Court case 327 O 38/25 – Court Ruling (Germany, 2025)
A German court investigated an airline for using pre-ticked consent boxes on its website, which made it easy for users to unknowingly agree to terms. The court found that this practice violated rules about obtaining clear consent. This ruling is significant for all businesses that collect user consent online, as it sets a standard for how consent should be obtained.
What happened
A German court ruled that an airline's use of pre-ticked consent boxes on its website violated data protection rules.
Who was affected
Website visitors who interacted with the airline's booking system were affected by the consent practices.
What the authority found
The court held that the airline did not obtain valid consent from users, violating GDPR's requirements for clear and informed consent.
Why this matters
This ruling emphasizes the need for businesses to ensure that consent mechanisms are transparent and allow users to make informed choices. Companies should review their consent practices to comply with legal standards.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A court began investigating an airline company (the controller) for their potential consumer, competition and data protection violations following a dispute between two companies. The controller implemented a pre-selected consent box on their website when searching for flights. While the box was initially not pre-ticked, the website automatically ticked the box if a data subject did not do so. This meant that data subjects automatically consented to the website’s terms of use by clicking the “search” button. Furthermore, the controller required data subjects to create an account when booking flights, and filled out some of the information automatically when creating an account. This was also the case if a data subject wished to only look at flights without booking. The opposing company argued that data subjects were not allowed to give meaningful consent, as the option cannot be de-selected. In addition, the controller processed data subjects’ data without a legal basis by requiring them to create an account and by automatically filling in information. The data subject argued that the controller processed data beyond what is necessary for a flight booking or search, in violation of the principle of data minimisation (Article 5(1)(c) GDPR). The controller also violated Article 7(4) GDPR by making the provision of its services conditional to the data subject’s consent. The controller argued that data subjects could easily access the website’s terms and conditions, and that the automatic ticking of the box did not force data subjects to consent. Furthermore, the controller processed only the necessary data when creating data subjects’ accounts. The court found that the controller violated the GDPR and consumer laws through its pre-ticked boxes. The court highlighted that the website misled data subjects into thinking they have a choice, when in reality the website ticked the box automatically. The court dismissed the controller’s argument that the message next to
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (1)
Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.
Art. 4(11) GDPR
Related Cases (0)
No other cases found for Court case 327 O 38/25 in DE
This is the only recorded case for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Court case 327 O 38/25 - Germany (2025). Retrieved from cookiefines.eu
Last updated: