IT Law and Data Protection07.07.2020 Newsletter
"Planet49" decision by the Federal Supreme Court: Pre-selected opt-in does not provide effective consent to cookies
A recently published decision of the German Federal Court of Justice (BGH) of 28 May 2020 (Az. I ZR 7/16) makes it necessary to modify many cookie banners. Tracking cookies for analysis or marketing purposes on websites require the use of consent management tools. In addition, privacy notices must be adapted.
While only a press release on the decision was available at first, the BGH has now published the decision including reasons after a long waiting period. In view of the previous judgement of the European Court of Justice (ECJ) in this case, it is not entirely surprising that the decision of the BGH will result in a significant change in practice, possibly with major economic consequences for online marketing.
What was the previous practice?
Tracking cookies (or similar techniques) have often been used in Germany at the time of the first visit to the website and from then on have (also) processed personal data of the website users. The user was only granted a right of objection (opt-out) if he or she did not agree to the use of tracking cookies. With the help of a cookie banner and the corresponding privacy notices, the user was informed about the use of tracking cookies and consent was assumed by implicit action (e.g. further use of the website). From a legal point of view, the German Telemedia Act (TMG) was taken into account in particular, which allowed the use of user profiles on the basis of a right of objection. It had already been discussed and decided for some time that a user's consent according to the requirements of the GDPR in the sense of a prior explicit activity is not thereby obtained.
What did the BGH decide?
In the case of the German lottery provider "Planet49", the BGH decided on questions regarding the use of tracking cookies that allow data to be collected by third parties (so-called third-party cookies) in response to a complaint filed by the Federal Association of Consumer Centres and Consumer Associations (vzbv). Prior to the decision, the Federal Court of Justice had submitted specific questions to the European Court of Justice on the interpretation of relevant European regulations.
In this case, the ECJ already decided on October 1, 2019 - Case C-673/17 that an effective consent must be actively granted in accordance with the requirements of the E-Privacy Directive 2002/58/EU, but also in accordance with the former legal situation of the Federal Data Protection Act (BDSG) and the GDPR. According to the ECJ, no effective consent is given if the storage of information using cookies is permitted by a preset checkbox which the user must uncheck to refuse consent (so-called opt-out). In addition, the ECJ has ruled that information on the duration of the functionality of the cookies and on whether third parties may have access to the cookies is part of the information that the service provider must provide to the user of a website before giving consent.
In its decision of 28 May 2020, the BGH has now confirmed the ECJ's decision. According to this decision, consent can only be given effectively if the user actively sets the checkboxes. As far as the checkboxes are preset in the declaration of consent, no effective consent is given. The BGH also addressed the previously unclear legal situation with regard to Section 15 (3) sentence 1 TMG. For in this respect, it was still unclear after the ECJ ruling whether the German Telemedia Act, which is still in force in Germany, continued to allow easier handling until the German legislator amended the law. In the opinion of the BGH, however, the provision in the German Telemedia Act must be interpreted to the effect that Section 15 (3) sentence 1 of the German Telemedia Act also requires the user's active consent as described above. It follows from this that the existing legal situation in Germany already requires an explicit and active consent of the user, for which the website operator is not allowed to pre-select the checkboxes. This requirement therefore does not only arise with a change in the law of the TMG.
How do the data protection authorities proceed?
Several European data protection supervisory authorities considered the use of cookies for specific purposes under the GDPR to be permissible only on the basis of active user consent even before the decision of the Federal Court of Justice. The German data protection authorities pointed out in a guideline for providers of telemedia in 2019 that the use of technically unnecessary cookies is in principle only permissible after the effective consent of the user. This assessment was also shared by the French and Dutch data protection authorities and the ICO in the UK. For the legal assessment of the data protection authorities, the technical processes used or the type of cookies used are not the decisive criteria. Rather, it depends on the purpose behind the processing. The authorities have divided the multitude of possible purposes that are pursued in practice with the use of cookies into certain categories: functionality, analytics and marketing tracking. In the opinion of the data protection authorities, however, consent is always required for cookies unless they are technically necessary for the provision of the website.
The European Data Protection Board (EDPB) has also pointed out in a separate guideline that so-called cookie-walls, i.e. tools that only allow the user to access the website if he or she has given his or her consent to the use of non-technically necessary cookies, are inadmissible. The user must therefore be able to use the website regardless of any possible consent. This statement can lead to misunderstandings, because many of the common and recommendable tools are still commonly referred to as "cookie-wall".
Consent is to be obtained effectively on the basis of Art. 7 GDPR. For this purpose, the user has informed consent, separately, voluntarily and actively to give. Furthermore, it must be noted that cookies shall not be used and data transmitted before consent is given.
How does this decision affect practice?
In our view, this leads to the following consequences:
- The use of cookies for analysis and marketing purposes with the usual "cookie banners" and the assumed or implied consent does not comply with the requirements of the TMG, GDPR and the e-privacy directive.
- Before using these cookies, the user must give his or her effective consent in accordance with the requirements of the GDPR. Checkboxes must not be preset. However, consent is not required for technically necessary cookies (this is often represented in practice by a preset checkbox).
- Cookies that are not technically necessary may not be used and transmit data before consent is given.
- Consent management solutions, for example, are necessary to effectively obtain and adequately document consent and to manage changes (withdrawal of consent), etc. Certain classifications of the cookies can be made. Classifications are especially functionality, analytics and marketing.
- Avoidance of so-called cookie walls in the sense of the EDPB guidelines. The user must also be able to use the website without consent to cookies for functionality, analytics and marketing.
- The privacy notices used so far are to be adapted to the extended requirements of the BGH and ECJ, in particular functional duration of cookies and access by third parties.
- It follows from the decision of the BGH that an immediate change is recommended. Individual actions by consumers or consumer protection associations and related warnings from competitors as well as measures by the data protection authorities can now be expected immediately.
It is still unclear how the website operator may design the cookie management solution. In this respect, the question arises in particular whether the newly designed cookie banner appearing first may, in addition to the general information text (with a link to the detailed cookie policy), only provide two boxes with which the user can either accept all cookies or access the cookie settings. With this solution, the user would only be able to select individual cookie categories on a second page or make the settings so that no further cookies are set ("Alternative 1"). In this context, it is questionable whether consent is still voluntary if the user has to make several clicks in order to use the website, if the user does not wish to consent to the use of these cookies, whereas consent is faster for all cookies.
A different and certainly permissible design of the cookie management solution would therefore be for the user to be shown the selection options for all categories of cookies on the first page of the new cookie banner and to be able to accept all cookies directly with one click or to make his selection with several clicks ("Alternative 2").
Neither the German data protection authorities nor the courts have (currently) commented on this issue. When using alternative 2, it can be assumed that the cookie banner and thus the obtaining of consent is permissible. Alternative 1 has been classified as inadmissible by the Danish data protection authority because there is a certain compulsion to give consent to all cookies. This decision by the Danish data protection authority does not have a binding effect on German companies, but it could have a signal effect on the view of the German data protection authorities.