Cookies without Consent

BGH decided on 28 May 2020 (re I ZR 7/16 - „Planet49“) on the question whether German law requires website operators to request permission from visitors for setting cookies (opt-in) or whether an approval may be assumed and the visitor may subsequently deny the cookie placing (opt-out).

website cookies require user opt-in

Planet49 GmbH

Planet49 GmbH utilized boxes that were already checked with their online cookie guidelines, and so approved the use of cookies. In one instance, Regional Court Frankfurt granted the motions of the Federation of German Consumer Organizations (Bundesverband der Verbraucherzentralen und Verbraucherverbände, vzbv) and decided that consent as an opt-in is necessary when cookies are set. This decision was overturned by the Higher Regional Court in Frankfurt to the effect that, due to the wording of the German Telemedia Act, consent to cookie use can also be granted as an opt-out.

 

Cookies in Conflict with German Telemedia Act and ePrivacy Directive

The reason for the present legal dispute is the contradiction between the German Telemedia Act and the ePrivacy Directive. Directives are European legal acts that must be implemented into national law by the Member States. In contrast to the ePrivacy Directive, §12 I TMG, as the German implementation law, only covers personal data. In addition, §15 III TMG allows service providers to create user profiles when using pseudonyms for the purposes of advertising, market research or for the needs-tailored design of the service provided the user does not object to this. Such an “opt-out” mechanism is not in line with the ePrivacy Directive nor the GDPR, as it follows from the Directive that the user must expressly consent to cookie use (through an opt-in).

The German supervisory authorities had already taken a position on the use of cookies in April 2019. They are of the opinion that they neither applied an interpretation in conformity with the Directive nor a direct effect of §5 III ePrivacy Directive. Additionally, the European Data Protection Board (EDPB) recently clarified the conditions of consent and pointed out that consent must be given clearly for setting of cookies and that further scrolling (with opt-out) on the respective website is not sufficient. (Please see the EDPB’s Opinion.)

With today's ruling, the German Federal Court of Justice has clarified that §15 III TMG, despite its contradictory wording, must be interpreted in conformity with the Directive, resulting that the user must expressly consent to the storage of non-functional cookies (opt-in).

Websites are to Allow to Opt-in for Cookies

As a result, website operators can no longer rely on the fact that it would be possible to set cookies in Germany solely based on their legitimate interests. It is now necessary to obtain the consent of the website user for the setting of non-functional cookies (opt-in). This was previously at least justifiable with reference to the earlier statements of the German supervisory authorities and the wording of the regulations in the Telemedia Act.

Failing to comply with these new requirements bears the risk that competitors or consumer associations may issue admonishments with fines to website operators if they continue to use the (latest really now) illegal opt-out procedure. Furthermore, the supervisory authorities are likely to take a closer look at some websites based on this ruling, whether unsolicited or following a complaint by a data subject. In ongoing proceedings, it must be carefully reviewed whether the reasoning vis-à-vis the supervisory authority may need to be adjusted.

As the implementation of these new requirements are easily visible (and technically identifiable) on the website, non-compliance bears a high risk of cease-and-desist and supervisory admonishments.

Recommended Actions

Based on the above ruling, it is now required that the "active" consent is obtained. Website operators should check whether they still set cookies relying on the opt-out procedure. If this is the case, operators should switch the setting of cookies to an opt-in procedure, i.e. obtain consent of the website user before setting a non-functional cookie. This consent must be explicit and cannot be given by pre-checking a box for “automatic” approval but requires the visitor to tick the box or press a slide switch – for example.