Europe's highest court ruled Tuesday that companies can't rely on pre-checked boxes to obtain consumers' consent to being tracked with cookies.
Instead, the court ruled, companies can only track users who have consented by “active behavior.”
“It would appear impossible in practice to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data by not deselecting a pre-ticked checkbox,” the EU Court of Justice wrote. “It is not inconceivable that a user would not have read the information accompanying the preselected checkbox, or even would not have noticed that checkbox, before continuing with his or her activity on the website visited.”
The decision stemmed from a case brought by the German Federation of Consumer Organizations, which challenged the German company Planet49's data practices.
Planet49 allegedly showed a pre-checked consent box on sites with promotional games. The alleged activity took place in 2013, before the GDPR went into effect. But even before the GDPR, Europe had broad privacy laws.
The court said in a statement summarizing its ruling that users' consent “must be specific,” and that selecting a pre-checked button in order to participate in a promotional lottery “is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.”
The court added: “EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.”