Module 8 · Web cookies, Article 5(3) & the Planet49 ruling

A cookie is a text file on a device; cookie data is personal data (Recital 30) and processing is subject to the GDPR. ePrivacy Article 5(3) requires prior, informed consent to store/access info on terminal equipment; strictly necessary cookies are exempt. Implied consent (continued browsing) is no longer acceptable - consent must be a specific, informed, unambiguous, affirmative act. The Planet49 ruling (CJEU, Oct 2019) confirmed cookie consent needs active behaviour.

A web cookie is a text file stored on a device; cookie data is personal data (Recital 30), so processing is subject to the GDPR. ePrivacy Article 5(3) requires prior, informed consent to store or access information on terminal equipment; strictly necessary cookies (and transmission-only) are exempt.

Post-GDPR, implied consent (continued browsing) is no longer acceptable - consent must be a specific, informed, unambiguous, affirmative act. The Planet49 ruling (CJEU, October 2019) confirmed cookie consent must be active behaviour, applies even to non-personal data, and must inform about cookie duration and third-party access. See also the EDPB Cookie Banner Taskforce and Guidelines 2/2023 on Article 5(3) technical scope.

Key terms - quick answers

What is “Planet49”?

CJEU ruling (October 2019) confirming cookie consent must be active behaviour, applies even to non-personal data, and must inform users about cookie duration and third-party access.

What is “Strictly necessary cookies”?

Cookies essential to provide a service the user requested (and transmission-only cookies); exempt from the Article 5(3) consent requirement.

What is “Implied consent”?

Treating continued browsing as agreement; no longer acceptable post-GDPR - consent must be a specific, informed, unambiguous, affirmative act.