On november 14, 2019, the supervisory authorities of Berlin, Brandenburg, Hamburg, Hesse, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Saarland, Saxony, Schleswig-Holstein, Thuringia, Bavaria, and the Federal Commissioner for Data Protection and Freedom of Information issued substantively identical press releases, stating that website operators must obtain user consent for integrated third-party services.
What is the Background?
As early as October 1, 2019, the ECJ ruled in a preliminary ruling procedure that a website operator requires user consent for the storage of or access to information.
Initially, the ECJ's judgment had and continues to have direct implications only for the parties to the proceedings. However, it was expected since then that national supervisory authorities would use this judgment as an opportunity to align their own auditing practices accordingly. This has now occurred.
How Have the Supervisory Authorities Positioned Themselves?
The supervisory authorities have stated that third-party services integrated into websites can only be legally operated for proprietary purposes if user consent is obtained. Google Analytics is an example of such a service.
Website operators should therefore audit their websites for third-party content and tracking mechanisms. The supervisory authorities' position is both explicit and severe:
Any party utilizing features that necessitate consent must either acquire said consent or remove the feature. Consent is only valid if users provide explicit and informed agreement.
The supervisory authorities further assert that many website operators, through commonly deployed “cookie banners,” imply that continued browsing on the website signifies consent through conclusive action. According to the supervisory authorities, “cookie banners” of this nature are unlawful under data protection law! Moreover, pre-ticked boxes in consent declarations are also impermissible. The latter, inter alia, formed the basis of the ECJ's decision of October 1, 2019.
What issues have the supervisory authorities not addressed?
Regrettably for website operators, the supervisory authorities have not yet clarified their stance on whether technically essential cookies require consent. Based on the ECJ's decision of October 1, 2019, even technically necessary cookies are subject to consent requirements.
Conversely, the guidance for telemedia providers issued by the Conference of Independent Data Protection Supervisory Authorities in March 2019 states that the use of cookies is not inherently subject to consent (p. 9 of the guidance). Therefore, a definitive position from the supervisory authorities on technically necessary cookies would be both desirable and essential.
Do the authorities also provide solutions?
The guidance for telemedia providers, published by the Conference of Independent Data Protection Supervisory Authorities in March 2019 (Download), enables website operators to ascertain the conditions under which tracking of website visitors is permissible.
However, the supervisory authorities explicitly stress that older publications, such as those concerning Google Analytics, are no longer applicable due to significant changes in the legal landscape and processing methodologies.
Source:
https://www.bfdi.bund.de/DE/Infothek/Pressemitteilungen/2019/26_WebtrackingEinwilligung.html
GoldbergUllrich Attorneys at Law 2019
Julius Oberste-Dommes LL.M. (Information Law)
Lawyer and specialist attorney for information technology law
