In principle, Internet users must actively consent to the storage of cookies on their computer. In its decision of 28 May 2020, the Federal Court of Justice (BGH) in Germany confirmed the ruling of the European Court of Justice (ECJ) from October 2019.

Website operators under obligation

The ECJ had declared the previously common opt-out procedure for the use of cookies on websites to be inadmissible. This means that website operators are still obliged to ensure the legally compliant implementation of the relevant requirements by means of content tools and cookie banners.

According to the decision of the German BGH (BGH, Urt. v 28.05.2020, Az. I ZR 7/16), website operators must generally obtain the active consent of the users for data processing – this applies to the setting of cookies as well as to advertising and tracking. It is therefore no longer sufficient if users simply do not object to this procedure (opt-out).

A pre-filled consent form in which users have to remove a check mark if they do not wish to use cookies has already been considered inadmissible by the ECJ. No effective consent is given by means of such presettings. According to the ruling of the BGH, this also applies to cookies which, for example, serve to analyse access figures if they are used to create user profiles. Website operators should therefore check the use of cookies and the corresponding guidelines.


The “Cookie Judgement” of the ECJ

The Federation of German Consumer Organisations (vzbv) had brought an action before the ECJ against the German online lottery provider “Planet49”. The lottery provider had obtained advertising consent from the participants, among other things also for setting cookies. The Federal Court of Justice took the “Planet 49 proceedings” as an opportunity to submit various questions to the European Court of Justice, which also have a comprehensive effect beyond this particular case.

In October 2019, the ECJ ruled that pre-set boxes do not constitute effective consent. GDPR requires active action in the context of granting effective consent. Therefore, no effective consent can be derived from “non-action”.

It is irrelevant whether cookies represent personal data. Since the GDPR came into force, this has become all the more important, especially due to the extended scope of the e-Privacy Directive. Furthermore, the user must be provided with information on the “controller” for processing in good faith. In addition to the general data protection declaration, this should also contain information on the identity of the controller(s) and on the purpose for which the data are processed. Necessary information which must be made available to users in connection with the use of cookies is also information on the duration of the function of the cookies and whether “third parties” can gain access to the cookies.

Implementation in national law

According to the European Court of Justice, regulations on the use of cookies must be designed and applied uniformly throughout Europe. Until now, this was not clear, as the EU requirements have not been anchored accordingly in German law. The directive generally provides for an opt-in procedure. However, the German legislator already saw the cookie information obligations implemented in conformity with European law through § 15 Telemediengesetz (TMG). However, the TMG has so far allowed an opt-out solution – in contrast to the corresponding provision of the e-Privacy Directive – as sufficient.

The BGH has now decided that § 15 (3) sentence 1 TMG (e-Privacy) can be interpreted in conformity with the Directive. The consent to “not absolutely necessary” cookies required under Art. 5 para. 3 e-Privacy Directive could be derived from Art. 15 para. 3 sentence 1 TMG. Furthermore, if consent is not given, an objection would automatically exist. Furthermore, the BGH decision states that the interpretation in conformity with the Directive – Section 15 (3) German Telemedia Act in conjunction with Art. 95 DSGVO – is to be applied with priority over the provisions of the DSGVO.
Furthermore, the BGH also followed the other requirements of the ECJ with regard to the questions of whether, when and how the consent of the user must be obtained.

The central question here is whether the storage of information in or access to the terminal device is “absolutely necessary” in order to provide the user with a service he or she desires.

What are the consequences for website operators?

No effective consent is required for all cookies that are absolutely necessary. The “necessary cookies” include those that are in the interest of the user, such as “shopping cart cookies” or “Remember Me cookies”.
For all cookies that are not “absolutely necessary”, an effective consent is required. Users themselves must give their consent by ticking the appropriate box and confirming it. In future, therefore, consent must be obtained from the website operator for all cookies from the areas of tracking, analysis and statistics. A cookie banner must block the cookies before the user has given his or her consent.

In conclusion:

It can be said that the extensive requirements in connection with cookies, tracking and the documentation of consent can be implemented most effectively in practice via so-called content tools in the context of a legally compliant data protection declaration.


Dr. Stefanie Schneider

Dr. Stefanie Schneider

Security Consultant

Stefanie Schneider is a Security Consultant (Data Protection Department) in the “Mastering Risk and Compliance” department of TÜV Rheinland i-sec GmbH. In her function as external data protection officer (eDSB) she advises various companies in the production and service sectors. Stefanie Schneider is a certified company data protection officer (GDDcert EU), PC network specialist and certified MCSE, MCPI and CNA.

More Posts

electric mobility

Electric mobility: charging infrastructure getting more extensive

The new decade is all about climate protection – and one of the major challenges we face is climate-friendly (electric) mobility. The new EU emissions target, which comes into force in 2021.


Cool title – no applicants? Sorting the good ads from the bad

Skills shortages, the talent war and demographic change – all excellent choices for a round of buzzword bingo as played by HR specialists. The job market’s not getting any easier for employers.

Digital trends in 2020: ideas for making businesses more secure

How secure are the smart systems in our homes? How can we ensure that tomorrow’s digital solutions in the logistics, automotive and healthcare industries are secure from cyber attacks?