Common Mistakes in Cookie Banners – and How to Avoid Them

Since the decision of the Federal Court of Justice (BGH) of May 28, 2020 (Case No. I ZR 7/16 – Cookie Consent II), the topics of cookies and consent have once again become highly topical for website and webshop operators. The BGH affirmed that cookies for advertising or market research purposes may only be used with the explicit consent of the user. This decision came as no surprise.

Of greater interest to the affected website operators is how they can implement the obligation established by the BGH.

For this purpose, many website operators employ so-called cookie banners. In this article, we outline the most common errors or misconceptions related to cookie banners:

What should a cookie banner look like? What information must be provided?

For quite some time now, website operators have been using so-called cookie notices. These notices merely inform users that cookies are (already) being used, and they frequently contain buttons such as "OK," "Agree," or simply "Close." Users cannot control the use of cookies by the website operator via these cookie notices, let alone consent to their use.

For this reason, such cookie notices do not meet the requirements of the BGH.

Is consent required for every cookie?

The answer is clear: NO!

For the deployment of technically necessary cookies, user consent is not required. You are permitted to deploy these cookies without restriction. Unfortunately, there is no clear definition of what falls under the term "technically necessary." Cookies are likely considered technically necessary if they are essential for the operation of the website and its core functionalities. Shopping cart cookies, cookies for language selection control, or login cookies are conceivable examples of technically necessary cookies.

However, caution is advised: Website operators should not attempt to simply declare advertising cookies as technically necessary and thereby avoid obtaining consent for them. This practice is unlawful and, furthermore, easily detectable. Therefore, it is strongly advised to refrain from such actions.

Are only advertising cookies concerned?

While the decision of the Federal Court of Justice (BGH) might suggest otherwise, user consent is not solely required for the use of advertising cookies.

Ultimately, users must consent to the use of any cookies or tools that either process their personal data or enable inferences about them.

As the safest approach, you should therefore obtain user consent for all cookies or tools that are not essential for the operation of your website, such as for the deployment of Google Maps, YouTube plugins, web fonts, geolocation services, or tracking tools.

When may advertising cookies begin their activity?

A cookie banner is entirely ineffective if advertising cookies are set before user consent is obtained. You must therefore technically ensure that data processing by technically non-essential cookies or similar tools only commences after the user has consented to their use.

Furthermore, do not attempt to circumvent these regulations. With freely available browser extensions such as Ghostery, uBlock, and Adblock Plus, it is quick and easy to determine which cookies or tools are being deployed (even before consent is given).

What considerations apply to the visual presentation of the cookie banner?

Cookie banners appear to users in a variety of visual designs and screen positions.

However, you must ensure that the cookie banner does not obscure access to your 'Impressum' (legal notice) or your privacy policy. Failure to do so would mean you do not comply with your obligation under Section 5 (1) TMG to make the aforementioned information easily accessible.

It is therefore advisable to include links to your Impressum and your privacy policy within the cookie banner.

Are you required to provide users with an option to withdraw consent?

The answer is: YES!

According to Art. 7 para. 3 p. 1 GDPR, users can withdraw their consent at any time. Pursuant to Art. 7 para. 3 p. 4 GDPR, withdrawal must be as straightforward as giving consent. In other words: If users can grant their consent with a single click, they must also be able to withdraw it with a single click.

Cookie banners technically provide for this withdrawal option. However, you must technically ensure that users can access the cookie settings of the cookie banner at any time and exercise their right of withdrawal. Many website operators include a corresponding link in the footer of their website for this purpose. We recommend this practice to all website operators.

Finally, you must also ensure that, following a withdrawal of consent, the respective cookies or tools cease to process data.
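The technical requirement stated above (no non-essential cookie or tool before consent, and a stop after withdrawal), sketched as an added example that is not code from the original article. The class, the tool and category names, and the 'consent' storage key are hypothetical.

```javascript
// Added example; ConsentGate, the tool names and the 'consent' key are hypothetical.
class ConsentGate {
  constructor(store) {
    this.store = store;        // needs getItem/setItem, e.g. window.localStorage
    this.tools = [];
    this.running = new Set();  // names of tools currently started
  }
  register(tool) { this.tools.push(tool); }
  // Consented categories; a missing or corrupt record counts as no consent.
  granted() {
    try {
      const v = JSON.parse(this.store.getItem('consent') || '[]');
      return new Set(Array.isArray(v) ? v : []);
    } catch (e) { return new Set(); }
  }
  // Start what is allowed, stop what is not; returns the running tool names.
  apply() {
    const ok = this.granted();
    for (const t of this.tools) {
      const allowed = t.necessary || ok.has(t.category);
      if (allowed && !this.running.has(t.name)) { t.start(); this.running.add(t.name); }
      if (!allowed && this.running.has(t.name)) { t.stop(); this.running.delete(t.name); }
    }
    return [...this.running].sort();
  }
  grant(categories) { this.store.setItem('consent', JSON.stringify(categories)); return this.apply(); }
  withdraw() { this.store.setItem('consent', '[]'); return this.apply(); }
}

// Constructed demo: in-memory store and tools that only record start/stop.
// On a real page, start() would inject the vendor script and stop() would
// remove it and delete the cookies it set.
function demo() {
  const mem = new Map();
  const store = { getItem: k => (mem.has(k) ? mem.get(k) : null), setItem: (k, v) => mem.set(k, v) };
  const log = [];
  const gate = new ConsentGate(store);
  const add = (name, category, necessary = false) => gate.register({
    name, category, necessary,
    start: () => log.push('start:' + name),
    stop: () => log.push('stop:' + name),
  });
  add('cart', 'necessary', true);   // technically necessary: runs without consent
  add('maps', 'media');
  add('tracking', 'marketing');
  const beforeConsent = gate.apply();
  const afterGrant = gate.grant(['marketing']);
  const afterWithdraw = gate.withdraw();
  return { beforeConsent, afterGrant, afterWithdraw, log };
}
```

Calling `apply()` once on page load, before any vendor script tag exists in the markup, is what keeps the pre-consent state clean; the footer link to the cookie settings would call `withdraw()` or `grant()` with the new selection.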

Special Topic: Invalidity of the EU-US Privacy Shield

The aforementioned guidelines regarding the use of cookie banners only pertain to the necessary consent under Art. 6 para. 1 lit. a), 7 GDPR.

You must additionally consider whether and, if applicable, to which country outside the EU or the European Economic Area the user's personal data is transferred.

Following the decision of the ECJ of July 16, 2020 (Case C-311/18), which is presumably known to almost all website operators, the EU-US Privacy Shield is invalid. This instrument can no longer be relied upon for data transfers to the USA. Such transfers are now only possible, if at all, through the use of so-called Standard Contractual Clauses. However, German supervisory authorities also view this practice critically for transfers to the USA (see the statement by the Conference of Independent Data Protection Supervisory Authorities of the Federation and the States from July 28, 2020).

Due to the high legal uncertainty regarding the transfer of personal data to the USA, it is advisable for website operators to refrain from using software from US providers where possible and to switch to service providers from Europe, specifically those offering data processing within Europe.

As is often the case, the devil is in the details when it comes to data protection matters. We are pleased to offer our services as consultants across the entire spectrum of IT/IP and data protection law to ensure that your web presence becomes or remains compliant with data protection regulations.

GoldbergUllrich Attorneys at Law 2020

Julius Oberste-Dommes LL.M. (Information Law)

Attorney-at-Law and Specialist Attorney for Information Technology Law