On cookie diet—marketing, websites, tracking, cookies and privacy protection—notes and recommendations regarding the Planet49 ECJ judgment of 1/10/2019
We're getting down to the nitty gritty, or addressing the sweet temptation at least. The Planet49 case gave the European Court of Justice an opportunity to discuss the question of technical cookies. It decided that cookies require consent as long as they are not necessary for the provision of the service—which leaves a bitter aftertaste for the marketing industry. This article outlines the background and the need for action.
Updated legal evaluation
The handling of cookies and similar data storage approaches has been controversial for a long time. The widely held opinion was that Germany had not implemented European legal requirements well, but many lawyers argued that the situation ultimately led to cookies themselves being permitted in Germany without any significant restrictions, with only general privacy requirements applying. This changes with the judgment of the European Court of Justice in the matter of "planet49". The ruling echoes loudly through the office halls of data protectors, lawyers, but also marketing experts—because, in short, it says: no cookies without explicit, clear consent (in many cases, that is).
The verdict concretely provides the following findings:
- The legal framework is such that the use of technically unnecessary cookies requires consent.
- Consent requires active action on the part of the respective user, for the relevant case and in a concrete and explicit manner.
- Furthermore, consent is only sufficiently informed if the users can obtain concrete information about the purpose, scope and duration of the storage.
Conversely, this also means:
- The previous practice of showing a pure information banner or even only providing information in the data protection declaration is not permissible.
- ...the evaluation of technically necessary cookies and similar storage (more on this below and in the questions and answers).
Legal proceeding and background
Legal action was initiated by a federal consumer protection association, the Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e. V., against the lottery provider planet49 GmbH at the district court of Frankfurt am Main as first instance. In the appeal, the German Federal Court of Justice (BGH, Bundesgerichtshof) dealt with the issue under file number I ZR 7/16 and decided to refer concrete legal questions to the European Court of Justice (German; external link to the website of the Federal Court of Justice)—its decision was published on 1 Oct 2019 (external link to the website of the European Court of Justice). The ruling concerns the question of whether applicable laws differentiate between personal and non-personal data, as well as the concrete requirements for the design of consent and the scope and presentation of the information provided.
Evaluation of the decision
The decision is, basically, far from surprising. Other EU countries have had stricter requirements for a long time. It was only a matter of time before the European Court of Justice decided and raised the bar of requirements. So far, so good. However, the law governing cookies is outdated and should have been replaced by new provisions at the same time as the GDPR became fully effective. But the political process came to a standstill before the law's enactment, so that we now face two applicable laws that were not coordinated with each other. The failure to reach political agreement is causing serious practical difficulties. In many ways, the law is not the best instrument to regulate the issues either—a technical standard of consent that is legally approved would be a superior solution.
The interpretation of the European Court of Justice is, by the way, in line with what the German Data Protection Conference has been advocating for some time and also with what it advocated in its Orientation support for providers of telemedia (Orientierungshilfe für Anbieter von Telemedien, external link to the Data Protection Conference website).
That the topics covered by the ruling can be judged very differently depending on the situation is one of the aspects I deem problematic. The transfer of data to third parties, for example, is very relevant in the context of third-party cookies. A solid evaluation could take into account differences between a site's own first-party cookies and sharing data with third parties. Privacy protection is only relevant to personal and attributable data, but the legal interpretation is now farther-reaching and covers non-personal data, too. At the same time, it does not follow the path all the way down. But that's the situation we're facing and we'll have to live with it.
Website operators should critically question their handling of data storage and cookies. This applies in particular to operators of business pages, but also to others. Depending on the situation, the best way may be to avoid cookies and advanced data processing. If cookies are technically necessary to keep the site functional (not to be read as: optimized), they are permitted to a certain extent (an individual case check remains necessary). In the future, consent will be required for access statistics - as we have practiced from the outset on our alliance's site, for example.
The request for consent must be clear and requires active, confirmatory action on the part of the user. For example, this could be done by a query as follows:
We would like to know what is important to you. For this purpose, we would like to create pseudonymous statistics about the user behaviour on our website. Please let us know whether you are fine with us using a cookie to re-identify you. [[If data is passed on, please add description, incl. potential recipients.]]
[[Consent button]] [[Rejection button]]
It is essential that both consent and rejection are possible.
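One way to enforce this in front of every cookie write, as an added example that is not part of the original article: the statistics cookie is blocked until the consent button records an explicit "yes", and a missing decision counts as "no". The names `ConsentGate`, `COOKIE_CATALOG`, `session_id` and `stats_id` are hypothetical, and classifying a cookie as technically necessary is an assumption here that still needs the individual case check mentioned above.

```javascript
// Added example: consent gate in front of cookie writes (all names hypothetical).
const COOKIE_CATALOG = {
  // Constructed sample entries; purpose and duration are what the user is told.
  session_id: { necessary: true, purpose: "keep the login session", maxAgeDays: 1 },
  stats_id: { necessary: false, purpose: "pseudonymous usage statistics", maxAgeDays: 30 },
};

class ConsentGate {
  constructor(writeCookie) {
    this.writeCookie = writeCookie; // in a browser: (s) => { document.cookie = s; }
    this.decisions = new Map();     // cookie name -> true (consent) / false (rejection)
  }

  // Data for the consent dialog: purpose and storage duration per optional cookie.
  describeOptional() {
    return Object.entries(COOKIE_CATALOG)
      .filter(([, c]) => !c.necessary)
      .map(([name, c]) => ({ name, purpose: c.purpose, maxAgeDays: c.maxAgeDays }));
  }

  // Call only from the click handler of the consent or the rejection button.
  recordDecision(name, accepted) {
    if (typeof accepted !== "boolean") throw new TypeError("decision must be explicit");
    this.decisions.set(name, accepted);
  }

  // Returns true if the cookie was written, false if it was blocked.
  set(name, value) {
    const entry = COOKIE_CATALOG[name];
    if (!entry) return false; // cookies missing from the catalog are never written
    const allowed = entry.necessary || this.decisions.get(name) === true;
    if (!allowed) return false; // no decision yet is treated like a rejection
    const maxAge = entry.maxAgeDays * 24 * 60 * 60;
    this.writeCookie(
      `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`);
    return true;
  }
}

// Offline demonstration: an array stands in for the browser cookie jar.
function demo() {
  const jar = [];
  const gate = new ConsentGate((s) => jar.push(s));
  const before = gate.set("stats_id", "abc"); // blocked: user has not decided
  gate.set("session_id", "s1");               // written: marked technically necessary
  gate.recordDecision("stats_id", true);      // user clicked the consent button
  const after = gate.set("stats_id", "abc");  // written now
  return { before, after, jar };
}
```

The lifetime sent in `Max-Age` comes from the same catalog entry that feeds the dialog text, so the stated storage duration and the actual one cannot drift apart.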
Questions and answers
For the sake of clarity, the questions and answers are presented in a separate document.
- How to implement cookie consent correctly?
- Are classic cookie banners now pointless?
- May we assume acceptance when surfing the site or use a timer for the approval? How to give consent?
- May the declarations be prefilled, e.g. check mark already set?
- Who is affected?
- What if we do not process personal data?
- Are there any exceptions? What about cookies necessary for providing the service?
- Can I use other technologies instead of cookies, such as profiling?
- What do I need to explain to users?
- Why now? What do all the different laws have to do with each other?
- Do we not have an applicable German exception?
- May consent be coupled with other consent?
For all those who wish to obtain information directly from the supervisory authorities, we share the following links to opinions without claiming to be exhaustive. Please note that the authorities also present their own legal opinions—often this is a convincing interpretation, but not necessarily always. Sometimes they just highlight individual aspects and others hardly appear or do not appear at all.
- Data Protection Conference (Conference of Independent Federal and State Data Protection Supervisory Authorities)
Guidance by the supervisory authorities for providers of telemedia (German; external link, opens new tab)
- State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
FAQ about Cookies and Tracking (German; external link, opens new tab)
- The Hamburg Commissioner for Data Protection and Freedom of Information
Cookies also require consent in Germany (German; external link, opens new tab)
For your convenience, we offer the following documents:
- A short summary in the form of preliminary questions and concrete steps to be taken
- A table for the preparation of the admissibility check and the facts relevant for the user information
Next steps and our offers
The most important thing now is to see for yourself what you're doing in the context of cookies—and compare that with the new requirements. I, Rechtsanwalt Cevc from Erlangen, advise on IT law and data protection and thus also on these topics, if you would like to clarify borderline issues or need a specific assessment of your individual case.
Disclaimer: This text presents a simplified overview of the topic. It neither constitutes legal advice nor does it replace such advice.