Skip to Content

A familiar sight for internet users will soon be a thing of the past for those in the European Union.

While awaiting specific guidance from EU authorities, many companies attempted to obtain user consent by implementing pre-ticked “Agree and Proceed” cookie banners on their websites.

Users must now give explicit consent to accept website cookies

The EU Court of Justice ruled October 1 that pre-ticked cookie consent boxes are no longer sufficient. Users must now give explicit and active consent before a site may place cookies on a user’s device—meaning users must check the consent box (or boxes) themselves.

The mind-numbing nature of cookie consent boxes lead many to ignore them altogether or click whatever option will make them go away the fastest.

Cookie consent must now be explained in each use

Following this week’s ruling, in addition to no longer pre-checking the consent box, a website must now get a user’s explicit affirmative consent for each separate instance of cookie use. Websites must also list the names of all companies controlling the tracking technology and disclose the cookies’ duration. Websites also cannot roll up consent with seemingly unrelated actions, like downloading a PDF or accessing normal features of the site.

How did we get here?

This ruling stems from the 2013 case Planet49 GmbH v. Bundersverband der Verbraucherzentralen und Verbraucherverbande – Verbraucherzentrale Bundersverband e.V, where the German Federation of Consumer Organizations (GFCO) sued an online lottery company for its use of pre-ticked checkboxes to authorize cookie use, arguing the authorization did not involve explicit consent from the user and was therefore illegal.

The German Federal Court of Justice asked the EU Court of Justice for guidance, and an advocate general delivered an opinion in favor of the GFCO in March 2019. The October 1 ruling by the Court of Justice signifies the high court’s endorsement of the advocate general’s conclusions.

The ruling offers clarity for EU country representatives working on a new GDPR-esque e-Privacy regulation and confirms the EU’s toughening stance on the issue of consent in the digital sector.

Businesses should examine website cookie policies and banners

While awaiting the new e-Privacy regulation, companies operating online in the EU must review and revise their cookie policies. Many companies will have to revise their cookie banners to add the functionality of express opt-in consent and state the duration of the cookie sets.

Companies must also disclose whether third parties have access to the cookies, and, if so, the identity of those third parties.

Some may believe these more detailed cookie consent boxes will impair user experience; however, companies should be cautioned not to avoid these more detailed requirements.

Our Privacy, Cybersecurity and Data Management Team will continue to share the latest developments and provide insights as we continue to monitor the ever-changing, ever-shifting legal landscape on this issue.