Skip to main content
Back to Guides
Compliance6 min read

The Court Rulings That Shaped Cookie Consent in the EU

Most of what makes a cookie banner legal in Europe was decided by the Court of Justice, not written in a statute. These five CJEU judgments, from Planet49 to IAB Europe, are the case law your banner has to satisfy.

If you want to understand what a compliant cookie banner has to do in Europe, you can't just read the GDPR and the ePrivacy Directive. The working meaning of "freely given, specific, informed and unambiguous" consent has been filled in case by case by the Court of Justice of the European Union (CJEU). Its judgments bind every national court and regulator, so they're the closest thing to a rulebook the CMP industry has.

Here are five rulings that did the most to shape modern cookie consent: what each decided, and the practical rule it created. Every case number links to the official record on EUR-Lex so your legal team can check the source text.

1. Planet49 (C-673/17, 1 October 2019): Pre-Ticked Boxes Are Not Consent

Planet49 ran an online lottery where a checkbox consenting to analytics and advertising cookies was pre-ticked by default. The German courts sent the question to Luxembourg. On 1 October 2019 the CJEU held that consent to store or access cookies is not validly given by a pre-ticked box the user has to deselect. Consent takes an active, affirmative act, and that standard applies whether or not the information stored is personal data.

The practical rule: default-on is dead. Non-essential cookies can't fire until the user does something positive, and "continue browsing implies consent" doesn't clear the bar. Read the judgment on EUR-Lex (C-673/17).

2. Fashion ID (C-40/17, 29 July 2019): You Are Responsible for Third-Party Widgets

Fashion ID, an online retailer, embedded a Facebook "Like" button. Just loading the page sent visitor data to Facebook, whether or not anyone clicked. On 29 July 2019 the CJEU ruled that the website operator is a joint controller alongside Facebook, but only for collecting and transmitting the data, not for what Facebook does with it afterward.

The duty landed on the website operator: it has to inform users and get consent for that collection, because it's the visitor arriving on the operator's page that triggers the transfer. The practical rule: third-party embeds, social buttons, maps, video players, chat widgets, are your compliance problem, not the vendor's. If a widget sets cookies or transmits data on load, it belongs behind your consent gate. See EUR-Lex (C-40/17).

3. Orange Romania (C-61/19, 11 November 2020): The Burden of Proof Is on You

Orange Romania signed customers to mobile contracts that included a pre-ticked clause consenting to copying and storing their ID documents. On 11 November 2020 the CJEU confirmed that a customer has not validly consented where the controller pre-ticked the box, and consent is also invalid where the customer is misled about whether they can decline, or where refusing means extra paperwork the consenting user doesn't have to complete.

The judgment underlined that the controller has to be able to demonstrate that consent was validly obtained. The practical rule: friction asymmetry is unlawful, and the evidentiary burden is yours. If accepting is one click but refusing means hunting through a settings panel, the consent isn't free, and you're the one who has to prove otherwise. See EUR-Lex (C-61/19).

4. Meta v Bundeskartellamt (C-252/21, 4 July 2023): Power Imbalance Undermines Free Choice

This case came out of Germany's competition authority, but its data-protection findings matter for consent everywhere. On 4 July 2023 the CJEU held that a company's dominant market position doesn't by itself void consent, but it's an important factor in judging whether consent was freely given, because a dominant provider can distort a user's freedom of choice and create a clear imbalance. The burden of proving the consent was free sits with the operator.

The ruling also confirmed that competition authorities may weigh GDPR compliance when assessing abuse of dominance. The practical rule feeds straight into the pay-or-consent debate: the more take-it-or-leave-it the choice, and the more essential the service, the harder it is to argue consent was truly free. See EUR-Lex (C-252/21).

5. IAB Europe (C-604/22, 7 March 2024): The Consent String Is Personal Data

The Transparency and Consent Framework (TCF) is the ad-tech industry's consent plumbing, encoding each user's choices in a "TC String". On 7 March 2024 the CJEU ruled that the TC String, combined with an IP address, is personal data, and that IAB Europe is a joint controller for the processing involved in recording users' preferences, even though IAB itself can't read the string, because its members have to supply the information needed to identify users.

The joint controllership was limited to the consent record, not the downstream advertising publishers and vendors carry out. Even so, the ruling reshaped how the TCF is governed and reminded everyone that consent metadata is itself regulated data you have to handle lawfully. See EUR-Lex (C-604/22).

What the Case Law Adds Up To

Taken together, these judgments set the non-negotiable core of EU cookie consent:

  • No defaults. Pre-ticked boxes and implied consent fail (Planet49, Orange Romania).
  • No friction asymmetry. Refusing has to be as easy as accepting, and you must be able to prove consent (Orange Romania).
  • You own your third parties. Embedded widgets and pixels are yours to gate and disclose (Fashion ID).
  • Free means free. Power imbalance and coercive framing can invalidate consent (Meta).
  • Consent data is data. Even the record of a choice can be personal data with its own controller obligations (IAB Europe).

These principles are why regulators and the EDPB's guidance look the way they do, and why every fine in our GDPR cookie fines roundup traces back to one of them.

How CookieBeam Reflects the Rulings

CookieBeam's defaults come straight from this case law: nothing is pre-ticked, non-essential scripts stay blocked until the user acts, and Reject sits beside Accept with equal prominence so there's no friction asymmetry to defend. The scanner is built to catch the third-party embeds and pixels that Fashion ID makes your responsibility, and every consent event is logged so you can meet the burden of proof Orange Romania and Meta put on the controller. Case law changes; a banner built on these principles doesn't need re-architecting each time it does.

CJEU Cookie Consent Rulings: 5 Cases That Defined the Rules | CookieBeam | CookieBeam