Pre-checked boxes aren’t valid for consent or cookies under EU data protection law

Update:

In October 2019, the European Court of Justice held that in order to store cookies on user devices, the users must actively consent and that a pre-checked checkbox that users must actively deselect is not a valid form of consent. The European Court of Justice also stated that all types of cookies require active consent, not just cookies that contain personal data. However, the European Court of Justice did not discuss in more detail the application of active consent in other situations. For example, the Court did not discuss whether the active consent requirements applied to essential and nonessential cookies or solely applied to advertising cookies. Also, the Court did not discuss other forms of consent such as the use of cookie banners.

On March 21, 2018, Advocate General Szpunar published his opinion in case C-673/17, deeming that the requirements for giving consent are the same under Directive 95/46/EC and Regulation (EU) 2016/679 (the so-called GDPR) and that there is “no difference whether we are dealing with the general question of processing of personal data or the more particular one of storing of and gaining access to information by way of cookies.”

In this case, AG Szpunar addressed what precisely the requirements are for a user’s informed consent, which must be freely given, and specifically whether there is a difference between the processing of personal data (only) and the setting of and access to cookies.

The questions arose because, in order to participate in a lottery organized by Planet49, an internet user was confronted with two checkboxes which had to be unclicked before he could hit the ‘participation button’. One of the checkboxes required the user to accept being contacted by a range of firms for promotional offers; the other checkbox required the user to consent to cookies being installed on his computer.

Judicial proceeding. The applicant in the main proceedings, the Bundesverband der Verbraucherzentralen (German Consumer Organizations, Bundesverband), deemed that the declarations of consent used by Planet49 did not satisfy the requirements set forth by the applicable German data protection law. The Bundesverband instituted proceedings before the Landgericht Frankfurt am Main (Frankfurt am Main, Regional Court) requesting Planet49 to stop using the abovementioned clauses. The Landgericht Frankfurt am Main allowed certain claims to proceed and dismissed the remainder of the application. Further to an appeal on the merits before the Oberlandesgericht Frankfurt am Main (Frankfurt am Main, Higher Regional Court), the Bundesgerichtshof (Federal Court of Justice) was seised by way of an appeal on a point of law. The Bundesgerichtshof considered that the appeal hinged on the interpretation of Articles 5(3) and 2(f) of Directive 2002/58/EC, read in conjunction with Article 2(h) of Directive 95/46/EC, and of Article 6(1)(a) of Regulation 2016/679/EC and referred to the Court of Justice for a preliminary ruling.

Preliminary questions. Both questions referred by the Bundesgerichtshof for a preliminary ruling related to the giving of consent to the storing of information, and the gaining of access to information already stored in the user’s terminal equipment (cookies).

According to AG Szpunar, the relevant EU legal framework concerns (i) Directive 95/46/EC, specifically Article 2 of the Directive, which defines “consent” as “any freely given specific and informed indication of the data subject’s wishes, by which the data subject signifies his agreement to personal data relating to him being processed”; (ii) Directive 2002/58/EC (ePrivacy Directive), where the concept of “consent” corresponds to the one described above; (iii) Directive 2009/136/EC (Cookie Directive), which refers to the obligation to provide information and the right to refuse authorization to store information on the equipment of a user, or gain access to information already stored; and (iv) the GDPR, which states that “consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

On freely given and informed consent. Interestingly, AG Szpunar highlights that consent shall be:

  • Active. Consent needs to be manifested in an active manner. “Ambiguity can only be removed with active, as opposed to passive, behaviour.”
  • Separate. “The activity a user pursues on the internet (reading a webpage, participating in a lottery, watching a video, etc.) and the giving of consent cannot form part of the same act.”
  • Fully informed. “A user must know whether and, if so, to what extent his giving of consent has a bearing on the pursuit of his activity on the internet.”

In the case at hand, AG Szpunar concluded that there is no valid consent under the applicable framework where the storage of information, or access to information already stored in the user’s terminal equipment, is permitted by way of a pre-ticked checkbox which the user must deselect to refuse his consent and where consent is given not separately but at the same time as confirmation of participation in an online lottery.

AG Szpunar stated that the principles established in his opinion were equally valid for Directive 95/46/EC as well as for the GDPR.

Finally, AG Szpunar deemed that the clear and comprehensive information a service provider has to give to a user includes the duration of the operation of the cookies and the question of whether third parties are given access to the cookies or not. “The obligation to inform is linked to consent in that there must always be information before there can be consent.”

More on Case C‑673/17, Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V is available at http://curia.europa.eu….

Advocate General Szpunar’s opinion is available at http://curia.europa.eu…

More on GDPR is available at http://www.technethics.com…