Online companies in the EU can no longer present internet users with a pre-checked box telling them cookies will be planted on their smartphone or computer if they don’t deselect the option, under a ruling issued Tuesday.
The decision by the European Court of Justice means that users need to give “active consent”—rather than opt-out of an automatic default that would otherwise plant cookies in their device’s system.
The EU court was responding to a German court’s request for interpretation of an EU law protecting privacy through electronic communications.
It arose from a challenge lodged by a German consumer federation against a German company, Planet49, which presented users wanting to play its promotional lottery with a pre-checked cookie box.
The tracking cookies were to gather information on the users for advertising products from Planet49’s commercial partners—a common method by online companies.
But the court determined that “consent must be specific” and pressing a website button to participate in a lottery “is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies”.
The ruling comes with authorities in Europe, and increasingly in the United States and elsewhere, grappling with how to protect citizens’ privacy online as internet companies gather and cross-reference information gleaned from web use.
Cookies are small pieces of computer code that are downloaded into a user’s device to track what sites they visit, how they interact with them, and potentially other bits of information.
In Tuesday’s ruling, the EU court also ruled that users accepting cookies must be notified of how long those cookies will track them, and whether or not third parties have access to the information they gather.