Cookies & Co. before the de facto end?

New guidance from the Data Protection Conference (DSK) and upcoming ECJ decision on cookies.

Photo credits: nanuvision – fotolia.com

There has long been discussion as to whether the use of cookies and other technologies for the purposes of web analysis, tracking and individualised advertising requires the active consent of those concerned or whether this can also be based on a legitimate interest. Both the Advocate General at the ECJ and the German Data Protection Conference (DSK) have recently commented on this question. Both statements essentially argue that a consent is required and that a legitimate interest should no longer be sufficient in the vast majority of cases.

So far, in the German practice, consent has frequently not been obtained with reference to Section 15 (3) of the German Telemedia Act (TMG) and an opt-out solution has been practiced. Alternatively, so-called cookie consent banners are frequently used, which attempt to derive consent from the fact that the person concerned does not actively object.

Dispute before the European Court of Justice

Planet49 GmbH and the Bundesverband der Verbraucherzentralen e.V. (Federation of German Consumer Organisations) (Rs C-673/17) are in dispute before the European Court of Justice as to whether it is necessary to obtain active consent for the use of cookies.

On 21 March 2019, the Opinion of Advocate General Maciej Szpunar on the aforementioned matter gave a foretaste of the possible decision of the ECJ. The Advocate General stated that the ePrivacy Regulation and the GDPR require service providers to obtain consent for the use of cookies. However, this consent could not be obtained through a pre-selected checkbox. In addition, users would have to be informed about the function duration of cookies as well as whether third parties have access to the cookies (so-called third party cookies).

The opinion of the Advocate General is of particular importance since the ECJ - at least so far - generally follows the Opinion of the Advocate General. The consequence of such a decision would be that in any new dispute on the cookie issue the national courts would have to take into account the case law of the ECJ.

Guideline of theGerman Data Protection Conference (DSK)

Against this background, the guideline for providers of telemedia services (in German only) published on 5 April 2019 by the Data Protection Conference (DSK), in which the Conference of the Federal and State Data Protection Supervisory Authorities express their views on the question of consent for cookies, among other things, is particularly relevant. Also from the point of view of the DSK, an opt-out procedure for consent against the background of recital 32 GDPR is not sufficient. The Supervisory Authorities even expressly demand that when the website is opened in the cookie banner, all processing operations requiring consent must be explained and activated via a selection menu, stating the actors involved and their functions. In addition, they make it clear that the selection options must not be “activated” by default. While the banner is displayed, all further scripts of a website or web app that potentially collect user data should be blocked by technical measures. Only with active consent may data processing actually begin.

In its paper, the DSK also commented on and rejected the question of the applicability of the data protection provisions of the TMG since the GDPR came into force. In principle, these provisions could only apply alongside the GDPR if they were transpositions of the ePrivacy Directive (2002/58/EC). DSK does not see the prerequisites for this as given.

In its guideline, DSK makes extensive execution a legitimate interest pursuant to Art. 6 (1) lit. f) GDPR. The Supervisory Authorities do acknowledge that there may be a legitimate interest, for example, in a range measurement or in statistical analyses. In the context of weighing up the rights of the data subjects, however, they attach great importance to the latter. As criteria for weighing interests, the Supervisory Authorities take into account, among other things, reasonable expectations of the persons concerned and transparency, possibilities of intervention by the person concerned, concatenation of data, actors involved, duration of observation, group of persons concerned, data categories and extent of data processing, and emphasise that the respective recitals of the GDPR should be used in this respect.

As a concrete example of range measurement, it is cited that the weighing of interests in favour of the website operator responsible would fail if only statistical data were used for the measurement and no extensive profiling and transfer of data to third parties took place, as this would then be foreseeable for the user. As regards the weighing of interests when using tracking pixels of social networks, DSK explains in detail that the rights of the data subjects outweigh the interests of the website operators, since the average user of social networks is not aware of the profile formation by the operators through the integration of “invisible” pixels, has no possibility to object and usage data is stored over a longer period of time for profile formation.

Opinion

In our opinion, the views of the Advocate General and the DSK are extremely strict and the implementation of all requirements for the design of the telemedia services is often impractical. However, the implementation brings more clarity to the long-standing discussion, especially with regard to the relationship between the GDPR and the TMG. It is therefore very important for website operators and other providers of telemedia to consider the views of the supervisory authorities and take these into account when designing the website / web app.

The criteria for the weighing of interests cited by the supervisory authorities enable both the providers of telemedia services and the developers of applications for measuring reach, analysing user behaviour or taxing advertising to evaluate their services on the basis of the criteria established, to make adjustments if necessary or to document their own arguments for a different outcome to the weighing of interests. The question of the admissibility of the use of cookies & co. will remain an individual case decision. We do not expect the ePrivacy Regulation to provide any new impetus in the short term. Even if the European Council were to announce its position on the points at issue in June, the elections and the subsequent Trilogue will prevent a rapid agreement and application of the ePrivacy Regulation.

Practical tip:

In the light of the opinion of the Advocate General and the guideline provided by the DSK, we expect that more differentiated solutions for consent will be required in the short term. A blanket “By using the site, you agree to all cookies” will no longer be sufficient (if it ever has been). We therefore recommend to check the use of cookies and tracking techniques and to adjust to the fact that active user consent will be required much more frequently than before. It is also likely that the information texts will have to be revised in order to create the required transparency. Both free and paid tools offering active Consent Management are available on the market. Many of these tools allow you to launch the website with cookies disabled and simple consent settings.