Cookies without Consent
BGH decided on 28 May 2020 (re I ZR 7/16 - „Planet49“) on the question whether German law requires website operators to request permission from visitors for setting cookies (opt-in) or whether an approval may be assumed and the visitor may subsequently deny the cookie placing (opt-out).
Cookies in Conflict with TMG and ePrivacy Directive
The reason for the present legal dispute is the contradiction between the German Telemedia Act and the ePrivacy Directive. Directives are European legal acts that must be implemented into national law by the Member States. In contrast to the ePrivacy Directive, §12 I TMG, as the German implementation law, only covers personal data. In addition, §15 III TMG allows service providers to create user profiles when using pseudonyms for the purposes of advertising, market research or for the needs-tailored design of the service provided the user does not object to this. Such an “opt-out” mechanism is not in line with the ePrivacy Directive nor the GDPR, as it follows from the Directive that the user must expressly consent to cookie use (through an opt-in).
With today's ruling, the German Federal Court of Justice has clarified that §15 III TMG, despite its contradictory wording, must be interpreted in conformity with the Directive, resulting that the user must expressly consent to the storage of non-functional cookies (opt-in).
Websites are to Allow to Opt-in for Cookies
As a result, website operators can no longer rely on the fact that it would be possible to set cookies in Germany solely based on their legitimate interests. It is now necessary to obtain the consent of the website user for the setting of non-functional cookies (opt-in). This was previously at least justifiable with reference to the earlier statements of the German supervisory authorities and the wording of the regulations in the Telemedia Act.
Failing to comply with these new requirements bears the risk that competitors or consumer associations may issue admonishments with fines to website operators if they continue to use the (latest really now) illegal opt-out procedure. Furthermore, the supervisory authorities are likely to take a closer look at some websites based on this ruling, whether unsolicited or following a complaint by a data subject. In ongoing proceedings, it must be carefully reviewed whether the reasoning vis-à-vis the supervisory authority may need to be adjusted.
As the implementation of these new requirements are easily visible (and technically identifiable) on the website, non-compliance bears a high risk of cease-and-desist and supervisory admonishments.
Based on the above ruling, it is now required that the "active" consent is obtained. Website operators should check whether they still set cookies relying on the opt-out procedure. If this is the case, operators should switch the setting of cookies to an opt-in procedure, i.e. obtain consent of the website user before setting a non-functional cookie. This consent must be explicit and cannot be given by pre-checking a box for “automatic” approval but requires the visitor to tick the box or press a slide switch – for example.