owner\/operator<\/h2>\n\n\n\n<p>The CJEU ruling has consequences for almost all websites in the EU, regardless of size and shape, if they use cookies that aren\u2019t only strictly necessary for their most basic operation.<\/p>\n\n\n\n<p>The CJEU ruling also has consequences for <strong>websites outside of the EU<\/strong>. If your website is located outside of Europe, but you have European users and therefore process data of European citizens, you are obligated to follow the CJEU ruling.<\/p>\n\n\n\n<p>You must obtain the <strong>explicit consent<\/strong>&nbsp;of EU citizens before setting any cookies on their devices that aren\u2019t strictly necessary.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-analytics-and-valid-consent\">Analytics and valid consent<\/h3>\n\n\n\n<p>It is also no surprise that compliance with the CJEU ruling means significant changes to how you might be running your website.<\/p>\n\n\n\n<p>If you use Google Analytics,&nbsp;Matomo or similar analytics tools, as most websites around the world do, to optimize your website and its operations, this ruling can cripple your insight and statistics flow.<\/p>\n\n\n\n<p>Why? Well, you can\u2019t have pre-checked checkboxes on your cookie consent banner, apart from the strictly necessary ones. This means that you will have to rely on your users to opt in to those categories that serve you statistical and analytical information about their behavior on your domain.<\/p>\n\n\n\n<p>To be compliant with the EU privacy precedent from the CJEU means much stronger and more real privacy for EU end-users, but \u2013 probably \u2013 a loss in analytical data about your users for your website.<\/p>\n\n\n\n<p>For now, this is the new privacy landscape in the EU. It undoubtably increases the anticipation for the long-awaited ePrivacy Regulation, as we wait to see whether it consolidates this privacy development or moves the legal frontier once more.<\/p>\n\n\n\n\n\n\n","protected":false},"excerpt":{"rendered":"<p>Try Cookiebot CMP free for 14 days... or forever if you have a small website. Are cookies allowed to be pre-checked? The official press release&nbsp;from the CJEU evaporates any confusion: it is titled Storing cookies requires internet users\u2019 active consent&nbsp;and makes it clear that&nbsp;\u201ca pre-ticked checkbox is therefore insufficient\u201d. Any cookies not strictly necessary&nbsp;are prohibited [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":1129,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"editor_notices":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1127","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"thumbnail_status":false,"thumbnail_url":"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2022\/01\/1200px-flag_of_europesvg_1200x630_ffffff.png","_links":{"self":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/1127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/comments?post=1127"}],"version-history":[{"count":0,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/1127\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media\/1129"}],"wp:attachment":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media?parent=1127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/categories?post=1127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/tags?post=1127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}