Data ProtectionPrivacy

The German federal court rules on the obligation to obtain privacy consent to the usage of cookies

After the position taken by the ECJ in the Planet49 case, the EDPB in its guidelines, also the German federal court held that privacy consent is necessary to the usage of cookies.

This is a post initially published DLA Piper’s blog Privacy Matters by my colleagues Verena GrentzenbergKatharina Pauls and Jan Spittka.

The decision of the German court on privacy consent to the usage of cookies

The long-awaited decision of the German Federal Court (BGH) on the question of whether cookies require consent in Germany has been made. The court affirms the obligation to obtain privacy consent to the usage of cookies, and thus obliges website operators to ask users for their permission before cookies are stored or read on their end devices.

It is thus clear that users must be prepared to encounter even more consent queries and cookie banners when surfing the Internet than before. It is also clear that website operators who (at least also) finance themselves through online advertising or who are dependent on re-marketing for their products or services will probably have to reckon with losses because necessary consent is not given. But even for simple analytics tools, there is now a consent requirement. Companies that do not yet obtain consent or do not yet adhere to the strict requirements for informed consent are well advised to adapt their processes as quickly as possible – it is to be expected that competitors, data protection authorities, website users and, not least, consumer protection associations will now take action (the latter, however, only to the extent that they are entitled to sue, see also on our blog).

The background of the case

The basis for the decision of the BGH is a complaint by the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband e.V.). (“vzbv”) against Planet49 GmbH (“Planet49”).

Planet49 used information texts with checkboxes as part of an online competition. One of these texts referred to a web analysis service that uses cookies to collect information about the surfing and usage behavior of the participants. Participants in the competition were asked to agree to the use of this service. The checkbox belonging to the information text was already provided with a preset check mark, which the participants had to remove manually in order to refuse their consent.

Before passing judgment itself, the BGH referred a number of questions from the legal dispute to the European Court of Justice (ECJ) for decision. As covered in a previous post, the ECJ then ruled that

  1. no valid consent to the use of cookies can be obtained through the use of a preset checkbox – rather, this requires active behavior on the part of the user (such as checking a box that was previously unchecked);
  2. an obligation to obtain cookie consent is independent of whether or not personal data are processed using the cookies, and
  3. the user must be provided with information on the duration of the cookies’ function and whether third parties have access to the cookies in order to be able to give informed consent to the use of cookies.

However, the European Court of Justice did not comment on the question of whether consent to cookies is currently required at all in Germany since the BGH therefore now had to answer this question.

The controversial legal background behind the consent requirement

Until now, it had been controversial whether the obligation to obtain privacy cookie consent, which is standardized at the European level, also applies in Germany. It can be argued that the German legislator has never transposed the consent requirement from the ePrivacy Directive into German law. At best, this requirement can be read into the regulations of the German Telemedia Act (TMG).

However, the TMG actually deals with the processing of personal data and especially the creation of pseudonymous user profiles, but not with cookies. An active consent requirement is also sought in vain in the TMG. Instead, this contains an opt-out solution against the creation of user profiles. In their guidance to telemedia providers, the German data protection authorities have thus far assumed that there is no consent requirement for cookies in Germany. And the European Commission was also of the opinion that the cookie consent from the ePrivacy Directive had not been transposed into German law.

The positions of the German court on privacy consent for cookies

Nevertheless, the BGH assumes in the present decision that the obligation to obtain cookie consent also applies in Germany. It clarifies that this consent requirement can be derived from an interpretation of the TMG which conforms to European law. The press release states in this regard:

The interpretation of Section 15 (3) sentence 1 of the German Telemedia Act in conformity with the Directive does not preclude the fact that the German legislature has not yet adopted an act of transposition. This is because it can be assumed that the legislator considered the existing legal situation in Germany to be in conformity with the Directive. A corresponding interpretation in conformity with the Directive is still compatible with the wording of Section 15 (3) sentence 1 German Telemedia Act. In view of the fact that the legislator saw the Union law requirement for consent implemented in Section 15 (3) sentence 1 German Telemedia Act, the absence of (valid) consent, can be seen as the objection that – according to the provision – stands in the way of the lawfulness of the creation of user profiles.“

The BGH thus opts for a very far-reaching interpretation which clearly goes beyond the wording – a provision that deals with the processing of personal data is applied to cookies, even though cookies do not necessarily involve such processing. Furthermore, a mere right of objection is reinterpreted as an active consent requirement. The judgment is thus less guided by dogmatic considerations than by a recognizable desire to help European law requirements to be applied as far as possible, even if the legislator remains inactive (in fact, Germany should have implemented the consent requirement by May 2011).

In doing so, the BGH not only upholds the vzbv’s claim, but also generally ensures that website operators who use cookies are affected to a large extent. This is because – in order not to expose themselves to a considerable risk – they must obtain consent to the use of cookies.

What should operators do now?

Website operators must act now. There is no implementation period for companies with regard to the consent requirement for cookies. Rather, based on the interpretation of the BGH, this has de facto applied since the creation of the TMG in its current form.

If no consent to the use of cookies has been obtained so far, the existing processes should urgently be adapted. The aim is to provide users with a cookie consent form that meets the applicable requirements of the GDPR and, in particular, implements the ECJ requirements described above. Consent is now required for all cookies that are not strictly necessary for the operation of the website. Both analysis cookies and all advertising tracking cookies are thus subject to consent and may not be stored on the user’s terminal device or read from there before consent is granted by the user. The only exception to this is so-called strictly necessary cookies, i.e. cookies that are technically required for the secure operation of the website. Only with the introduction of the planned ePrivacy Regulation is there hope that website operators will be able to carry out at least certain website analyses again without cookie consent.

Even website operators who have already obtained cookie consent should check their processes once again for conformity with the requirements of the ECJ and the BGH.

In the context of creating the declaration of cookie consent, website operators should also check whether, in addition to consenting to the storage of cookies (this is the only point to which the decision of the BGH refers), they would also like to obtain consent to data processing that is made possible with the help of cookies. According to the German data protection authorities, such consent to data processing is not covered by “mere” cookie consent but must be requested separately from the user.

The German data protection authorities require such consent for certain tools that function via cookies (see the supervisory authorities’ guidance for telemedia providers). So far, however, the authorities have not expressed an opinion on, among other things, the question of whether cookie consent and consent to data processing can be linked. It has also not been conclusively clarified whether users of (free) online offers can be obliged to give their consent to cookies or data processing.

It is quite obvious that the topic of cookies remains complex and confusing even after the decision of the BGH in the Planet49 case. Website operators should obtain comprehensive information and adapt their processes to the applicable requirements. This is the only way to reduce the risk of possible legal disputes – whether with the competent data protection authority, users, consumer protection associations or competitors.

The effects of the decision of the BGH should not be underestimated. This applies in particular with regard to action by competitors and consumer protection associations.

It remains to be seen whether data protection authorities will now also change their line. They have already vehemently argued that the data processing enabled by cookies are in many cases subject to consent. Admittedly, no case is known to date in which they have imposed a fine in connection with cookies and tracking in Germany. However, this may well change due to the great attention currently being paid to this topic. If the use of cookies is also accompanied by illegal data processing, the GDPR provides for fines of up to EUR 20 million or 4% of the total worldwide annual turnover of the previous financial year. If, however, “only” the cookie consent is missing, the lower TMG fine-scale (fines up to 50,000 EUR) would be used at best – but in fact, there is no relevant provision. And an interpretation in conformity with the Directive with regard to fines would not be compatible with the principle of legal certainty (Article 103 (2) of the German Constitution).

On the same topic, you may find interesting the article “Did you update your cookies privacy consent after the EDPB position?” where I outline the position taken by the European Data Protection Board on cookies in their guidelines.

Don't miss our weekly insights

Tags
Show More

Giulio Coraggio

I am the head of the Italian Technology sector and the global head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our clients' success.

Related Articles

Back to top button
Close