German top court: No cookies without explicit user consent – a paradigm shift.

German top court: No cookies without explicit user consent – a paradigm shift.

The German Federal Court of Justice (BGH) has officially issued its requirements for the use of cookies and other telemarketing activities. The decision marks a paradigm shift for website operators now having to update their cookie pop-ups and privacy policies.

Does your website use cookies? Then there are major changes in Germany on how to obtain valid consent to cookies.

Here we go through the decision and the impact it will have for German websites.


Key takeaways

  • German Top Court BGH clarifies §15(3) of the Telemedia Act.
  • Using cookies require users’ active and explicit consent
  • Checkboxes for cookies must be “un-ticked” per default

What is the BGH decision on cookies about?

Any website in Germany that wants to use cookies for other than strictly necessary purposes may only do so with the active and explicit consent from the website user.

This is the decision by the German Bundesgerichtshof (BGH) on May 28th, 2020, on the requirements for placing cookies on internet users’ end-devices (computers, smartphones, tablets).

The BGH ruling follows the decision by the European Court of Justice (CJEU) in the same case against German website lottery Planet49.

The decision confirms that consent is not valid, if it is obtained using pre-ticked checkboxes or if the consent is obtained implicitly.

LINK: Official decision by the German Bundesgerichtshof (BGH) 

Timeline

  • 2013 - The issue of consent was first raised by the Federation of German Consumer Organizations (VZBV).
  • 2017 - BGH suspends the proceedings and sent the decision in the hands of the European Court of Justice (CJEU).
  • 2019 - On October 1, the CJEU gives its judgements in the now famous case against German website lottery Planet49 on the validity of consent for the use of cookies.
  • 2020 - on May 28th, the BGH gives its decision in the case against lottery website Planet49, which follows the direction of the CJEU.

LINK: EU Court of Justice's ruling in the case against Planet49

What effect will the BGH ruling have on the use of cookies?

It has long been unclear, whether – and how – consent for cookies was to be obtained when looking solely at the German Telemedia Act (TMG).

Whereas the TMG previously could be understood in such a way that the user only had to be able to object to cookies, this is no longer the case.

The service provider may create user profiles
for the purposes of advertising, market research…
unless the user objects”

Telemedia Act (TMG) §15 Data Usage

With the decision, the BGH stated that Section 15(3) of the German Telemedia Act is to be interpreted in line with Article 5(3) of the ePrivacy Directive. This means that the use of cookies for advertising or market research requires the consent of the user.

For website operators this results in the obligation to obtain an active and explicit consent for it to be valid.

ePrivacy Directive 2002/58/EC - Art.5(3)

Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/ 46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller.

With BGH’s interpretation of the TMG, most websites are now required to update their cookie consent banners to meet the new rules for consent.

Pre-ticked check boxes for cookies or implicit consent with consent banner texts: “We use cookies – if you continue to use our website, you agree to the use of cookies” are no longer allowed for.

Continued use of a website does not constitutes active or explicit consent. Cookies can only be set by a website, if the user is informed about cookies and has given an active indication to accept cookies – a yes or a no to cookies.

*Necessary cookies do not require consent. These are cookies which are technically necessary for a website to function. Necessary cookies are typically shopping cart cookies, login cookies, language preference on multilingual websites or cookies which store cookie consents.

What constitutes valid consent to cookies?

First, is the decision only about cookies? No.

Although the BGH only speaks of cookies, the judgement goes further and affects technologies that store and read data on users’ devices (cookies, pixels, JavaScripts, SDKs, fingerprints, web beacons). However, all these technologies are grouped under the more well-known term: cookies.

A cookie consent can only be obtained with a cookie pop-up (or banner) in which the user has the possibility to reject cookies; where cookies are not “accepted” by default (pre-checked) and where consent is as easy to withdraw as it is to give.

how a cookie pop up collects valid consent GDPR eprivacy

Consent must be declared by clicking on an accept button and checkboxes must as default be set un-ticked. Opt-out options are no longer permitted.

To document consent, it is necessary to store the collected user consents. Make sure your cookie banner or cookie solution stores your users' consents for 5 years. 

What are the consequences for non-compliance?

Failing to comply with the new requirements comes with a risk.

First, the supervisory authorities are likely to take a closer look at non-compliant websites. This regardless of an inspection is the result of a consumer complaint or by an unsolicited visit.

Second, non-compliance may not only bear the risk of warnings and fines, but also bad publicity.

The fines for not complying with the processing of personal data using cookies are rather high. According to the General Data Protection Regulation (GDPR) fines are issued at €20M or 4% of the annual global turnover, also for non-compliance to cookies.

How can your website collect valid consent?

When it comes to informing users of cookies, collecting and storing valid consent, you should use a certified Consent Management Platform.

With a Consent Solution from Cookie Information, your website gets a consent pop-up that:

Cookie Information's consent pop-up

  • Informs your visitors of cookies (who owns them; their purpose; lifespan)
  • Provides your visitors with the option to decline cookies (and tracking)
  • Holds back cookies before consent is obtained
  • Does not assume consent with pre-ticked boxes
  • Collects and stores consents for 5 years (in case of inspection by DPA).

Your website gets a cookie banner which can be customized with company logo and colors.

Moreover, Cookie Information stores every single consent for 5 years, so your company can document consents to the Data Protection Authorities.

With Cookie Information’s Cookie Consent Solution your website will meet the requirements of the decision made by the Bundesgerichtshof.

book a meeting with jonas