Tech & Sourcing @ Morgan Lewis


A recent ruling by the Court of Justice of the European Union (CJEU) established that companies seeking to store “cookies” that are used to track online browsing behavior must obtain “active consent.” The ruling is likely to cause angst among companies, which often maintain websites that are not set up to obtain active consent, as well as with internet users who are increasingly frustrated by having to continually provide consent while visiting websites.

The ruling was prompted by a dispute between the German Federation of Consumer Organizations and an online lottery company, Planet49, which had a pre-ticked checkbox to authorize the use of cookies, which help target advertisements for products offered by Planet49’s partners. The German Federation of Consumer Organizations argued that because the authorization for cookies did not require explicit consent, it was illegal. The CJEU agreed.

The CJEU interpreted the EU law on the protection of electronic communications privacy. The court held that the consent a website user must give to the storage of and access to cookies on his or her equipment “is not validly constituted if the storage of information, or access to information already stored in the website user’s terminal equipment, is permitted by way of a pre-checked checkbox which that user must deselect to refuse his or her consent.”

The CJEU noted that specific consent must be obtained; thus, a pre-ticked checkbox is insufficient. Several of the largest internet companies currently have implicit cookie consent on their websites, whereby consent is deemed to be given in simply using the website. This ruling would require the companies that use this “deemed acceptance” system to implement changes in order to obtain specific consent from each user, or risk a fine under EU privacy laws if they do not obtain valid consent.

In addition to requiring that specific or active consent be obtained, the court explained:

Article 5(3) of Directive 2002/58 must be interpreted as meaning that the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.

We believe that based on this ruling, the negotiations in Brussels on the Eprivacy Regulation under the Finnish Presidency of the EU Council will gain momentum.

However, as mentioned in our recent blog post, there are still various open issues in the proposed Eprivacy Regulation. For instance, users will have to be reminded (probably every 12 months) of their right to withdraw their consent to the processing of electronic communications content or metadata, unless users request not to receive these reminders. As this requirement will be burdensome and create even more email traffic for the users, various exceptions are being discussed, e.g., for consent for cookies or direct marketing by email or SMS/text message.