Pre-checked cookie consent is not in accordance with GDPR


According to the European Union Court of Justice, the pre-checked box indicating consent to the placement and display of cookies on a user’s device is not in compliance with GDPR. The user must actively and expressly agree to the placement of the cookie by checking the box, and not vice versa. In this case, it is irrelevant whether the information stored or viewed is personal data.

The aim of the EU law is to protect internet users from an intrusion into their private sphere, in particular from invisible identifiers or other devices entering a user’s device without their explicit consent and knowledge. For the consent for the storing of cookies to be valid, it must be granted by active action, i.e. by the user checking the box. Furthermore, the Court of Justice also dealt with the service provider’s obligation towards information that must be provided to the user. These obligations include the functionality of cookies, and the possibility of third parties accessing the data collected.

The EU Court of Justice has begun to address the issue of cookies at the request of the German Federal Court of Justice, which is dealing with the case of an advertising lottery on the Planet49 GmbH website. To participate in this lottery, Internet users were required to provide their postal code, which redirected them to a website where they were required to enter their name and address, and had a pre-checked box for accepting cookies. However, according to a subsequent ruling by the Court of Justice of the EU, consent by way of a pre-checked box is not sufficient, and the box must be checked by the user’s own action.

This ruling of the Court of Justice of the EU is legally binding on all EU Member States, and the use of cookies must continue to take into account all the requirements set by GDPR.