CJEU confirms stricter requirements for valid cookie consent
The Court of Justice of the European Union in its judgment in case C-673/17 ruled about requirements for a valid consent to the storage of cookies.
The Court ruled that the consent referred to in Article 2(f) and in Article 5(3) of Directive 2002/58 cannot validly be obtained by way of a pre-ticked checkbox which the user must deselect to refuse his or her consent. The Court did not elaborate on the requirement that consent must be ‘freely given’. The Court referred to the requirements for consent to be 'specific' and 'unambiguous' under Directive 2002/58 as well as the even more detailed wording of the GDPR. The CJUE added that Directive 2002/58’s aim is to protect the user (including natural persons acting for business purposes) from interference with his or her private sphere, regardless of whether or not that interference involves personal data.
The judgment strengthens the protection of privacy in the digital sphere of internet users. Moreover, the Court confirmed that the standard of 'cookies protection' does not depend on whether or not the user's personal data is involved. Privacy concerns the very fact of placing pieces of software on the user's 'terminal equipment'. This resembles the way in which some consumer authorities have read the notion of 'aggressive practices' under Directive 2005/29/EC on unfair commercial practices, also beyond the cookie context.