What is the BGH decision on cookies about?
Timeline
- 2013 – The issue of consent was first raised by the Federation of German Consumer Organizations (VZBV).
- 2017 – BGH suspends the proceedings and sent the decision in the hands of the European Court of Justice (CJEU).
- 2019 – On October 1, the CJEU gives its judgements in the now famous case against German website lottery Planet49 on the validity of consent for the use of cookies.
- 2020 – on May 28th, the BGH gives its decision in the case against lottery website Planet49, which follows the direction of the CJEU.
What effect will the BGH ruling have on the use of cookies?
It has long been unclear, whether – and how – consent for cookies was to be obtained when looking solely at the German Telemedia Act (TMG).
Whereas the TMG previously could be understood in such a way that the user only had to be able to object to cookies, this is no longer the case.
“The service provider may create user profiles
for the purposes of advertising, market research…
unless the user objects”Telemedia Act (TMG) §15 Data Usage
With the decision, the BGH stated that Section 15(3) of the German Telemedia Act is to be interpreted in line with Article 5(3) of the ePrivacy Directive. This means that the use of cookies for advertising or market research requires the consent of the user.
For website operators this results in the obligation to obtain an active and explicit consent for it to be valid.
EPRIVACY DIRECTIVE 2002/58/EC – ART.5(3)
Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/ 46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller.
With BGH’s interpretation of the TMG, most websites are now required to update their cookie consent banners to meet the new rules for consent.
Pre-ticked check boxes for cookies or implicit consent with consent banner texts: “We use cookies – if you continue to use our website, you agree to the use of cookies” are no longer allowed for.
Continued use of a website does not constitutes active or explicit consent. Cookies can only be set by a website, if the user is informed about cookies and has given an active indication to accept cookies – a yes or a no to cookies.
*Necessary cookies do not require consent. These are cookies which are technically necessary for a website to function. Necessary cookies are typically shopping cart cookies, login cookies, language preference on multilingual websites or cookies which store cookie consents.
What constitutes valid consent for cookies?
Consent must be declared by clicking on an accept button and checkboxes must as default be set un-ticked. Opt-out options are no longer permitted.
To document consent, it is necessary to store the collected user consents. Make sure your cookie banner or cookie solution stores your users’ consents for 5 years.
WHAT ARE THE CONSEQUENCES FOR NON-COMPLIANCE?
Failing to comply with the new requirements comes with a risk.
First, the supervisory authorities are likely to take a closer look at non-compliant websites. This regardless of an inspection is the result of a consumer complaint or by an unsolicited visit.
Second, non-compliance may not only bear the risk of warnings and fines, but also bad publicity.
The fines for not complying with the processing of personal data using cookies are rather high. According to the General Data Protection Regulation (GDPR) fines are issued at €20M or 4% of the annual global turnover, also for non-compliance to cookies.