A recently published decision of the German Federal Court of Justice (BGH) of 28 May 2020 (Az. I ZR 7/16) makes it necessary to modify many cookie banners. Tracking cookies for analysis or marketing purposes on websites require the use of consent management tools. In addition, privacy notices must be adapted.
While only a press release on the decision was available at first, the BGH has now published the decision including reasons after a long waiting period. In view of the previous judgement of the European Court of Justice (ECJ) in this case, it is not entirely surprising that the decision of the BGH will result in a significant change in practice, possibly with major economic consequences for online marketing.
What was the previous practice?
Tracking cookies (or similar techniques) have often been used in Germany at the time of the first visit to the website and from then on have (also) processed personal data of the website users. The user was only granted a right of objection (opt-out) if he or she did not agree to the use of tracking cookies. With the help of a cookie banner and the corresponding privacy notices, the user was informed about the use of tracking cookies and consent was assumed by implicit action (e.g. further use of the website). From a legal point of view, the German Telemedia Act (TMG) was taken into account in particular, which allowed the use of user profiles on the basis of a right of objection. It had already been discussed and decided for some time that a user's consent according to the requirements of the GDPR in the sense of a prior explicit activity is not thereby obtained.
What did the BGH decide?
In the case of the German lottery provider "Planet49", the BGH decided on questions regarding the use of tracking cookies that allow data to be collected by third parties (so-called third-party cookies) in response to a complaint filed by the Federal Association of Consumer Centres and Consumer Associations (vzbv). Prior to the decision, the Federal Court of Justice had submitted specific questions to the European Court of Justice on the interpretation of relevant European regulations.
In this case, the ECJ already decided on October 1, 2019 - Case C-673/17 that an effective consent must be actively granted in accordance with the requirements of the E-Privacy Directive 2002/58/EU, but also in accordance with the former legal situation of the Federal Data Protection Act (BDSG) and the GDPR. According to the ECJ, no effective consent is given if the storage of information using cookies is permitted by a preset checkbox which the user must uncheck to refuse consent (so-called opt-out). In addition, the ECJ has ruled that information on the duration of the functionality of the cookies and on whether third parties may have access to the cookies is part of the information that the service provider must provide to the user of a website before giving consent.
In its decision of 28 May 2020, the BGH has now confirmed the ECJ's decision. According to this decision, consent can only be given effectively if the user actively sets the checkboxes. As far as the checkboxes are preset in the declaration of consent, no effective consent is given. The BGH also addressed the previously unclear legal situation with regard to Section 15 (3) sentence 1 TMG. For in this respect, it was still unclear after the ECJ ruling whether the German Telemedia Act, which is still in force in Germany, continued to allow easier handling until the German legislator amended the law. In the opinion of the BGH, however, the provision in the German Telemedia Act must be interpreted to the effect that Section 15 (3) sentence 1 of the German Telemedia Act also requires the user's active consent as described above. It follows from this that the existing legal situation in Germany already requires an explicit and active consent of the user, for which the website operator is not allowed to pre-select the checkboxes. This requirement therefore does not only arise with a change in the law of the TMG.
How do the data protection authorities proceed?
The European Data Protection Board (EDPB) has also pointed out in a separate guideline that so-called cookie-walls, i.e. tools that only allow the user to access the website if he or she has given his or her consent to the use of non-technically necessary cookies, are inadmissible. The user must therefore be able to use the website regardless of any possible consent. This statement can lead to misunderstandings, because many of the common and recommendable tools are still commonly referred to as "cookie-wall".
Consent is to be obtained effectively on the basis of Art. 7 GDPR. For this purpose, the user has informed consent, separately, voluntarily and actively to give. Furthermore, it must be noted that cookies shall not be used and data transmitted before consent is given.
How does this decision affect practice?
In our view, this leads to the following consequences:
- Before using these cookies, the user must give his or her effective consent in accordance with the requirements of the GDPR. Checkboxes must not be preset. However, consent is not required for technically necessary cookies (this is often represented in practice by a preset checkbox).
- Cookies that are not technically necessary may not be used and transmit data before consent is given.
- Consent management solutions, for example, are necessary to effectively obtain and adequately document consent and to manage changes (withdrawal of consent), etc. Certain classifications of the cookies can be made. Classifications are especially functionality, analytics and marketing.
- Avoidance of so-called cookie walls in the sense of the EDPB guidelines. The user must also be able to use the website without consent to cookies for functionality, analytics and marketing.
- The privacy notices used so far are to be adapted to the extended requirements of the BGH and ECJ, in particular functional duration of cookies and access by third parties.
- It follows from the decision of the BGH that an immediate change is recommended. Individual actions by consumers or consumer protection associations and related warnings from competitors as well as measures by the data protection authorities can now be expected immediately.
A different and certainly permissible design of the cookie management solution would therefore be for the user to be shown the selection options for all categories of cookies on the first page of the new cookie banner and to be able to accept all cookies directly with one click or to make his selection with several clicks ("Alternative 2").
Neither the German data protection authorities nor the courts have (currently) commented on this issue. When using alternative 2, it can be assumed that the cookie banner and thus the obtaining of consent is permissible. Alternative 1 has been classified as inadmissible by the Danish data protection authority because there is a certain compulsion to give consent to all cookies. This decision by the Danish data protection authority does not have a binding effect on German companies, but it could have a signal effect on the view of the German data protection authorities.