Nowadays, many websites use cookies to track user behavior or to display customized advertising. Anyone wishing to take advantage of the benefits associated with these cookies must obtain the users’ consent.
In the opinion of the German Federal Court of Justice (BGH), pre-crossed buttons on websites are not sufficient. Consent would be invalid in this case. Instead, the check must be actively set.
What are cookies?
Cookies assign individual identifiers to the users of websites. This enables these websites to recognize visitors. In many cases, however, they also evaluate user behavior. In most cases, users must agree to the use of cookies beforehand. Once consent has been given, information is stored on the user’s terminal device or their data is accessed.
Agreement must be active
According to the BGH, consent is only effective if it has been actively given by the user (so-called opt-in).
An online gambling provider had informed users about the use of cookies in a prescribed consent text. The cookies were to be used to evaluate the surfing and usage behavior of the lottery participants on websites of advertising partners by an advertising analysis service. The consent was already preset because it was marked with a tick in the corresponding field from the beginning. However, the users could remove it themselves (so-called opt-out).
ECJ interprets consent in a user-friendly way
According to the German Telemedia Act (TMG), the use of cookies to create user profiles for advertising or market research purposes is permitted if the user does not object to this. However, the basic data protection regulation requires active consent.
After initial uncertainties as to how the term consent is to be interpreted, the Federal Court of Justice (BGH) asked the European Court of Justice (ECJ) for clarification. The ECJ decided that active consent does not apply to a pre-filled checkbox, which the user must uncheck to refuse consent.
Extensive protection of privacy
The BGH also made it clear in its ruling that consent does not depend on whether the information stored and retrieved is personal data. This is because European laws protect not only personal data, but the privacy of internet users as a whole.
Threat of ineffective consent and unnecessary expenses
As a result, the gambling provider was not only ordered to refrain from this consent practice, but also had to pay the plaintiff’s dunning expenses.
This shows that a lawful implementation of cookie consent not only provides protection against subsequent adjustments and invalid consent, but also saves additional costs. Moreover, it is to be expected that supervisory authorities will take action and sanction the previous practice where consent was given by clicking “Ok” or by using pre-filled cookie banners.
Our experts will be happy to offer comprehensive advice on the use of cookies on your website.
Continue reading:
Companies May Issue Warnings of GDPR Violations in Germany
Data Protection Compliance in Germany in Three Steps