In the decision’s reasoning, the CREU followed the view of the Article 29 Working Party, which has now been replaced by the European Data Protection Board. It states that a user must be expected to behave actively and not passively if the normative provision requires the user to give ‘consent’. Consent given through a preselected checkbox does not imply any active behavior on the part of the user of a website.
It is questionable what impact this CJEU ruling will have on the planned e-privacy regulation. The previous draft provides that consent may also be given, as far as technically possible and feasible, through the appropriate technical settings of software which enables access to the Internet (i.e. the Internet browser).
It should also be mentioned that the CJEU expressly did not have to deal with the “prohibition of coupling” and therefore made no statement on it. The prohibition of coupling prohibits making the performance of a contract, including the provision of a service, dependent on the consent to the processing of personal data, insofar as this data is not necessary for the performance of the contract. This would be the case, for example, if a website is made inaccessible to users who do not consent to the processing of their personal data. It is therefore currently not clarified whether such a coupling would be permissible.