Category: GPRS-News

No Cookies Without Consent

GDPR-Series #3 | December 2019

No cookies without consent – what implementing the ECJ judgment of 1 October 2019 will mean for companies.

The use of cookies on websites is not something data protection authorities only get excited about during the Christmas period. While cookies as a snack are a great favourite for lots of people, cookies on websites are not a pleasurable experience for every website user. The following article looks at the topic from the point of view of privacy and data protection law, considers what will need to be done to implement the judgment, and estimates what this will mean in terms of effort for the companies involved.

1 Privacy and data protection - legal requirements and their interpretation by judicial decisions and commentaries

The most important legal requirements for the processing of the personal data of natural persons can be found in the EU General Data Protection Regulation (GDPR) and, for Germany, in the Federal Data Protection Act (BDSG). The GDPR has applied since 25 May 2018 and has since been implemented by companies, frequently at considerable cost and effort. Significant new obligations, such as the extensive information duties under Articles 13 and 14 GDPR, had to be analysed and then built into company processes with the appropriate documents. Because of these information duties, the principles governing the processing of personal data laid down in the GDPR must be brought to the attention of the data subjects before the first processing takes place. On this point the GDPR is reasonably clear. It is not clear enough, however, to guarantee that this aspect was actually reflected in the information documents drawn up for the processing operations. Before May 2018 in particular, there was considerable need for interpretation on this and many other points, on the level of detail required and on how the requirements were to be implemented. In addition to the working groups in the various business sectors and groups of companies that have long dealt with privacy and data protection issues, interpretation aids were provided by the German data protection authorities, then by the commentaries on the regulation as they were published, and now by judicial decisions, all of which contribute to a more precise and more certain implementation.
Individual court decisions, and unfortunately also the fines imposed by data protection authorities, have repeatedly highlighted issues in the "data protection jungle" that require special attention. In the second half of 2019, for instance, these included a fine of well over ten million euros imposed on a Berlin residential property company for failing to delete data. And since October 2019, the ECJ judgment on the use of cookies has given us a clear statement on a further data protection issue.

2 Cookies - Definition

Cookies are small items of data which a website instructs the browser to store on the user's local computer and which the browser sends back to that website with every subsequent request. Because a cookie typically contains an identifier assigned to that browser, the website can recognise the same user each time he visits it from this computer and can collect information about his behaviour on the site; cookies set by a third party that is embedded on many sites can follow him across the Internet in the same way. Actions the user took during an earlier visit that are of interest to the website can thus be retained between two visits, and the HTML pages delivered can be adapted individually to the user's previous browsing behaviour.

This definition shows that cookies are intended principally to support the interaction between the website user and the website technology. However, the same mechanism can also be used to evaluate the user's interaction and, for instance, to deliver targeted advertising. Which cookies are set for a specific website, and how, is ultimately determined by the operator of the website. Since this decision affects the website user's local computer, it is an intrusion into his private sphere, and to the extent that it affects the collection, processing and storage of personal data it is subject to the regulations governing data protection.

Until now, the use of cookies has been indicated on many websites by a so-called "cookie banner". When a user visits a website for the first time, a banner pops up and informs him, in varying degrees of detail, about the cookies used, sometimes with the option of accepting or rejecting them. Some websites even allow the user to continue using the site when all cookies are rejected. More frequently, however, clicking "Accept" activates all of the website's cookies at once and no choice is offered; for the user, the click is often merely the way to get the annoying banner off the screen.

3 The ECJ judgment on the use of cookies

Regarding this practice, the ECJ was asked to determine whether the procedure described above constitutes valid consent within the meaning of the GDPR and the ePrivacy Directive (2002/58/EC), which governs the storage of information on a user's terminal equipment.

In its judgment of 1 October 2019 (Case C-673/17, Planet49), the European Court of Justice decided whether a service provider requires the consent of the person visiting the website in order to interfere with his or her private life by placing cookies on the visitor's computer and subsequently using the information collected in this way. The EU ePrivacy Regulation, expected for 2020/2021, which is also likely to deal with the protection of website content and the use of cookies, has been postponed because its details require more extensive discussion in the various legislative bodies.

In summary, the ECJ ruling contains three important statements:

3.1. No effective consent has been given if the storage of information, or access to information already stored, on the website user's terminal equipment by means of cookies is permitted by way of a pre-ticked checkbox which the user must untick in order to refuse consent.

3.2. In interpreting this situation, it makes no difference whether the information stored on or retrieved from the website user's terminal equipment is personal data or not.

3.3. The user must be informed of the duration of the operation of the cookies and of whether third parties are given access to the information stored in them.

The Federal Court of Justice of Germany (BGH), which referred the questions to the ECJ, is expected to confirm this judgment in its own decision.

4 Implementation effort in general

Since the judgment makes no distinction between cookies that process personal data and cookies that, as is common practice on many privacy-friendly websites, only process data anonymously, all website operators are affected by it. The only exception is cookies that are strictly necessary to provide the service the user has requested, which Article 5(3) of the ePrivacy Directive exempts from the consent requirement. The standard practice to date of basing the use of cookies on the so-called balancing of interests (cf. Article 6(1) lit. f GDPR) can no longer be continued. Under no circumstances is a cookie banner that merely states that cookies are being used sufficient if the user is given no choice.

Active, informed consent must now be obtained from website users before cookies may lawfully be placed on their computers.

For this purpose, the user must be informed in a transparent manner when he visits the site which cookies are used, what function they have, how long they are stored and whether third parties are given access to the data collected in this way. Every cookie must be described individually. The user must be given the choice of whether or not each cookie is activated. Where cookies that are technically essential for the operation of the website are rejected, the consequences, namely the reduced usability of the website, must be made clear.

In order to implement these requirements in a technically acceptable manner, the use of a "consent management tool" is recommended. Such a tool is placed upstream of the website: it must run before any non-essential cookie is set or any third-party script is loaded, otherwise consent is collected only after the fact.

Figure 1: Example of the first-level prompt of a consent management tool

It lists all the cookies that can be placed by this website, and the user decides whether or not to consent to their use. By default, all cookies except those essential for technical reasons must be deactivated; a pre-ticked box is exactly what the ECJ rejected.

Figure 2: Example of a consent management tool with details relating to a cookie

The website operator must himself know which cookies his site sets and be able to supply the information the tool needs. In-house solutions are also possible. Nevertheless, it may be hoped that a commercially available standard tool will provide greater legal certainty, provided it is configured correctly: a tool that is installed but still fires tracking scripts before the user's choice has been recorded offers no more protection than a banner.

Since the practical consequences for German law will only be settled by the pending decision of the Federal Court of Justice, it is possible that website operators as a whole are not yet aware of the urgency of implementation. In reality, however, the time available now should be used to take all the steps necessary to obtain legally compliant consent for cookies on websites.

In concrete terms, this means:

- Analyse your website for the cookies it sets, including those set by embedded third-party content

- Prepare the required information for each cookie: its function, how long it is stored and whether third parties have access to it

- Choose a consent management tool or develop one yourself for your own use
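As an added illustration of the first two steps (and of the cookie mechanics described in section 2), here is a small Node.js script that builds a cookie inventory from Set-Cookie headers captured while loading a site. It is not the article's code or any vendor's tool; the site name, capture time and headers are constructed for the example. For each cookie it derives the storage duration (Max-Age takes precedence over Expires, as browsers apply it) and whether the cookie belongs to a third party, which are exactly the two items the ECJ requires to be disclosed, and leaves the purpose to be documented by the operator.

```javascript
'use strict';

// Added example, not from the article: build a cookie inventory from
// Set-Cookie headers captured while loading a site. SITE_HOST, CAPTURED_AT
// and OBSERVED_HEADERS are constructed for illustration.

const SITE_HOST = 'www.example.com';                           // assumed: the audited site
const CAPTURED_AT = new Date('Tue, 03 Dec 2019 10:00:00 GMT'); // assumed: when the headers were captured

// Constructed sample: one Set-Cookie header per entry plus the host that sent it
// (the page itself and two embedded third-party resources).
const OBSERVED_HEADERS = [
  { from: 'www.example.com',
    header: 'sessionid=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { from: 'www.example.com',
    header: 'lang=de; Domain=.example.com; Max-Age=31536000; Path=/' },
  { from: 'stats.analytics.example.net',
    header: '_vid=7f3e9; Domain=.analytics.example.net; Expires=Fri, 03 Dec 2021 10:00:00 GMT; Path=/' },
  { from: 'ads.tracker.example',
    header: 'trk=; Max-Age=0; Path=/' },
];

// Split one Set-Cookie value into name, value and attributes (attribute names
// lower-cased; flag attributes such as Secure map to true).
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(p => p.length > 0);
  const eq = parts[0].indexOf('=');
  const name = eq < 0 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq < 0 ? '' : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Storage duration as it must be disclosed: a session cookie, a deletion
// (Max-Age <= 0 or an Expires in the past) or a persistent cookie with a number
// of days. Max-Age takes precedence over Expires (RFC 6265, section 5.3).
function lifetime(attrs, capturedAt) {
  if (typeof attrs['max-age'] === 'string') {
    const seconds = parseInt(attrs['max-age'], 10);
    if (Number.isNaN(seconds)) return { kind: 'session' }; // invalid Max-Age is ignored by browsers
    return seconds <= 0 ? { kind: 'delete' } : { kind: 'persistent', days: Math.round(seconds / 86400) };
  }
  if (typeof attrs.expires === 'string') {
    const expires = new Date(attrs.expires);
    if (Number.isNaN(expires.getTime())) return { kind: 'session' };
    const days = (expires.getTime() - capturedAt.getTime()) / 86400000;
    return days <= 0 ? { kind: 'delete' } : { kind: 'persistent', days: Math.round(days) };
  }
  return { kind: 'session' };
}

// A cookie is first-party if its domain is the site host or a parent of it.
// Crude host-name comparison without the Public Suffix List: a first pass only.
function isThirdParty(cookieDomain, siteHost) {
  return !(siteHost === cookieDomain || siteHost.endsWith('.' + cookieDomain));
}

function inventory(observed, siteHost, capturedAt) {
  return observed.map(({ from, header }) => {
    const { name, attrs } = parseSetCookie(header);
    const domain = (typeof attrs.domain === 'string' ? attrs.domain.replace(/^\./, '') : from).toLowerCase();
    const life = lifetime(attrs, capturedAt);
    return {
      name,
      setBy: from,
      domain,
      thirdParty: isThirdParty(domain, siteHost),
      lifetime: life.kind,
      days: life.days,                    // undefined unless persistent
      secure: attrs.secure === true,
      httpOnly: attrs.httponly === true,
      sameSite: typeof attrs.samesite === 'string' ? attrs.samesite : 'not specified',
      purpose: null,                      // cannot be derived from the header; the operator must document it
    };
  });
}

// One line per stored cookie for the banner / cookie declaration; a deletion
// instruction is not a stored cookie and is left out.
function declarationLines(inv) {
  return inv.filter(c => c.lifetime !== 'delete').map(c => {
    const duration = c.lifetime === 'session' ? 'until the browser is closed' : `${c.days} days`;
    const party = c.thirdParty ? `third party (${c.domain})` : 'first party';
    return `${c.name}: ${party}; stored ${duration}; purpose: ${c.purpose || 'TO BE DOCUMENTED'}`;
  });
}

console.log(declarationLines(inventory(OBSERVED_HEADERS, SITE_HOST, CAPTURED_AT)).join('\n'));
```

Run it with `node`. Two caveats for a real audit: the first/third-party test compares host names only and does not consult the Public Suffix List, and HTTP headers miss cookies written by JavaScript via `document.cookie` (many analytics cookies are set this way), so a complete inventory also needs a browser with cookie instrumentation, run once before and once after consent has been given.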