WHAT THE COOKIE!?
on 02.12.2019 by Dr. Ramona Greiner, Dr. Thomas Helbing
In their search for a legally compliant web tracking solution, many companies lose themselves in a jungle of terms and competing interpretations and wish for one thing above all: legal certainty – definite clarity as to what is possible with tracking and what is not.
Unfortunately, the legal situation is still not quite clear on many points. To make matters worse, two separate legal issues are repeatedly mixed up: on the one hand the cookie rules, on the other hand the rules for the protection of personally identifiable information (PII) – also referred to as personal data. In the following we provide clarity on the current state of affairs – in cooperation with our specialist lawyer for IT law Dr. Thomas Helbing (www.thomashelbing.com).
Cookies: What the ECJ has decided (and what not)
- The cookie requirements have so far been regulated in an EU Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC). An EU directive does not bind citizens or companies in the EU directly; rather, it obliges the Federal Republic of Germany to enact the relevant laws so that the directive's requirements apply in Germany.
- Uncertainty already prevails on this point: whether and to what extent Germany has implemented the cookie requirements in national law is highly controversial. Some regard the Telemediengesetz (TMG) as an implementation of the cookie requirements. However, one can certainly doubt whether the cookie requirements must be complied with in Germany at all, because the Federal Court of Justice (BGH) has yet to decide on this. Outcome open.
- The requirements set out in the Directive apply to all information stored in or retrieved from the user's device, regardless of whether or not that information can be attributed to a person.
- The user must always be informed about cookies.
In addition, consent is always required for the setting or reading of cookies, unless the cookie is…
a) … required to ensure data transmission
b) … “strictly necessary” for the provision of a service which the user “expressly requests”.
The ECJ ruling and the recent developments:
In its Planet49 decision, the ECJ ruled that, for consent to be valid, the user must be given a range of information and, above all, that consent must be given actively. A pre-ticked checkbox is not sufficient, nor is implied consent along the lines of "You consent by using our website, clicking on the website, scrolling down etc.".
The ECJ has not decided which cookies require consent. This is often misrepresented in the treatment of the judgment, even by data protection authorities and lawyers.
On the safe side are those who behave as if the Cookie Directive applied directly in Germany, because the data protection authorities, and possibly also the BGH, may transfer the assessments from the Cookie Directive into the scope of data protection law, as described in more detail below.
The protection of personal data – and what this has to do with cookies
The provisions on the protection of personal data are regulated in the General Data Protection Regulation (GDPR) – an EU regulation. Regulations apply directly in all EU member states, so there is no need for national laws to implement them.
The GDPR requirements must be observed when “personal data” is “processed”.
Cookies can be used to process personal data, but they need not.
If, for example, the provider of a website merely sets a cookie containing a random string of numbers, and the user repeatedly calls up individual pages of that provider, the provider can track how a visitor moves through its website (e.g. which pages the visitor opens, how long they stay there and when they last visited). The provider can also collect data about the end device, such as screen resolution or operating system. None of this data is stored on the user's device; it is stored on the provider's servers. The value in the cookie is used only to recognize the individual user again.
Whether the visitor behaviour data constitutes processing of "personal data" depends on whether the website operator is able to identify the user (not on whether it actually does so). If the data can be used to work out a user's identity with some effort, the data is deemed personal data.
Examples of personal data:
Since the website operator often also stores the user's IP address, or could do so, it could possibly obtain the user's identity via this IP address, e.g.: a user posts insults on the website; the website operator files a criminal complaint; the investigating authorities ask Telekom for the connection data; the website operator inspects the case file and thereby learns who the connection holder is. In another decision, the European Court of Justice allowed this "chain" to suffice for a personal reference, at least where the IP address is also used to combat abuse.
If the website operator offers a contact form or a newsletter subscription anywhere on its website, it could link the names or e-mail addresses entered there with the data collected by means of cookies (page visits). This too would make it possible to identify individuals personally. It is sufficient that such a link could easily be made, even if the website operator does not actually make it or intend to make it. It is also sufficient if only a very few site visitors are personally identifiable in this manner.
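To make the two preceding points concrete, here is an added example that is not part of the original article and not code from any specific analytics product. It models a site's server-side request log and contact-form submissions with constructed sample rows: the cookie carries only a random identifier, the visitor profile (pages, dwell time, last visit, device data) is assembled on the server, and a join on that identifier is all it takes to turn the pseudonymous profile into personal data. The field names (`vid`, `path`, `ts`) and the sample values are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed server-side request log. The cookie "vid" holds nothing but a random
# identifier; every other column is recorded by the provider's server, not in the cookie.
REQUEST_LOG = [
    {"vid": "a3f9c2", "path": "/",        "ts": "2019-11-04T09:00:00", "ua": "Firefox/70", "screen": "1920x1080"},
    {"vid": "a3f9c2", "path": "/pricing", "ts": "2019-11-04T09:02:30", "ua": "Firefox/70", "screen": "1920x1080"},
    {"vid": "a3f9c2", "path": "/contact", "ts": "2019-11-04T09:05:00", "ua": "Firefox/70", "screen": "1920x1080"},
    {"vid": "b71e0d", "path": "/",        "ts": "2019-11-05T14:10:00", "ua": "Chrome/78",  "screen": "1366x768"},
]

# Constructed contact-form submissions. The browser sends the same cookie with the form
# request, so the stored form row can carry the same identifier as the request log.
CONTACT_FORMS = [
    {"vid": "a3f9c2", "name": "Example Person", "email": "person@example.org"},
]


@dataclass
class VisitorProfile:
    """Everything the provider learns about one cookie id, kept on the provider's side."""
    vid: str
    pages: List[str] = field(default_factory=list)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    device: Dict[str, str] = field(default_factory=dict)
    identity: Optional[Dict[str, str]] = None  # filled only if a link to a real person is made


def build_profiles(log: List[dict]) -> Dict[str, VisitorProfile]:
    """Group requests by cookie id: page sequence, first/last visit and device data."""
    profiles: Dict[str, VisitorProfile] = {}
    for row in log:
        profile = profiles.setdefault(row["vid"], VisitorProfile(vid=row["vid"]))
        ts = datetime.fromisoformat(row["ts"])
        profile.pages.append(row["path"])
        profile.first_seen = ts if profile.first_seen is None else min(profile.first_seen, ts)
        profile.last_seen = ts if profile.last_seen is None else max(profile.last_seen, ts)
        profile.device = {"ua": row["ua"], "screen": row["screen"]}
    return profiles


def dwell_seconds(profile: VisitorProfile) -> float:
    """Time between a visitor's first and last recorded request."""
    if profile.first_seen is None or profile.last_seen is None:
        return 0.0
    return (profile.last_seen - profile.first_seen).total_seconds()


def linkage_possible(profiles: Dict[str, VisitorProfile], forms: List[dict]) -> bool:
    """The article's test: it is enough that a link *could* be made. A shared key suffices,
    whether or not the operator ever performs the join."""
    return any(form["vid"] in profiles for form in forms)


def link_identities(profiles: Dict[str, VisitorProfile], forms: List[dict]) -> int:
    """Perform the join the article warns about. Returns how many profiles became identifiable."""
    linked = 0
    for form in forms:
        profile = profiles.get(form["vid"])
        if profile is not None and profile.identity is None:
            profile.identity = {"name": form["name"], "email": form["email"]}
            linked += 1
    return linked


def identifiable_count(profiles: Dict[str, VisitorProfile]) -> int:
    """Number of profiles tied to a named person; per the article, even one is enough."""
    return sum(1 for p in profiles.values() if p.identity is not None)


if __name__ == "__main__":
    profiles = build_profiles(REQUEST_LOG)
    print("linkable before any join:", linkage_possible(profiles, CONTACT_FORMS))
    print("profiles linked:", link_identities(profiles, CONTACT_FORMS))
    for p in profiles.values():
        print(p.vid, p.pages, dwell_seconds(p), p.device, p.identity)
```

Note that `linkage_possible` returns true before `link_identities` is ever called: the mere coexistence of the two tables with a shared key is what the article's test turns on, and it applies even though only one of the two visitors in the sample ends up identified.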
Why PII and cookies usually belong together:
In most cases it must be assumed that both the information obtained by means of cookies and the information stored in the cookie itself are personally identifiable and therefore subject to the GDPR requirements.
In addition to the cookie requirements, the GDPR requirements must therefore also be observed in most cases.
The GDPR firstly requires that data processing be explained (Art. 13, 14, 21 GDPR), e.g. which data is collected for which purposes, to whom and when it is passed on and deleted (data protection information).
According to Art. 6 GDPR, "processing" of "personal data" may only take place if there is a legal basis. The legal basis can be consent (opt-in) or a balancing of interests. If the legal basis is a balancing of interests, processing takes place without active consent: the user is merely informed and may be given the opportunity to object (opt-out), although this is not mandatory.
So when do we need consent?
The German data protection authorities have explained in an orientation guide when consent is required online. The document is long and complicated and does not yield very clear statements. In addition, the guidance was issued before the Planet49 ruling. The data protection authorities may transfer the assessments from the Cookie Directive to data protection law, so that consent is always regarded as necessary if the data processing is related to a cookie that is not "strictly necessary". If consent is required for a cookie, it therefore makes sense, in case of doubt, to also obtain consent for the related data processing.
For jurists: in the guidance mentioned, the data protection authorities correctly conclude that the provision in § 15 Abs. 3 TMG cannot be relied upon.
Regarding the recording and evaluation of visitor behaviour on websites (“tracking”), the line of the data protection authorities can be roughly outlined as follows:
- If data about visited pages and basic device data (e.g. resolution, operating system) are required by the site operator for purposes such as page optimisation, an opt-out is sufficient (no consent required). The same applies if a technical service provider is used purely as a processor acting on the operator's behalf. However, the service provider may not use the data for its own purposes (e.g. product optimisation), as various data protection authorities confirmed in press releases as recently as November 2019.
- Consent is required for data processing involving advertising or the optimisation of advertising campaigns (remarketing).
Outlook – or: What about the ePrivacy Regulation?
The topic of cookies was actually meant to be regulated in an ePrivacy Regulation alongside the GDPR. Lobbying has prevented agreement at the political level in the EU (Council) for three years. An attempt by the Finnish presidency to reach an agreement by the end of 2019 is considered to have failed. An agreement in the Council is to be expected in 2020 at best. This will be followed by the remainder of the legislative process (trilogue). As with the GDPR, a transitional period of two years is expected to apply, meaning the new rules will not apply until the end of 2023. The planned ePrivacy Regulation is therefore no reason to postpone the issue.