Unsurprising considering the spirit, if not the letter, of the EU’s data privacy regulations: the European Court of Justice has ruled that pre-checked boxes giving consent to storing non-essential cookies with a user are not valid.

According to a release from the Court of Justice of the European Union in Luxembourg, internet users must give active consent to companies looking to store cookies that track browsing behaviours. The decision is expected to have a significant effect on the ePrivacy regulation, which are expected to be implemented later in 2019.

The ruling comes from a 2013 German Federal Court case – therefore pre-dating GDPR – when the Federation of Consumer Organisations in Germany took action against Planet49, an online gambling company, that was using pre-ticked checkboxes to garner consent for the storing of cookies that would help Planet49’s partners target their products and services to the site’s users.

In that case, the German court ruled that, because there was no explicit consent from users, this practice was illegal. This led to the court asking for guidance from the top EU court to rule at the level of EU law, which it did, according to the 2002 directive on privacy and electronic communications.

“A pre-ticked checkbox is therefore insufficient,” the release says. “That decision is unaffected by whether or not the information stored or accessed on the user’s equipment is personal data. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.”

It added that service providers must fully inform users, including how long the cookies would be operative, and whether partners would have access to the data they yield.

Legal scholars have suggested that the ruling is likely to have a significant impact on the ongoing negotiations over the ePrivacy regulation, which will impact cookie usage. Much of the online industry is, for fairly obvious reasons, lobbying heavily against a regulation that would limit both advertisers and publishers’ online data gathering.

Ironically, some privacy campaigners have pointed to the CJEU’s own site, which has pre-checked boxes for non-essential cookies, such as Think Privacy AB founder, Alexander Hanff, who filed a complaint.

“The Court has made clear that consent should always be manifested in an active manner, and may not be presumed. Therefore, online operators should ensure that they do not collect consent by asking users to unclick a pre-formulated declaration of consent,” said Luca Tosoni, a research fellow in computers and law at the University of Oslo, speaking to TechCrunch.

Sourced from CJEU, Alexander Hanff, TechCrunch.