At 14.11.2019, the supervisory authorities of Berlin, Brandenburg, Hamburg, Hesse, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Saarland, Saxony, Schleswig-Holstein, Thuringia, Bavaria and the Federal Commissioner for Data Protection and the Federal Commissioner for Data Protection and Freedom of Information that website operators must obtain the user's consent for integrated third consent of the user for integrated third-party services.
What is the background?
Already on 01.10.2019, the ECJ has ruled in a preliminary ruling that a website operator is liable for the information or access to information requires the consent of the user. the consent of the user.
The ruling of the ECJ has had and continues to have direct effects ECJ initially only for the litigants. Since then, however, it was to be expected expected that the national supervisory authorities would take this judgement as an opportunity to their own examination practice. This has now happened.
How have the supervisory authorities positioned themselves?
The supervisory authorities state that third-party services services integrated into websites can only be legally operated for their own purposes only if the consent of the user is obtained. Among Google Analytics, for example, is one such service.
Website operators should therefore check their website for third party content and tracking mechanisms. The tenor of the supervisory authorities is as clear as it is drastic:
Anyone who uses functions that require consent, must either obtain consent or remove the function. Consent is only effective if the users give their clearly and informedly consent.
The supervisory authorities go even further: many website operators communicate through frequently used "cookie banners" that that simply continuing to surf on the website is consent by conclusive behaviour. behaviour. In the opinion of the supervisory authorities, "cookie banners" of this kind are inadmissible under data protection law! Finally, pre-checked boxes in consent forms are also inadmissible. declarations of consent. The latter were, among other things, the subject of the decision of the ECJ of 01.10.2019.
What have the supervisory authorities not positioned themselves to do?
From the point of view of website operators, it is unfortunate that the Unfortunately, the supervisory authorities have not taken a position on the subject of technically necessary cookies. According to the wording of the decision of the ECJ of 01.10.2019, technically necessary cookies are also also require consent.
According to the Guidance for Telemedia Providers of the Conference of Independent Data Protection Supervisory Authorities from March 2019, the use of cookies does not require consent per se (p. 9 of the guidance). consent is required (p. 9 of the guidance). A positioning of the authorities on the subject of technically necessary cookies would therefore be desirable and also necessary.
Do the authorities alsooffersolutions?
With the guidance for telemedia providers from the Conference of Independent Data Protection Authorities from March 2019(download) website operators can find out under which conditions tracking of website tracking of website visitors is permissible.
However, the supervisory authorities expressly emphasise, that older publications by the supervisory authorities, for example on the subject of Google Analytics, no longer apply. Analytics, no longer apply, as the legal situation and the processing processing procedures have changed significantly.
Source:
https://www.bfdi.bund.de/DE/Infothek/Pressemitteilungen/2019/26_WebtrackingEinwilligung.html
GoldbergUllrich Attorneys at Law 2019
Julius Oberste-Dommes LL.M. (Information Law)
Lawyer and specialist attorney for information technology law
