Newsflash: “Cookies” only with (genuine) prior consent?
In light of the ECJ’s ruling of today, we would like to draw your attention to current developments on the use of tracking cookies for analytics or marketing purposes on websites. We expect a considerable need for changes in practice, with significant consequences for online marketing.
Practice to date
To date, in Germany tracking cookies (or similar technologies) were often set as early as at the time of first access to a website and the processing of personal (and other) data of the website users started as early as that. Users were only granted the right to object (opt-out) if they did not agree to the use of such tracking cookies. No consent pursuant to the requirements of GDPR, i.e. by a clear affirmative act, was obtained. By means of a cookie banner and a referenced data protection notice users were informed about the use of tracking cookies and it was assumed that consent was given by implied conduct (e.g. further use of the website).
Why was such practice permissible?
Following a complaint by the Federation of German Consumer Organisations (vzbv), the European Court of Justice (ECJ) in the case of the German lottery operator “Planet49” - case C-673/17 - has ruled on questions concerning the use of tracking cookies that enable third parties to collect data (so-called third-party cookies). In his final opinion, the Advocate-General of the ECJ took the view that the setting of third-party cookies (in particular for advertising and analytics purposes) that are technically not required for the use of the website requires the active consent of the user. According to the Advocate-General, this applies both according to the former legal situation under the Federal Data Protection Act (BDSG) and/or the TMG as well as under the requirements of the GDPR.
Today, the ECJ has confirmed that consent, in order to be valid in accordance with the requirements of the ePrivacy Directive 2002/58/EC, the former legal situation under the BDSG, as well as the provisions of the GDPR, must be actively given. In the opinion of the ECJ, consent is not valid if the storage of information via a cookie is consented to by means of a pre-ticked box that users have to untick if they do not want to give their consent (so-called opt-out). Furthermore, the ECJ has ruled that information on the lifespan of cookies and on any potential third-party access to cookies have to be included in the information provided by the service provider to the users of a website prior to obtaining consent. On the other hand, the ECJ did not expressly comment on the question of the applicability of the German national provisions in the TMG. However, the national regulations of the TMG in Germany on the one hand and the requirements of the ePrivacy Directive 2002/58/EC that were confirmed by the ECJ today on the other hand are contradictory.
How do the data protection authorities proceed?
Consent has to be obtained validly on the basis of Art. 7 GDPR, i.e. users must give their consent freely, specifically, on an informed basis, and actively. Moreover, no such cookies may be used and no data may be transferred before consent has been obtained.
How does the European legislation proceed?
On 18 September 2019, the EU Council Presidency published a new proposal for the E-Privacy Regulation. According to Art. 8 of the draft E-Privacy Regulation, the processing of data with the help of cookies will only be permitted if the processing is required for the provision of the respective service or if the end user has given its prior consent. The consent requirements correspond to those of the GDPR. Accordingly, the above developments are also likely to be confirmed by the proposed E-Privacy Regulation.
What are the implications for the practice?
From our point of view, this may lead to the following consequences:
- Before using these cookies, the user must give his or her consent in accordance with the requirements of the GDPR.
- Consent management solutions (or “cookie walls”) might be required in the future, that effectively obtain and adequately document such consent.
In practice, the difficult question now arises as to when the conversion should be carried out. Although the ECJ does not expressly comment on the German national provisions of the TMG, today's ruling confirms that the TMG regulations used so far, no longer comply with the applicable European law. It is therefore to be expected that the BGH will decide in favor of the plaintiff vzbv in the specific case to be decided. In addition, the German legislator is called upon to amend the legal situation.
However, it is questionable whether companies can lean back and wait until the TMG has been amended. Individual complaints by consumers or consumer protection associations and corresponding cease and desist letters from competitors as well as measures by the data protection supervisory authorities are now soon to be expected.
We will be happy to advise you, e.g. on the search and selection of a suitable consent management tool as well as on the necessary adjustments to the data protection notice.