Newsflash: “Cookies” only with (genuine) prior consent?

In light of the ECJ’s ruling of today, we would like to draw your attention to current developments on the use of tracking cookies for analytics or marketing purposes on websites. We expect a considerable need for changes in practice, with significant consequences for online marketing.

Practice to date

To date, in Germany tracking cookies (or similar technologies) were often set as early as at the time of first access to a website and the processing of personal (and other) data of the website users started as early as that. Users were only granted the right to object (opt-out) if they did not agree to the use of such tracking cookies. No consent pursuant to the requirements of GDPR, i.e. by a clear affirmative act, was obtained. By means of a cookie banner and a referenced data protection notice users were informed about the use of tracking cookies and it was assumed that consent was given by implied conduct (e.g. further use of the website).

Why was such practice permissible?

Although partially approved also in other EU countries, in Germany this practice was supported by the unclear legal situation. Although pursuant to “ePrivacy Directive” 2002/58/EC consent for the use of cookies has been required since 2009, according to the German Government the legal situation in Germany was more liberal. The German Telemedia Act (TMG) allowed the use of pseudonymous user profiles on the basis of an opt-out option. Despite criticism from the German data protection authorities, this law has not yet been repealed or amended.

EJC Ruling

Following a complaint by the Federation of German Consumer Organisations (vzbv), the European Court of Justice (ECJ) in the case of the German lottery operator “Planet49” - case C-673/17 - has ruled on questions concerning the use of tracking cookies that enable third parties to collect data (so-called third-party cookies). In his final opinion, the Advocate-General of the ECJ took the view that the setting of third-party cookies (in particular for advertising and analytics purposes) that are technically not required for the use of the website requires the active consent of the user. According to the Advocate-General, this applies both according to the former legal situation under the Federal Data Protection Act (BDSG) and/or the TMG as well as under the requirements of the GDPR.

Today, the ECJ has confirmed that consent, in order to be valid in accordance with the requirements of the ePrivacy Directive 2002/58/EC, the former legal situation under the BDSG, as well as the provisions of the GDPR, must be actively given. In the opinion of the ECJ, consent is not valid if the storage of information via a cookie is consented to by means of a pre-ticked box that users have to untick if they do not want to give their consent (so-called opt-out). Furthermore, the ECJ has ruled that information on the lifespan of cookies and on any potential third-party access to cookies have to be included in the information provided by the service provider to the users of a website prior to obtaining consent. On the other hand, the ECJ did not expressly comment on the question of the applicability of the German national provisions in the TMG. However, the national regulations of the TMG in Germany on the one hand and the requirements of the ePrivacy Directive 2002/58/EC that were confirmed by the ECJ today on the other hand are contradictory.

How do the data protection authorities proceed?

Several data protection supervisory authorities also hold that pursuant to the GDPR the use of cookies for certain purposes is only permissible on the basis of the active consent of the users. The German Data Protection Conference (DSK) in its Guidance for Telemedia Providers has pointed out that, in principle, the use of technically not required cookies is only permissible with the valid consent of the user. This assessment is also shared by the French and Dutch data protection authorities as well as by the ICO in the UK. For the legal assessment of the supervisory authorities, the technical procedures used or the type of cookies used are not the decisive criterion, but rather the purpose of the processing. The authorities have divided the various potential purposes for the use of cookies into certain categories: functionality, range measurement (analytics), and (marketing) tracking. In the opinion of the data protection authorities, consent to the use of cookies is always required, unless they are technically required for the provision of the website functions.

Consent has to be obtained validly on the basis of Art. 7 GDPR, i.e. users must give their consent freely, specifically, on an informed basis, and actively. Moreover, no such cookies may be used and no data may be transferred before consent has been obtained.

How does the European legislation proceed?

On 18 September 2019, the EU Council Presidency published a new proposal for the E-Privacy Regulation. According to Art. 8 of the draft E-Privacy Regulation, the processing of data with the help of cookies will only be permitted if the processing is required for the provision of the respective service or if the end user has given its prior consent. The consent requirements correspond to those of the GDPR. Accordingly, the above developments are also likely to be confirmed by the proposed E-Privacy Regulation.

What are the implications for the practice?

From our point of view, this may lead to the following consequences:

  • The use of cookies for analytics and marketing purposes with the so far common "cookie banners", does no longer comply with the requirements of the GDPR and the E-Privacy Directive.
  • Before using these cookies, the user must give his or her consent in accordance with the requirements of the GDPR.
  • Consent management solutions (or “cookie walls”) might be required in the future, that effectively obtain and adequately document such consent.
  • The data protection notice previously used must be updated with regard to the use of cookies.

In practice, the difficult question now arises as to when the conversion should be carried out. Although the ECJ does not expressly comment on the German national provisions of the TMG, today's ruling confirms that the TMG regulations used so far, no longer comply with the applicable European law. It is therefore to be expected that the BGH will decide in favor of the plaintiff vzbv in the specific case to be decided. In addition, the German legislator is called upon to amend the legal situation.

However, it is questionable whether companies can lean back and wait until the TMG has been amended. Individual complaints by consumers or consumer protection associations and corresponding cease and desist letters from competitors as well as measures by the data protection supervisory authorities are now soon to be expected.

We will be happy to advise you, e.g. on the search and selection of a suitable consent management tool as well as on the necessary adjustments to the data protection notice.

Share this post:

Dr. Marc Hilber<br/>LL.M. (Illinois)

Dr. Marc Hilber
LL.M. (Illinois)

Konrad-Adenauer-Ufer 23
50668 Cologne
T +49 221 2091 612
M +49 172 3808 396



More posts