Go back to menu

German cookies set to crumble as data protection authorities intend to audit websites of media companies

Informed consent, TMG and GDPR

03 September 2020

The data protection authority of Baden Württemberg has announced that it will be carrying out comprehensive audits of websites. In a first step, the data protection authority of Baden Württemberg together with other German data protection authorities (referred to together as the "German Data Protection Authorities") plans to review highly frequented media company websites. In this context, particular attention shall be paid to the use of tracking technologies as the methods of obtaining consent are often insufficient in consideration of data protection law requirements.

Online advertising is a key source of income for a wide range of online services. Cookies and similar technologies allow multiple stakeholders to track website visitors across different websites. Information gathered on the surfing behaviour of website visitors can be analysed in order to build extensive profiles about website visitors' interests and subsequently provide them with tailored advertising. The German Data Privacy Conference (Datenschutzkonferenz, "DSK") – a panel of independent German federal and state supervisory data protection authorities – has published guidance in which it states that the General Data Protection Regulation ("GDPR") applies to the use of cookies that track usage behaviour on other websites due to the fact that Directive 2002/58/EC, as amended by Directive 2009/136/EC, ("ePrivacy Directive") was not properly implemented into German law. Legislators at the time took the view that relevant provisions already existing within the German Telemedia Act (Telemediengesetz -'TMG'), were sufficient to implement Article 5(3) of the ePrivacy Directive.

In its guidance, the DSK further points out that prior consent of the respective website visitor is usually required for the use of tracking mechanisms that make the internet behaviour of website visitors traceable. In particular, the integration of third party elements (e.g. third party cookies) which entitle the respective third party to collect information about the website visitor and to combine such information with data from other sources in order to build comprehensive user profiles requires the prior consent of the respective website visitor.

German Federal Court of Justice rules on cookie consent

Unlike the DSK, the German Federal Court of Justice (Bundesgerichtshof, "BGH") took the view in a decision dated 28 May 2020 (Az. I ZR 7/16) that the TMG does apply to the use of cookies. However, the BGH also made it clear that the TMG needs to be interpreted in accordance with Article 5(3) of the ePrivacy Directive.

In its decision, which followed a judgement of the Court of Justice of the European Union ("CJEU") in case C‑673/17 (Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH), the BGH further pointed out that informed consent within the meaning of the GDPR in the form of a declaration or other unambiguous and affirmative action must be obtained prior to data processing (e.g. before cookies are placed), irrespective of whether the information stored in the cookie contains personal data or not. An exception to this consent requirement may only exist in cases where the cookie is strictly necessary for the provision of services. Unfortunately, the decision of the BGH provides no further guidance as to the categories of cookies to which this exception applies.

Valid consent requires an unambiguous and affirmative action by an informed data subject

The judgement of the BGH demands consent in the form of a declaration or other clearly confirmatory action. Such unambiguous and affirmative action requires the website visitor at least to actively tick a checkbox, whereas consent given in the form of a preselected tick in a checkbox does not constitute valid consent. A checkbox pre-ticked by the website provider which the website visitor must deselect to refuse his or her consent carries the risk that the website visitor would not have read the information accompanying the preselected checkbox, or might not even have noticed the checkbox, before continuing with his or her activity on the website visited.[See our article: Pre-ticked boxes are not valid forms of consent under the GDPR]

In addition, valid consent requires the prior provision of clear and comprehensive information as to the tracking activities. This means that the respective website visitors must be put in a position wherefrom they can easily determine the consequences of any consent that they might give. Such information must be sufficiently detailed so as to enable the website visitor to comprehend the functioning of the cookies. The CJEU declared that the website visitor must be informed of:

  • the cookies' lifespan; and
  • whether third parties will have access to these cookies.

In addition to the information explicitly requested by the CJEU, the information should also include details of:

  • the nature of the data processed;
  • the nature of the cookies used;
  • the purposes of their use;
  • how website visitors may accept all or part of the cookies; and
  • how website visitors can change their cookie options in the future.
Cross-border data transfers in light of the Schrems II judgment

Due to the recent CJEU judgement in the case C-311/18 (Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems), it is very likely that the German Data Protection Authorities will also examine if and how personal data will be transferred to third countries outside the European Economic Area ("EEA"), since the CJEU has explicitly highlighted the duty of data protection authorities to take action. According to the decision of the CJEU, the EU-US Privacy Shield programme does not constitute a lawful basis for the transfer of personal data to the USA. Moreover, although other legal instruments such as the commonly used Standard Contractual Clauses ("SCCs") can still be used to justify international data transfers, the CJEU pointed out that a data exporter is obliged to assess, prior to any transfer based on SCCs, whether an appropriate level of protection is respected in the third country concerned or whether supplementary measures can be implemented to guarantee such an appropriate level of protection. If a data exporter, following such an assessment, comes to the conclusion that (taking into account the circumstances of the transfer and possible supplementary measures) an adequate level of protection cannot be ensured, it is required to suspend or end the transfer of personal data.

The European Data Protection Board has published a first set of responses in the form of FAQs in which it expresses the opinion that this also applies to the transfer of personal data based on Binding Corporate Rules. [See our article: EDPB issues initial guidance for cross-border data transfers in wake of Schrems II judgment] Therefore, companies should immediately check whether they have integrations of third parties in their websites which forward data relating to each visitor on to third countries outside the EEA. In the absence of an adequacy decision, such data transfers should immediately be suspended unless they can be based on safeguards identified under Article 46 GDPR, such as the SCCs. In this case, however, it is crucial to assess whether the legal environment in the third country allows for an appropriate level of protection or whether supplementary measures can be implemented to guarantee such an appropriate level of protection. Both the results of such a risk assessment and the supplementary measures taken should be documented in order to be able to demonstrate compliance with the requirements described above. [See Also: Schrems II Tracker: Regulatory Responses from Europe and the US]

Looking to the future

Even though the announced audits target media companies, the press release leaves no doubt that other branches of companies could be subject to audits in the near future as well. This shows that the grace period for the implementation of the GDPR has finally come to an end and that companies should be prepared to prove their GDPR compliance. Recently imposed fines demonstrate that German Data Protection Authorities will not hold back in using the legal sanctions provided by the GDPR. Due to the fact that non-compliance can lead to fines up to EUR 20 million or 4% of the annual global turnover, companies should take immediate action to mitigate any risks resulting from non-compliance of their websites