Here we go through the decision and the impact it will have for German websites.
- German Top Court BGH clarifies §15(3) of the Telemedia Act.
- Using cookies require users’ active and explicit consent
- Checkboxes for cookies must be “un-ticked” per default
What is the BGH decision on cookies about?
This is the decision by the German Bundesgerichtshof (BGH) on May 28th, 2020, on the requirements for placing cookies on internet users’ end-devices (computers, smartphones, tablets).
The BGH ruling follows the decision by the European Court of Justice (CJEU) in the same case against German website lottery Planet49.
The decision confirms that consent is not valid, if it is obtained using pre-ticked checkboxes or if the consent is obtained implicitly.
- 2013 - The issue of consent was first raised by the Federation of German Consumer Organizations (VZBV).
- 2017 - BGH suspends the proceedings and sent the decision in the hands of the European Court of Justice (CJEU).
- 2020 - on May 28th, the BGH gives its decision in the case against lottery website Planet49, which follows the direction of the CJEU.
It has long been unclear, whether – and how – consent for cookies was to be obtained when looking solely at the German Telemedia Act (TMG).
Whereas the TMG previously could be understood in such a way that the user only had to be able to object to cookies, this is no longer the case.
“The service provider may create user profiles
for the purposes of advertising, market research…
unless the user objects”
Telemedia Act (TMG) §15 Data Usage
For website operators this results in the obligation to obtain an active and explicit consent for it to be valid.
ePrivacy Directive 2002/58/EC - Art.5(3)
Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/ 46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller.
With BGH’s interpretation of the TMG, most websites are now required to update their cookie consent banners to meet the new rules for consent.
Continued use of a website does not constitutes active or explicit consent. Cookies can only be set by a website, if the user is informed about cookies and has given an active indication to accept cookies – a yes or a no to cookies.
*Necessary cookies do not require consent. These are cookies which are technically necessary for a website to function. Necessary cookies are typically shopping cart cookies, login cookies, language preference on multilingual websites or cookies which store cookie consents.
What constitutes valid consent to cookies?
First, is the decision only about cookies? No.
A cookie consent can only be obtained with a cookie pop-up (or banner) in which the user has the possibility to reject cookies; where cookies are not “accepted” by default (pre-checked) and where consent is as easy to withdraw as it is to give.
Consent must be declared by clicking on an accept button and checkboxes must as default be set un-ticked. Opt-out options are no longer permitted.
To document consent, it is necessary to store the collected user consents. Make sure your cookie banner or cookie solution stores your users' consents for 5 years.
What are the consequences for non-compliance?
Failing to comply with the new requirements comes with a risk.
First, the supervisory authorities are likely to take a closer look at non-compliant websites. This regardless of an inspection is the result of a consumer complaint or by an unsolicited visit.
Second, non-compliance may not only bear the risk of warnings and fines, but also bad publicity.
The fines for not complying with the processing of personal data using cookies are rather high. According to the General Data Protection Regulation (GDPR) fines are issued at €20M or 4% of the annual global turnover, also for non-compliance to cookies.
How can your website collect valid consent?
When it comes to informing users of cookies, collecting and storing valid consent, you should use a certified Consent Management Platform.
With a Consent Solution from Cookie Information, your website gets a consent pop-up that:
Cookie Information's consent pop-up
- Informs your visitors of cookies (who owns them; their purpose; lifespan)
- Provides your visitors with the option to decline cookies (and tracking)
- Holds back cookies before consent is obtained
- Does not assume consent with pre-ticked boxes
- Collects and stores consents for 5 years (in case of inspection by DPA).
Your website gets a cookie banner which can be customized with company logo and colors.
Moreover, Cookie Information stores every single consent for 5 years, so your company can document consents to the Data Protection Authorities.
With Cookie Information’s Cookie Consent Solution your website will meet the requirements of the decision made by the Bundesgerichtshof.