Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

New European judgment on cookies


In its recent judgment in the “Planet49 case”, the Court of Justice of the European Union (“CJEU”) held that consent for cookies cannot be lawfully established through the use of pre-ticked boxes and that clear and comprehensive information should be given to the website users on the functionality of each cookie.

On October 1, 2019, the CJEU issued its long-awaited decision on an important case about consent for the use of cookies. The most significant points of the decision are the following:

Pre-ticked checkboxes do not constitute a valid consent

Pre-ticked boxes do not meet the requirement for an affirmative consent imposed by the ePrivacy Directive, the Data Protection Directive and the GDPR. The court held that there should be an active behavior on the part of the user. Otherwise, it is “practically impossible to clarify in an objective manner whether the user of a website has actually given his consent to the processing of his personal data  ”and “ it cannot be ruled out that the user may not have read the information attached to the checkbox or that he may not have noticed this box…”.

Based on the above reasoning and despite the fact that the CJEU did not touch upon other commonly used techniques for getting the users’ consent, it is clear that other ways of passive or implied consent of the users for the use of cookies, such as continuing the web browsing in the website, would also be considered unacceptable.

Same rules apply to all cookies irrespective of whether they store or access personal data of the users

The CJEU confirmed that the provisions on cookies of ePrivacy Directive aim “to protect the user from interference with his or her private sphere, regardless of whether or not that interference involves personal data”. Practically speaking, even if cookies do not collect any user’s personal data (which will be rarely the case), the website publisher should make sure that it complies with the ePrivacy Directive.

Users should be given clear and comprehensive information on the use of cookies

The CJEU explained that clear and comprehensive information should permit the user to easily determine the consequences of his or her consent. Such information should be unambiguous and clearly comprehensible to the average internet user, and sufficiently detailed to permit the user to understand the cookie functionality. Furthermore, the website publisher should provide information on the duration of the operation of the cookies and on whether third parties have access to the cookies.

What website publishers are required to do?

In view of the CJEU’s judgment, website publishers should:

  • Amend their cookie notices to include information on the duration of cookies and on third party recipients for each cookie, as well as any other necessary information required under the GDPR that would allow users to understand how each cookie functions; and 
  • Ensure that their cookie banners operate strictly on the basis of an opt-in consent, so that there are no pre-ticked boxes or other techniques of passive or implied consent.


Article provided by: Mary Deligianni (Zepos & Yannopoulos, Greece)


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.