Tracking cookies under attack in Germany – DPA announces first fines

Tracking cookies under attack in Germany – DPA announces first fines

Consumer Organizations are stepping up the fight against user tracking without consent. First legal proceedings may be under way for unlawful use of tracking cookies. German Data Protection Authorities also looking to impose fines against violations to the GDPR.

This week, The Federation of German Consumer Organizations (VZBV) filed a formal complaint against eight media companies because of their user tracking methods on their websites.

This was stated by Data Protection Expert Ute Bernhardt from the Consumer Center Saxony-Anhalt at the Network Conference Media Competence on October 22, 2019 in Halle (near Leipzig), online magazine reports.

Currently, the VZBV have no further comments regarding the complaint, yet it should concern ePrivacy violations, such as missing consent for accessing/storing cookies on users’ devices as well as failing to inform users of data processing by cookies (Article 12, 13 and 26 of the GDPR).

GDPR Article 12, 13 and 26

Article 12: Transparent information, communication and modalities

Article 13: Information to be provided where personal data are collected from the data subject

Article 26: Joint controllers

Germany tightens the grip on cookies and online tracking

The complaint comes in the wake of the European Court of Justice’s (ECJ) ruling against German online lottery website Planet49. Here the ECJ stated that storing and retrieving cookies requires the user’s active consent.

Link: ECJ ruling against Planet49 – cookies require active consent

However, it’s not the first German clash with tracking cookies.

In April 2019, the DSK (Conference of German Data Protection Authorities) released stricter requirements for the use of cookies and how to collect valid consent.

The authorities made it clear that users shall be provided with a real choice regarding cookies. An ‘OK’ button is not sufficient for collecting valid consent.

Also, tracking may only start after the user has actively given consent (e.g. by accepting cookies). All cookies, tools and scripts must be deactivated until valid consent is obtained.

Bavarian Data Protection Authority to impose fines

According to, the Bavarian Data Protection Authority (BayLDA) meanwhile announces that it will begin issue the first fines against a number of companies.

Earlier this year, the BayLDA investigated 40 company websites’ cookie consent solutions, only to find poor results and lack of compliance to ePrivacy and GDPR.

The authority expects, among other, that websites will collect valid consent if they use tracking tools from third-party providers such as Google’s advertising network (e.g. Google Analytics), or hidden ‘pixels’ such as Facebook Pixel.

Should the affected media not respond to the warning by the VZBV and, for example, sign a declaration of discontinuance, it should come to legal proceedings.

Is your website ePrivacy and GDPR compliant?

Cookie compliance is now top of mind of every company website operator. But is your website compliant with current regulations by national and European bodies?

You can easily test your level of cookie compliance. Cookie Information provides companies with a professional assessment of their website’s GPDR cookie compliance. Completely free.

Test your website here or fill the form in the sidebar (below on mobile).