ECJ on consent requirements for cookies

European Court of Justice has decided October 1st, 2019 on consent requirements for cookies.

Text of the decision here.

Consequences for website providers

  • All use of cookies need consent by user. More abstract: if you intend to store something on the terminal device of the user, you need consent (see point 46 of decision).
  • If you want to access information already stored at users device, e.g. in cookies, you need consent (see point 62 decision)
  • Do not use pre-checked checkboxes for consent under GDPR or e-commerce directive as the do not give valid consent (see point 57 decision).
  • Content and form of consent needs to be in line with applicable data privacy law, see requirements by Art. 7 GDPR (see point 61 and 62 decision).
  • Same applies if you want to access data stored on the user’s device, e.g. in cookies, stored either through your service or by a third party service on the device.
  • These rules apply wether or not the information stored or access qualifies as personal data or not (see point 71 decision).
  • You need to inform websites users on (i) the duration and (ii) if third parties have access to the information stored by your service on the end user’s device (see point 81 decision). As you know other information is also to provide.