Under the ePrivacy Directive, websites are required to obtain visitor consent to cookies (except cookies which are necessary for the service), and to provide visitors with clear and comprehensive information about cookies. In this case, both Regulation (EU) 2016/679 (GDPR) as well as Directive 95/46/EC (Data Protection Directive) were relevant. The Advocate General confirmed his view that the requirements for consent are the same under the Data Protection Directive and the GDPR.
In applying these requirements, the Advocate General explained as follows: "requiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent" under the Data Protection Directive and now enshrined in the GDPR, taking into account the definition of "consent" and the statement in recital 32 that 'consent should be given by a clear affirmative act'.
On the second question referred by the CJEU, the Advocate General found that that the clear and comprehensive information that must be provided to a website visitor under the ePrivacy Directive includes (among other things): (a) the duration of the cookies; and (b) third party access to cookies. This will be of interest to websites which do not currently set out cookie duration in their cookies policy.
This matter was referred to the CJEU by the German Federal Court of Justice to clarify how EU data protection law on cookies and consent should be interpreted. We now await the ruling of the CJEU, which is expected to issue its judgment in the coming months. The non-binding opinion of the Advocate General is available in English here.