Internet users must actively consent to companies storing cookies that are used to track online browsing behaviour, the European Court of Justice said on Tuesday in a ruling that could significantly effect ePrivacy regulation.
The ruling stems from a 2013 case when the German Federation of Consumer Organizations took legal action against online lottery company Planet49, which had a pre-ticked checkbox to authorise the use of cookies.
The cookies โ data sent from a website and stored on a userโs computer โ collected information to help target advertisements for products offered by Planet49โs partners.
The consumer organisation argued this was illegal because the authorisation did not involve explicit consent from the user.
The German Federal Court of Justice asked for guidance from the EUโs highest court to rule on the case in relation to EU laws on internet privacy. The EU court sided with the German consumer group, saying EU law aimed to protect consumers from interference with their private lives.
โA pre-ticked check box is therefore insufficient,โ the court said in a press release, adding that cookie consent must be specific and explicit and that clicking a button to participate in a game or browsing a website, and through that allowing cookies, was not enough.
Luca Tosoni, research fellow at the Norwegian Research Center for Computers and Law at the University of Oslo said in a statement that the ruling is โlikely to have a significant impact on the ongoing negotiations on the ePrivacy regulation which is set to regulate cookie usage.โ
Several of the largest internet companies, such as Facebook and Twitter currently have implicit cookie consent, where by using the site, consent is deemed to have been given.
Facebook was not immediately available for comment and Twitter declined to comment.
The case predates General Data Protection Regulation (GDPR) โ the May 2018 internet privacy regulations that stipulate how companies must inform users about how their personal information is gathered.
The EU court also ruled that service providers had to fully inform users, including how long the cookies would operate for and whether third parties would have access to gathered data.
REUTERS