Europe’s highest court is not satisfied with a pre-ticked box.

On Tuesday, judges at the Court of Justice of the European Union (CJEU) ruled that websites must obtain explicit consent from users in order to collect their personal data.

In their decision, the judges ruled it is not enough to flash a pre-ticked box in front of people to have them consent for their digital information to be collected. Instead, websites must ask users to actively opt in to sharing their data.

The ruling from the Luxembourg-based court dealt a blow to search engines, social media platforms and other websites that rely heavily on such boxes to obtain consent with minimal input from people across the 28-country bloc.

The ruling, which will apply across the European Union, originated in Germany where a group of consumer organizations filed a lawsuit against Planet 49, a local website that hosted an online lottery.

By prompting users to make a proactive choice, the ruling may lead people to deny consent and potentially deprive websites of personal data that is now the lifeblood of the digital economy.

The ruling is the latest from Europe’s highest court that aims to rein in tech companies’ activities. On Thursday, the same judges will rule if Facebook should be held responsible for removing defamatory content from its global platform or merely from the country where the complaint was filed.

The ruling also marks a victory for privacy campaigners who have pushed back against the use of so-called cookies, or technology that allows firms to collect information on people’s digital activities.

Case born in Germany

The ruling, which will apply across the European Union, originated in Germany where a group of consumer organizations filed a lawsuit against Planet 49, a local website that hosted an online lottery.

To participate in the sweepstake, users needed to check two boxes, one of which had been pre-checked to allow the use of cookies. To revoke consent, the user needed to actively uncheck the box.

That was incompatible with Europe's tough privacy standards, the German consumer advocates argued.

On Tuesday, the CJEU sided with them, fueling a debate over how much say people should have over how their data is collected, and exactly how consent should be granted.

“The court decides that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a pre-checked checkbox which that user must deselect to refuse his or her consent,” the judges wrote in a statement.

As a new European Commission prepares to take office November 1, consumer protection groups and Silicon Valley companies are ramping up lobbying around several planned pieces of legislation — including the so-called ePrivacy Regulation, which aims to set privacy rules for online communications — that will affect how digital information is collected and managed.

The court’s ruling “spells it out for the industry and calls for clear rules on confidentiality of our communications," said Diego Naranjo, head of policy at EDRi, a consumer rights group. “EU member states need to finally move forward with legislating this practice, and take the much-needed ePrivacy Regulation out of the EU Council’s closet.”

The ePrivacy Rgulation has been stuck in negotiations between national interests at the Council of the European Union.

Several lawsuits argue that websites are bypassing new data protection rules, notably by making access to online services such as Google and Facebook conditional on providing consent for data gathering.

“The ruling is an important sign for the protection of digital privacy,” Heiko Dünkel, the German consumer organizations’ legal officer, said in a statement. “Tracking cookies enable website operators and third-party providers to make a comprehensive evaluation of the surfing and usage behavior of customers.”

A representative for Planet 49 did not immediately respond to a request for comment.

In its ruling, the Luxembourg-based court also said that selecting a button to participate in a lottery was not sufficient to be considered valid consent. Instead, websites must give users sufficient information on what will be done with their collected data and what steps they can take to limit it.

“The information that the service provider must give to a user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies,” the judges concluded.

While the ruling represents a win for privacy campaigners, it not clear how it will be enforced or whether it will lead to an increase in so-called pop-ups prompting users for consent to have their data gathered. Europe’s existing rules — known as the cookie directive — were criticized for bombarding users with such pop-ups, which many people agree to without reading the fine print.

Tuesday’s judgment “indicates a direction in how the laws are moving,” said Luca Tosoni, a privacy researcher at the University of Oslo.

Under the EU’s new data protection rules, which came into force in May 2018, companies faced a new obligation to detail what information they were collecting and what other firms would be given access to the information.

But several lawsuits, including one from Austrian privacy campaigner Max Schrems, argue that websites are bypassing those obligations, notably by making access to online services such as Google and Facebook conditional on providing consent for data gathering. Both companies deny any wrongdoing.

Rulings on Schrems’ complaints are expected to be published next year.

Tuesday’s judgment “indicates a direction in how the laws are moving,” said Luca Tosoni, a privacy researcher at the University of Oslo. “The degree of autonomy that is given to people over how they are able to give their consent is rather big.”