After the position taken by the ECJ in the Planet49 case, the EDPB in its guidelines, also the German federal court held that privacy consent is necessary to the usage of cookies.
The decision of the German court on privacy consent to the usage of cookies
The long-awaited decision of the German Federal Court (BGH) on the question of whether cookies require consent in Germany has been made. The court affirms the obligation to obtain privacy consent to the usage of cookies, and thus obliges website operators to ask users for their permission before cookies are stored or read on their end devices.
It is thus clear that users must be prepared to encounter even more consent queries and cookie banners when surfing the Internet than before. It is also clear that website operators who (at least also) finance themselves through online advertising or who are dependent on re-marketing for their products or services will probably have to reckon with losses because necessary consent is not given. But even for simple analytics tools, there is now a consent requirement. Companies that do not yet obtain consent or do not yet adhere to the strict requirements for informed consent are well advised to adapt their processes as quickly as possible – it is to be expected that competitors, data protection authorities, website users and, not least, consumer protection associations will now take action (the latter, however, only to the extent that they are entitled to sue, see also on our blog).
The background of the case
The basis for the decision of the BGH is a complaint by the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband e.V.). (“vzbv”) against Planet49 GmbH (“Planet49”).
Before passing judgment itself, the BGH referred a number of questions from the legal dispute to the European Court of Justice (ECJ) for decision. As covered in a previous post, the ECJ then ruled that
- an obligation to obtain cookie consent is independent of whether or not personal data are processed using the cookies, and
However, the European Court of Justice did not comment on the question of whether consent to cookies is currently required at all in Germany since the BGH therefore now had to answer this question.
The controversial legal background behind the consent requirement
Until now, it had been controversial whether the obligation to obtain privacy cookie consent, which is standardized at the European level, also applies in Germany. It can be argued that the German legislator has never transposed the consent requirement from the ePrivacy Directive into German law. At best, this requirement can be read into the regulations of the German Telemedia Act (TMG).
However, the TMG actually deals with the processing of personal data and especially the creation of pseudonymous user profiles, but not with cookies. An active consent requirement is also sought in vain in the TMG. Instead, this contains an opt-out solution against the creation of user profiles. In their guidance to telemedia providers, the German data protection authorities have thus far assumed that there is no consent requirement for cookies in Germany. And the European Commission was also of the opinion that the cookie consent from the ePrivacy Directive had not been transposed into German law.
The positions of the German court on privacy consent for cookies
Nevertheless, the BGH assumes in the present decision that the obligation to obtain cookie consent also applies in Germany. It clarifies that this consent requirement can be derived from an interpretation of the TMG which conforms to European law. The press release states in this regard:
“The interpretation of Section 15 (3) sentence 1 of the German Telemedia Act in conformity with the Directive does not preclude the fact that the German legislature has not yet adopted an act of transposition. This is because it can be assumed that the legislator considered the existing legal situation in Germany to be in conformity with the Directive. A corresponding interpretation in conformity with the Directive is still compatible with the wording of Section 15 (3) sentence 1 German Telemedia Act. In view of the fact that the legislator saw the Union law requirement for consent implemented in Section 15 (3) sentence 1 German Telemedia Act, the absence of (valid) consent, can be seen as the objection that – according to the provision – stands in the way of the lawfulness of the creation of user profiles.“
The BGH thus opts for a very far-reaching interpretation which clearly goes beyond the wording – a provision that deals with the processing of personal data is applied to cookies, even though cookies do not necessarily involve such processing. Furthermore, a mere right of objection is reinterpreted as an active consent requirement. The judgment is thus less guided by dogmatic considerations than by a recognizable desire to help European law requirements to be applied as far as possible, even if the legislator remains inactive (in fact, Germany should have implemented the consent requirement by May 2011).
What should operators do now?
Website operators must act now. There is no implementation period for companies with regard to the consent requirement for cookies. Rather, based on the interpretation of the BGH, this has de facto applied since the creation of the TMG in its current form.
Even website operators who have already obtained cookie consent should check their processes once again for conformity with the requirements of the ECJ and the BGH.
In the context of creating the declaration of cookie consent, website operators should also check whether, in addition to consenting to the storage of cookies (this is the only point to which the decision of the BGH refers), they would also like to obtain consent to data processing that is made possible with the help of cookies. According to the German data protection authorities, such consent to data processing is not covered by “mere” cookie consent but must be requested separately from the user.
The German data protection authorities require such consent for certain tools that function via cookies (see the supervisory authorities’ guidance for telemedia providers). So far, however, the authorities have not expressed an opinion on, among other things, the question of whether cookie consent and consent to data processing can be linked. It has also not been conclusively clarified whether users of (free) online offers can be obliged to give their consent to cookies or data processing.
It is quite obvious that the topic of cookies remains complex and confusing even after the decision of the BGH in the Planet49 case. Website operators should obtain comprehensive information and adapt their processes to the applicable requirements. This is the only way to reduce the risk of possible legal disputes – whether with the competent data protection authority, users, consumer protection associations or competitors.
The effects of the decision of the BGH should not be underestimated. This applies in particular with regard to action by competitors and consumer protection associations.
On the same topic, you may find interesting the article “Did you update your cookies privacy consent after the EDPB position?” where I outline the position taken by the European Data Protection Board on cookies in their guidelines.