No cookies without explicit user consent

Blog
The German Federal Court of Justice (BGH) has officially issued its requirements for the use of cookies and other telemarketing activities. The decision marks a paradigm shift for website operators now having to update their cookie pop-ups and privacy policies.
Table of Contents

What is the BGH decision on cookies about?

Does your website use cookies? Then there are major changes in Germany on how to obtain valid consent to cookies. Here we go through the decision and the impact it will have for German websites. Any website in Germany that wants to use cookies for other than strictly necessary purposes may only do so with the active and explicit consent from the website user. This is the decision by the German Bundesgerichtshof (BGH) on May 28th, 2020, on the requirements for placing cookies on internet users’ end-devices (computers, smartphones, tablets). The BGH ruling follows the decision by the European Court of Justice (CJEU) in the same case against German website lottery Planet49. The decision confirms that consent is not valid, if it is obtained using pre-ticked checkboxes or if the consent is obtained implicitly. LINK: Official decision by the German Bundesgerichtshof (BGH)

Timeline

  • 2013 – The issue of consent was first raised by the Federation of German Consumer Organizations (VZBV).
  • 2017 – BGH suspends the proceedings and sent the decision in the hands of the European Court of Justice (CJEU).
  • 2019 – On October 1, the CJEU gives its judgements in the now famous case against German website lottery Planet49 on the validity of consent for the use of cookies.
  • 2020 – on May 28th, the BGH gives its decision in the case against lottery website Planet49, which follows the direction of the CJEU.

What effect will the BGH ruling have on the use of cookies?

It has long been unclear, whether – and how – consent for cookies was to be obtained when looking solely at the German Telemedia Act (TMG).

Whereas the TMG previously could be understood in such a way that the user only had to be able to object to cookies, this is no longer the case.

“The service provider may create user profiles
for the purposes of advertising, market research…
unless the user objects”

Telemedia Act (TMG) §15 Data Usage

With the decision, the BGH stated that Section 15(3) of the German Telemedia Act is to be interpreted in line with Article 5(3) of the ePrivacy Directive. This means that the use of cookies for advertising or market research requires the consent of the user.

For website operators this results in the obligation to obtain an active and explicit consent for it to be valid.

EPRIVACY DIRECTIVE 2002/58/EC – ART.5(3)

Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/ 46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller.

With BGH’s interpretation of the TMG, most websites are now required to update their cookie consent banners to meet the new rules for consent.

Pre-ticked check boxes for cookies or implicit consent with consent banner texts: “We use cookies – if you continue to use our website, you agree to the use of cookies” are no longer allowed for.

Continued use of a website does not constitutes active or explicit consent. Cookies can only be set by a website, if the user is informed about cookies and has given an active indication to accept cookies – a yes or a no to cookies.

*Necessary cookies do not require consent. These are cookies which are technically necessary for a website to function. Necessary cookies are typically shopping cart cookies, login cookies, language preference on multilingual websites or cookies which store cookie consents.

What constitutes valid consent for cookies?

First, is the decision only about cookies? No. Although the BGH only speaks of cookies, the judgement goes further and affects technologies that store and read data on users’ devices (cookies, pixels, JavaScripts, SDKs, fingerprints, web beacons). However, all these technologies are grouped under the more well-known term: cookies. A cookie consent can only be obtained with a cookie pop-up (or banner) in which the user has the possibility to reject cookies; where cookies are not “accepted” by default (pre-checked) and where consent is as easy to withdraw as it is to give.
Link: What are the rules on cookies?

Consent must be declared by clicking on an accept button and checkboxes must as default be set un-ticked. Opt-out options are no longer permitted.

To document consent, it is necessary to store the collected user consents. Make sure your cookie banner or cookie solution stores your users’ consents for 5 years. 

WHAT ARE THE CONSEQUENCES FOR NON-COMPLIANCE?

Failing to comply with the new requirements comes with a risk.

First, the supervisory authorities are likely to take a closer look at non-compliant websites. This regardless of an inspection is the result of a consumer complaint or by an unsolicited visit.

Second, non-compliance may not only bear the risk of warnings and fines, but also bad publicity.

The fines for not complying with the processing of personal data using cookies are rather high. According to the General Data Protection Regulation (GDPR) fines are issued at €20M or 4% of the annual global turnover, also for non-compliance to cookies.