Ready for the new Google Consent Mode v2? Learn more »

ECJ judgment and cookie consent: solutions for legally secure data protection

At the latest since the General Data Protection Regulation (GDPR) came into force, you as the operator of a non-private website have had to observe important data protection aspects. The question of how to deal with cookies was initially controversial. With its judgment (October 1st, 2019), the European Court of Justice (ECJ) made specific provisions regarding cookies with regard to consent to processing. Consent to the use of cookies is also known as cookie consent. Consent Management Providers (CMPs) offer simplification in the legally secure design of the use of cookies. Sophisticated cookie solutions work automatically and enable users to allow the type and scope of cookie use.

ECJ judgment and the cookies: legal meaning at a glance

The background to the ECJ ruling is the Planet49 legal matter. Under file reference no.: C-673/17 there is now clearer information on how consent to the use of cookies should be designed. In principle, the visitor to a website must be able to voluntarily and expressly agree to the use of cookies. According to the judgment of the ECJ on cookies, the use and processing of certain cookies is only permitted after consent has been given. This does not apply to cookies that are absolutely necessary for the operation of the website.

In the judgment of the ECJ on cookies, the European Court of Justice explains that the ePrivacy Regulation already provides for mandatory consent to cookies that are not absolutely necessary (compare Art. 5 Para. 3 ePrivacy Directive). In principle, this statement by the ECJ on cookies is already known from previous judgments.

It should be noted that the well-known § 15 para. 3 TMG (Telemedia Act) is not to be understood as an implementation of the ePrivacy Directive. Likewise, neither an interpretation of the TMG in accordance with the directive nor a direct application of the ePrivacy Directive can be considered. Therefore, the use and collection of cookies is fundamentally subject to the GDPR . According to the GDPR, the use can be based on a legitimate interest or on consent (compare (Art. 6 Para. 1 lit. a GDPR). Since this alone does not result in a mandatory requirement for consent, the ECJ refers to the ePrivacy Directive.

Judgment of the ECJ on cookies and its consequences: Consent to use

Effective consent is in practice tied to certain requirements as a result of the ECJ judgment on cookies. The ECJ has made essential statements on cookies with regard to the effectiveness of consent to their use. These relate to the old and the new data protection law in accordance with the GDPR.

In principle, it follows from the judgment of the ECJ on cookies that consent to the use and processing requires active behavior on the part of the user . If there is no active behavior, it is unclear whether users have sufficient knowledge of the situation. It follows that one already
previously ticked the checkbox for cookies cannot represent effective consent . In the sense of an actual opt-in, the visitor must become active himself and give his consent by clicking so that cookies can be collected and processed according to the ECJ ruling.

Furthermore, with regard to cookies, according to the ECJ ruling, consent generally requires separate and non-preset click options for all conceivable cases. No consent for specific cases can be derived from a pure send button.

Furthermore, the judgment of the ECJ on cookies means that, taking into account the ePrivacy Directive, it must be emphasized whether the cookie information represents personal data or not. The directive thus has a regulatory area that even goes beyond data protection law. However, legal experts point out that the ePrivacy Directive has not yet been fully implemented in Germany.

As a result of the judgment of the ECJ on cookies, you as the operator of a website should also provide precise information about the use of cookies. The information required in connection with the cookie consent includes, among other things, the processing time of the data. Likewise, as a result of the judgment of the ECJ on cookies, information on access to cookies by third parties must be communicated to visitors. This also includes precise information about the recipients of the data or the categories of recipients. At the latest since the ECJ judgment, the visitor must know which advertisers are processing the collected data.

Importance and necessity of cookie consent for website operators

Almost every commercial website collects data. This includes not only operationally necessary data, but in most cases also data that, according to the ECJ cookie judgment, requires the express consent of your visitors. Even the use of the simplest analysis tools is associated with the collection of numerous data and the creation of corresponding cookies. A common example is the Google Analytics tool. This form of data collection also occurs when someone places a widget on social media. Therefore, every operator of a website that has customers within the GDPR area (EU and beyond) relies on cookie content management . According to the ECJ cookie ruling, legally compliant operation of the website is only possible if correct handling of the cookie consent is guaranteed.

Cookie consent in practice: implementation as an opt-in

The judgment of the ECJ on cookies already has clear and concrete effects. This results in a need for action for website operators. This concerns the type and design of the cookie consent, i.e. the express consent to its use. The information to be communicated to users about the use of cookies is also affected.

In this context, consent must be designed as a real opt-in in practice . This means that an active action by the user is required to consent. Basically, since 2009, EU data protection guidelines have provided for visitors to be asked for their consent. In the past, however, website operators could interpret this requirement in the form of an opt-out . This means that cookies were generally set without the user having to do anything. The user

could object to the use of cookies, but had to take the initiative to do so. This changes with the judgment of the ECJ on cookies: the transition to an opt-in provides that the website generally does not set cookies unless the user opts for them. As a result, cookies can only be set at all if the visitor has given their consent. Accordingly, consent to cookies according to the ECJ may not be obtained by ticking a box that has already been set in advance .

It is therefore advisable for companies and website operators in general to adapt to the judgment of the ECJ on cookies as quickly as possible and to take appropriate precautions for legally secure cookie content. Consent management solutions, which both inform the user comprehensively about the use of cookies and also request his express consent, make things significantly easier for website operators.

Cookie consent solutions: standards and how they work

A framework developed by IAB Europe (Interactive Advertising Bureau) is available for consent to the setting and processing of cookies: it is the Transparency and Consent Framework (TCF) , which is establishing itself as the standard for cookie consent Has. The aim of the development of this framework is a comprehensive standardization in the consent question . The first variant of the framework was presented in April 2018. The current version TCF 2.0 followed in May 2020. Especially in view of the ECJ cookie judgment, the framework is of great importance, as it makes it easier to obtain the necessary consent. More precisely, the IAB’s claim is to precisely understand the information about a user’s consent to cookie processing. This affects the entire delivery chain of cookie use. In most cases, multiple service providers are involved in generating multiple cookies. These mostly relate to advertising banners and other marketing measures. All parties involved in this process are dependent on information about whether or not consent has been given to the cookie processing.

On the one hand, as part of the cookie consent management based on the IAB framework, it is determined whether a user has given their consent to the use of cookies at all. In a second step, the Consent Manager identifies which specific consents the user has given on the consent banner. Visitors have the option of agreeing to or rejecting different usage and processing purposes for the cookies. Based on the consent structure , a cookie consent manager creates a so-called consent string, which in turn is created in a cookie. Based on this consent string, other parties (e.g. other consent management providers) also have a way of finding out the consent of a visitor.

CMP: Consent management solutions for websites and their benefits

The benefits of using a good consent manager are numerous for website operators. The legally secure design of the consent to cookies according to the ECJ can thus be guaranteed. Every good website aims to provide the best possible user experience. The needs of visitors should be satisfied so that they stay on the site. The most important aspects of long retention include a high acceptance rate and a low bounce rate. A good consent management provider contributes to minimizing the bounce rate and thus increasing the acceptance rate. It thus contributes to a good performance of the website. Customers can only be won and permanently retained on a website if the bounce rate on the website is low.

With a well thought-out consent management solution, you not only ensure compliance with the requirements of the ECJ cookie ruling, but also have a real-time overview of the current acceptance and bounce rates. The behavior of website visitors, customers and potential customers can be understood. From this, conclusions can be drawn about possible improvement potential.

An international orientation of the consent banner is a matter of course with modern cookie consent solutions. The pop-up automatically appears in the language of the GDPR country from which visitors access your website. The consent management provider displays the information in a total of 29 languages. Furthermore, a CMP offers responsive adaptation to the end device used by visitors. The cookie consent solution reacts to aspects such as screen size and operating system (e.g. iOS or Android) and shows visitors an optimized display.


The judgment of the ECJ has undoubtedly complicated data protection practice for website operators. In addition to technical questions, design aspects and, above all, the legal dimension of transparent data processing must be taken into account when designing a legally compliant cookie banner. What website operators in particular give the impression of patronizing guidelines and specifications ultimately serves the users as interested parties and customers. In this sense, online dealers, publishers or agencies should see the ECJ ruling as an incentive. Website visitors know more and more about the scope of data transfer and demand maximum clarity and transparency in cookie management. From this point of view, website operators can only benefit from a clever consent management system in customer contact – through more trust in connection with clear usability.

Articles on similar topics:

more comments

EDPB opinion on pay or consent model
Legal, News

The latest decision of the EDPB on “consent or pay” models for online platforms

The Dutch, Norwegian and German (Hamburg) regulators asked the European Data Protection Board (EDPB) for guidance on whether large online platforms can implement ‘consent or pay’ models for behavioural advertising based on valid and freely given consent. This was prompted by Meta’s introduction of a subscription model in October 2023, where users were given the […]
New regulations US 2024

New US data protection laws come into force in 2024: Update your US-specific privacy settings

In the United States, new data privacy laws will take effect in the second half of 2024 – in Florida, Texas, Oregon and Montana . Companies that operate in these states or have customers in these states will need to review their data privacy practices to ensure compliance with the new data privacy laws. To […]