EU’s top court on Tuesday ruled that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a pre-checked checkbox which that user must deselect to refuse his or her consent.

Under the EU privacy law that took effect in May last year, companies risk hefty fines for inadequately informing users about what data they collect about them and for what purposes, or for failing to actively seek their consent.

Tuesday’s case has its origins in Germany in 2013, when a company called Planet49 organized a lottery for promotional purposes. To access the website, people faced a pre-ticked box that would allow placing cookies on their computer.

The cookies in question aimed to collect information for the purposes of advertising Planet49’s partners’ products.

The German Federation of Consumer Organisations challenged this as unlawful before a German court, which in 2017 sought the EU judges’ guidance on the scope of consent under the bloc’s data protection rules. To refuse consent, users had to un-tick the box.

"The Court notes that consent must be specific so that the fact that a user selects the button to participate in a promotional lottery is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies. Furthermore, according to the Court, the information that the service provider must give to a user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies," teh ruling reads.