On cookie diet—marketing, websites, tracking, cookies and privacy protection—notes and recommendations regarding the Planet49 ECJ judgment of 1/10/2019

by ,
Attorney-at-law in Erlangen


We're getting down to the nitty gritty, or addressing the sweet temptation at least. The Planet49 case gave the European Court of Justice a possibility to discuss the question of technical cookies. It decided cookies require consent as long as they are not necessary for the provision of the service—which leaves a bitter aftertaste for the marketing industry. This article outlines the background and need for action.

Yes, I want cookies. - Is everything allowed here?
What are the requirements to use cookies? How to validly ask for consent?

The handling of cookies and similar data storage approaches has been controversial for a long time. The widely spread opinion said that Germany had not implemented European legal requirements well, but many lawyers argued that the situation ultimately led to cookies themselves being permitted in Germany without any significant restrictions and only general privacy requirements applied. This changes with the judgment of the European Court of Justice in the matter of "planet49". The ruling echoes loudly through the office halls of data protectors, lawyers, but also marketing experts—because, in short, it says: no cookies without explicit, clear consent (in many cases, that is).

The verdict concretely provides the following findings:

Conversely, this also means:

Unchanged remains...

Legal proceeding and background

Legal action was initiated by a federal customer protection association, the Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e. V. against the lottery provider planet49 GmbH at the district court of Frankfurt am Main as first instance. In the appeal, the German Federal Court of Justice (BGH, Bundesgerichtshof) dealt with the issue under file number I ZR 7/16 and decided to refer concrete legal questions to the European Court of Justice (German; external link to the website of the Federal Court of Justice)—its decision was published on 1 Oct 2019 (external link to the website of the European Court of Justice). The ruling concerns the question of whether applicable laws differentiate between personal and non-personal data, as well as the concrete requirements for the design of consent and the scope and presentation of the information provided.

Evaluation of the decision

The decision is far from surprising, basically. Other EU countries have had stricter requirements for a long time. It was only a matter of time for the European Court of Justice to decide and to raise the bar of requirements. So far, so good. However, the law governing cookies is outdated and should have been replaced by new provisions at the same time as the GDPR becoming fully effective. But the political process came to a standstill before the law's enactment, so that we now face two applicable laws that were not coordinated with each. We are experiencing serious practical difficulties in not being able to reach political agreement. In many ways, the law is not the best instrument to regulate the issues either—a technical standard of consent that is legally approved would be a superior solution.

The interpretation of the European Court of Justice is, by the way, in line with what the German Data Protection Conference has been advocating for some time and also with what it advocated in its Orientation support for providers of telemedia (Orientierungshilfe für Anbieter von Telemedien, external link to the Data Protection Conference website).

That the topics covered by the ruling can be judged very differently depending on the situation is one of the aspects I deem problematic. The transfer of data to third parties, for example, is very relevant in the context of Third Party Cookies. A solid evaluation could take into account differences between own first-party cookies and sharing data with third parties. Privacy protection is only relevant regarding personal and attributable data but its application is now extended to all data, but legal interpretation is farther-reaching and covers non-personal data, too. At the same time, it does not follow the path all way down. But that's the situation we're facing and we'll have to live with it.

Screenshot of the website of the European Court of Justice with a cookie banner that presumably does not meet the self-imposed requirements
At least my understanding is that the European institutions apply different standards at the time of issuing the judgment. The European Court of Justice writes in its own cookie message simply "We also use statistical analysis tools" and then has a button with the inscription "I have read it" and another under the title "More information", which links to the privacy statement. The way I interpret the judgment, however, is exactly the practice he wants to prohibit website operators from doing. On the other hand, the two-click solution for playing videos is exemplary.

Website operators should critically question their handling of data storage and cookies. This applies in particular to operators of business pages, but also to others. Depending on the situation, the best way may be to avoid cookies and advanced data processing. If cookies are technically necessary to keep the site functional (not to read as: optimized), they are permitted to a certain extent (an individual case check remains necessary). In the future, consent will be required for access statistics - as we have practiced from the outset on our alliance's site, for example.

The request for consent must be clear and requires active, confirmatory action on the part of the user. For example, this could be done by a query as follows:

We would like to know what is important to you. For this purpose, we would like to create pseudonymous statistics about the user behaviour on our website. Please let us know whether you are fine with us using a cookie to re-identify you. [[If data is passed on, please add description, incl. Potential recipients.]]
For further information, please have a look at our privacy policy.
[[Consent button]] [[Rejection button]]

It is of thorough importance that both consent and rejection are possible.

Questions and answers

For the sake of clarity, the questions and answers in a separate document are presented.

Authorities' statements

For all those who wish to obtain information directly from the supervisory authorities, we share the following links to opinions without claiming to be exhaustive. Please note that the authorities also present their own legal opinions—often this is a convincing interpretation, but not necessarily always. Sometimes they just highlight individual aspects and others hardly appear or do not appear at all.


For your convenience, we offer the following documents:

Next steps and our offers

The most important thing now is to see for yourself what you're doing in the context of cookies—and compare that with the new requirements. I, Rechtsanwalt Cevc from Erlangen, advise on IT law and data protection and thus also on these topics, if you would like to clarify border issues or a specific assessment of your individual case.

Disclaimer: This text presents a simplified overview of the topic. It neither constitutes legal advice nor does it replace such advice.