The European Court of Justice has ruled that companies must acquire active and explicit consent in order to install cookies and track users for advertising, according to Bloomberg.
The ruling states that the pre-checked boxes offered by many websites do not qualify as the active consent required by European law. Under the General Data Protection Regulation (GDPR) that went into effect last year, companies could be issued hefty fines for failing to acquire proper consent when collecting user data.
According to a press release from the court:
“EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.”
Cookies are pieces of code that can allow websites to track user activity for targeted advertising, in a business model that is widespread throughout the internet. Even in Europe under the GDPR, compliance and enforcement have been uneven, despite recent clarifications from national data protection authorities. Many of the largest platforms on the internet, including Facebook and Twitter, consider
The case actually predates the GDPR. In 2013, the company Planet49 set up a lottery for promotional purposes, showing users a window with a pre-checked box to allow cookies to be installed. Users had to actively opt out, by unchecking the box, to revoke consent. Planet49 was using the data collected from the cookies to target ads for its partners’ products.
The German Federation of Consumer Organizations challenged the practice in a German court, which ultimately asked for guidance from the Court of Justice in 2017.
On Tuesday, the court ruled against the practice. It also said that bundling consent with other agreements, as in the Planet49 lottery, is a violation of EU law. The court added that when asking for consent, websites must provide information on the tracking, such as how the data will be shared and for how long the cookie will track the user.
Luca Tosoni, a University of Oslo computers and law researcher, told TechCrunch:
“Before the entry into force of the GDPR, the conditions for consent were interpreted differently across Europe. Today’s judgment is important as it brings some clarity on what should be considered valid consent under EU data protection law.”