In principle, Internet users must actively consent to the storage of cookies on their computer. In its decision of 28 May 2020, the Federal Court of Justice (BGH) in Germany confirmed the ruling of the European Court of Justice (ECJ) from October 2019.
Website operators under obligation
According to the decision of the German BGH (BGH, Urt. v 28.05.2020, Az. I ZR 7/16), website operators must generally obtain the active consent of the users for data processing – this applies to the setting of cookies as well as to advertising and tracking. It is therefore no longer sufficient if users simply do not object to this procedure (opt-out).
The “Cookie Judgement” of the ECJ
The Federation of German Consumer Organisations (vzbv) had brought an action before the ECJ against the German online lottery provider “Planet49”. The lottery provider had obtained advertising consent from the participants, among other things also for setting cookies. The Federal Court of Justice took the “Planet 49 proceedings” as an opportunity to submit various questions to the European Court of Justice, which also have a comprehensive effect beyond this particular case.
In October 2019, the ECJ ruled that pre-set boxes do not constitute effective consent. GDPR requires active action in the context of granting effective consent. Therefore, no effective consent can be derived from “non-action”.
Implementation in national law
The BGH has now decided that § 15 (3) sentence 1 TMG (e-Privacy) can be interpreted in conformity with the Directive. The consent to “not absolutely necessary” cookies required under Art. 5 para. 3 e-Privacy Directive could be derived from Art. 15 para. 3 sentence 1 TMG. Furthermore, if consent is not given, an objection would automatically exist. Furthermore, the BGH decision states that the interpretation in conformity with the Directive – Section 15 (3) German Telemedia Act in conjunction with Art. 95 DSGVO – is to be applied with priority over the provisions of the DSGVO.
Furthermore, the BGH also followed the other requirements of the ECJ with regard to the questions of whether, when and how the consent of the user must be obtained.
The central question here is whether the storage of information in or access to the terminal device is “absolutely necessary” in order to provide the user with a service he or she desires.
What are the consequences for website operators?
No effective consent is required for all cookies that are absolutely necessary. The “necessary cookies” include those that are in the interest of the user, such as “shopping cart cookies” or “Remember Me cookies”.
For all cookies that are not “absolutely necessary”, an effective consent is required. Users themselves must give their consent by ticking the appropriate box and confirming it. In future, therefore, consent must be obtained from the website operator for all cookies from the areas of tracking, analysis and statistics. A cookie banner must block the cookies before the user has given his or her consent.
It can be said that the extensive requirements in connection with cookies, tracking and the documentation of consent can be implemented most effectively in practice via so-called content tools in the context of a legally compliant data protection declaration.
Dr. Stefanie Schneider
Electric mobility: charging infrastructure getting more extensive
The new decade is all about climate protection – and one of the major challenges we face is climate-friendly (electric) mobility. The new EU emissions target, which comes into force in 2021.
Cool title – no applicants? Sorting the good ads from the bad
Skills shortages, the talent war and demographic change – all excellent choices for a round of buzzword bingo as played by HR specialists. The job market’s not getting any easier for employers.