The European Court of Justice has issued a ruling that under existing privacy laws, such as the 2002 ePrivacy Directive and the General Data Protection Regulation, a user must provide active consent before a website operator may place or access tracking cookies on a user’s device. There are three key components to the court’s decision: first, a website operator that wishes to use tracking cookies must fully explain the cookies it wishes to place on a user’s device, including both the duration a cookie operates and the extent to which third parties can access that cookie; second, website operators may not rely on a user’s active consent to one operation to infer consent to cookies; finally, consent must come in the form of an active selection by the user.
In the 18 months since GDPR went into effect, many website operators have continued to rely on “opt-out” or implied user consent – e.g., consent implied via “cookie banners” or pre-checked “I consent” boxes. This summer, the United Kingdom’s Information Commissioner’s Office (UK ICO) released guidance that would require active consent for cookies. The Court’s ruling finds decisively in favor of an “opt-in” requirement.