Is your use of website cookies currently lawful?


Cookies and cookie statements have become second nature in the current digital age. Unfortunately, a ruling from the Court of Justice for the European Union (CJEU) in October 2019 has meant that many companies have been breaking the law for the last seven months. These seemingly harmless files have been at the centre of a major court ruling that has so far slipped under the radar for many corporations. The ruling clarifies how cookies should be managed and what that means for cookie statements. As a result, if you have not reviewed your cookie policy since October 2019, you may no longer be operating within the law.

The Planet49 Case

The reason behind all this involves a German lottery service called Planet49 GmbH. In order to enter the lottery, Planet49 presented the user with two checkboxes. The first one, unchecked, requested consent for promotional information to be sent to the user by post. The second, pre-checked, asked data subjects to consent to the use of cookies from a third-party web analytics firm.

To enter the lottery, users were forced to consent to being sent promotional information, and the lottery terms and conditions stated that users could opt out of the use of third-party cookies if they manually unchecked the box.

The Ruling

A German federal consumer rights group (Bundesverband der Verbraucherzentralen) believed that the declarations of consent requested by Planet49 did not satisfy the relevant requirements of the German data protection laws. As a result, the CJEU made the following ruling:

  1. A pre-checked box would not offer consent that was legal under the e-Privacy Directive and the GDPR. The GDPR states that pre-checked boxes or indeed inactivity should not be considered or assumed as valid consent. A positive affirmative action by the data subject is needed.
  2. It does not matter what information a website cookie contains; all website cookies are considered as part of a person’s ‘privacy sphere’ whilst online; therefore, all website cookies, regardless of function, are classed as personal data.
  3. Website users must be provided with information on the duration of cookies and whether third parties have access to them.

This clarification by the CJEU invalidated a lot of existing cookie statements. If you have not checked your cookie statement since October 2019, we suggest that you review it to ensure that your organisation is managing cookies in a legal fashion. To find out how Tacita can help you to remain GDPR compliant, please get in contact with a member of our team using the forms below.

About Us: Tacita is a leading General Data Protection Regulation (GDPR) compliance specialist operating from their base in the United Kingdom. This company helps clients maintain their GDPR compliance by undertaking independent external GDPR assessments in a cost-effective manner with minimal disruption to the client. Offering clear and actionable solutions, the company offers an unbiased service ensuring their clients save time, money, and energy when it comes to their GDPR requirements. Tacita provides a three-step process, which includes assessments, recommendations and resolutions with detailed reporting and data processing, record processing and privacy policies. Full details can be found at


Telephone: +44 20 4526 5699
