Please note: the legal situation has changed since this article was published. Some of the information may be outdated.
TL;DR:
We’re getting down to the nitty-gritty, or addressing the sweet temptation at least. The Planet49 case gave the European Court of Justice an opportunity to address the question of technical cookies. It decided that cookies require consent unless they are necessary for the provision of the service—which leaves a bitter aftertaste for the marketing industry. This article outlines the background and need for action.
Updated legal evaluation
The handling of cookies and similar data storage approaches has been controversial for a long time. The widely held view was that Germany had not implemented European legal requirements well, but many lawyers argued that the situation ultimately led to cookies themselves being permitted in Germany without any significant restrictions, with only general privacy requirements applying. This changes with the judgment of the European Court of Justice in the matter of “planet49”. The ruling echoes loudly through the office halls of data protection practitioners, lawyers, and also marketing experts—because, in short, it says: no cookies without explicit, clear consent (in many cases, that is).
The verdict concretely provides the following findings:
- The legal framework is such that the use of technically unnecessary cookies requires consent.
- Consent requires an active step by the respective user, given for the relevant case and in a concrete and explicit manner.
- Furthermore, consent is only sufficiently informed if the users can obtain concrete information about the purpose, scope and duration of the storage.
Conversely, this also means:
- The previous practice of showing a pure information banner or even only providing information in the data protection declaration is not permissible.
What remains unchanged:
- The evaluation of technically necessary cookies and similar storage (more on this below and in the questions and answers).
Legal proceeding and background
Legal action was initiated by a federal consumer protection association, the Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e. V., against the lottery provider planet49 GmbH at the district court of Frankfurt am Main as first instance. In the appeal, the German Federal Court of Justice (BGH, Bundesgerichtshof) dealt with the issue under file number I ZR 7/16 and decided to refer concrete legal questions to the European Court of Justice (German; external link to the website of the Federal Court of Justice)—its decision was published on 1 Oct 2019 (external link to the website of the European Court of Justice). The ruling concerns the question of whether applicable laws differentiate between personal and non-personal data, as well as the concrete requirements for the design of consent and the scope and presentation of the information provided.
Evaluation of the decision
Basically, the decision is far from surprising. Other EU countries have had stricter requirements for a long time. It was only a matter of time before the European Court of Justice decided and raised the bar of requirements. So far, so good. However, the law governing cookies is outdated and should have been replaced by new provisions at the same time as the GDPR became fully effective. But the political process came to a standstill before the law’s enactment, so that we now face two applicable laws that were not coordinated with each other. We are experiencing serious practical difficulties because no political agreement could be reached. In many ways, the law is not the best instrument to regulate the issues either—a technical standard of consent that is legally approved would be a superior solution.
The interpretation of the European Court of Justice is, by the way, in line with what the German Data Protection Conference has been advocating for some time and also with what it advocated in its Orientation support for providers of telemedia (Orientierungshilfe für Anbieter von Telemedien, external link to the Data Protection Conference website).
That the topics covered by the ruling can be judged very differently depending on the situation is one of the aspects I deem problematic. The transfer of data to third parties, for example, is very relevant in the context of third-party cookies. A solid evaluation could take into account differences between own first-party cookies and sharing data with third parties. Privacy protection is only relevant regarding personal and attributable data, but the legal interpretation is now farther-reaching and covers non-personal data, too. At the same time, it does not follow the path all the way down. But that’s the situation we’re facing and we’ll have to live with it.
Recommended action
Website operators should critically question their handling of data storage and cookies. This applies in particular to operators of business pages, but also to others. Depending on the situation, the best way may be to avoid cookies and advanced data processing. If cookies are technically necessary to keep the site functional (not to be read as: optimized), they are permitted to a certain extent (an individual case check remains necessary). In the future, consent will be required for access statistics, as we have practiced from the outset on our alliance’s site, for example.
The request for consent must be clear and requires active, confirmatory action on the part of the user. For example, this could be done by a query as follows:
We would like to know what is important to you. For this purpose, we would like to create pseudonymous statistics about user behaviour on our website. Please let us know whether you are fine with us using a cookie to re-identify you. [[If data is passed on, please add description, incl. potential recipients.]]
For further information, please have a look at our privacy policy.
[[Consent button]] [[Rejection button]]
It is essential that both consent and rejection are possible.
Questions and answers
For the sake of clarity, the questions and answers are presented in a separate document.
Authorities’ statements
For all those who wish to obtain information directly from the supervisory authorities, we share the following links to opinions without claiming to be exhaustive. Please note that the authorities also present their own legal opinions—often this is a convincing interpretation, but not necessarily always. Sometimes they just highlight individual aspects and others hardly appear or do not appear at all.
- Data Protection Conference (Conference of Independent Federal and State Data Protection Supervisory Authorities): Guidance by the supervisory authorities for providers of telemedia (German; external link)
- State Commissioner for Data Protection and Freedom of Information Baden-Württemberg: On the use of cookies and cookie banners; what is to be done with consents? (ECJ judgment “Planet49”) (external link); FAQ about Cookies and Tracking, https://www.baden-wuerttemberg.datenschutz.de/faq-zu-cookies-und-tracking-2/ (German; external link)
- The Hamburg Commissioner for Data Protection and Freedom of Information: Cookies also require consent in Germany (German; external link)
Downloads
For your convenience, we offer the following documents:
- A short summary in the form of preliminary questions and concrete steps to be taken
- A table for the preparation of the admissibility check and the facts relevant for the user information
Next steps and our offers
The most important thing now is to see for yourself what you’re doing in the context of cookies—and compare that with the new requirements. I, Rechtsanwalt Cevc from Erlangen, advise on IT law and data protection and thus also on these topics, if you would like to clarify borderline issues or obtain a specific assessment of your individual case.
Disclaimer: This text presents a simplified overview of the topic. It neither constitutes legal advice nor does it replace such advice.