Today, the EU’s highest court said this:
In today’s judgment, the Court decides that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a prechecked checkbox which that user must deselect to refuse his or her consent.
This is a game-changer for cookie consent. At the moment most websites will present you with a cookie notice that is designed to make you click ‘accept’ just to make it go away.
The GDPR says that you can only drop cookies without consent if they are essential to make your site work.
Behind the scenes, there are, in many cases boxes that are already checked outlining the types of cookies that you will get just by clicking ‘accept’.
This sneaky tactic is technically allowed under GDPR because the regulation is somewhat vague on what actually constitutes consent — the practices upheld across the web at the moment are a product of a very questionable interpretation of what the regulation outlines as getting valid consent from a user.
This new ruling makes it clear that a pre-checked box does not constitute consent. This has the potential to change everything — many websites stay afloat just from people accepting their cookies. There’s a lot of money in third-party tracking.
If you can’t pre-check boxes for users yourself anymore, they will simply have to check them themselves. That is highly unlikely, of course. Websites will either have to find another way of sneaking those cookies in, or simply try a more transparent approach…