What is the BGH decision on cookies about?
Here we go through the decision and the impact it will have for German websites.
This is the decision by the German Bundesgerichtshof (BGH) on May 28th, 2020, on the requirements for placing cookies on internet users’ end-devices (computers, smartphones, tablets).
The BGH ruling follows the decision by the European Court of Justice (CJEU) in the same case against German website lottery Planet49.
The decision confirms that consent is not valid, if it is obtained using pre-ticked checkboxes or if the consent is obtained implicitly.
- 2013 – The issue of consent was first raised by the Federation of German Consumer Organizations (VZBV).
- 2017 – BGH suspends the proceedings and sent the decision in the hands of the European Court of Justice (CJEU).
- 2020 – on May 28th, the BGH gives its decision in the case against lottery website Planet49, which follows the direction of the CJEU.
It has long been unclear, whether – and how – consent for cookies was to be obtained when looking solely at the German Telemedia Act (TMG).
Whereas the TMG previously could be understood in such a way that the user only had to be able to object to cookies, this is no longer the case.
“The service provider may create user profiles
for the purposes of advertising, market research…
unless the user objects”
Telemedia Act (TMG) §15 Data Usage
For website operators this results in the obligation to obtain an active and explicit consent for it to be valid.
EPRIVACY DIRECTIVE 2002/58/EC – ART.5(3)
Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/ 46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller.
With BGH’s interpretation of the TMG, most websites are now required to update their cookie consent banners to meet the new rules for consent.
Continued use of a website does not constitutes active or explicit consent. Cookies can only be set by a website, if the user is informed about cookies and has given an active indication to accept cookies – a yes or a no to cookies.
*Necessary cookies do not require consent. These are cookies which are technically necessary for a website to function. Necessary cookies are typically shopping cart cookies, login cookies, language preference on multilingual websites or cookies which store cookie consents.
What constitutes valid consent for cookies?
First, is the decision only about cookies? No.
A cookie consent can only be obtained with a cookie pop-up (or banner) in which the user has the possibility to reject cookies; where cookies are not “accepted” by default (pre-checked) and where consent is as easy to withdraw as it is to give.
Consent must be declared by clicking on an accept button and checkboxes must as default be set un-ticked. Opt-out options are no longer permitted.
To document consent, it is necessary to store the collected user consents. Make sure your cookie banner or cookie solution stores your users’ consents for 5 years.
WHAT ARE THE CONSEQUENCES FOR NON-COMPLIANCE?
Failing to comply with the new requirements comes with a risk.
First, the supervisory authorities are likely to take a closer look at non-compliant websites. This regardless of an inspection is the result of a consumer complaint or by an unsolicited visit.
Second, non-compliance may not only bear the risk of warnings and fines, but also bad publicity.
The fines for not complying with the processing of personal data using cookies are rather high. According to the General Data Protection Regulation (GDPR) fines are issued at €20M or 4% of the annual global turnover, also for non-compliance to cookies.