The Court of Justice of the European Union has ruled that website which give information about ‘cookies’, rather than asking for consent are no longer legal.
Cookies are small files stored on a user’s computer by a website which hold data on the user should they later come back to the site.
Cookies are used to keep users signed in to online service and remember settings, but can also store personal data and therefore fall under the GDPR.
Website owners have typically responded to the GDPR rules by adding pop-ups to their site which let users know cookies are in use.
But the recent ruling in the Court of Justice of the EU found that websites which simply give information, rather than requiring explicit consent, are not legal.
A statement the Court of Justice said:”The Court notes that consent must be specific so that the fact that a user selects the button to participate in a promotional lottery is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.
“In today’s judgment, the Court decides that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a pre-checked checkbox which that user must deselect to refuse his or her consent.
“That decision is unaffected by whether or not the information stored or accessed on the user’s equipment is personal data.
“EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.”
Though the ruling comes from an EU court, the UK has committed to mirroring GDPR in its own law should Brexit happen.