Last updated on 22 March 2021 by Robert Bateman (TermsFeed Privacy and Data Protection Research Writer)
In fact, the case has important implications for websites and apps accessible throughout the whole of the EU, plus the wider European Economic Area (EEA) and the UK. It's one of many recent decisions that reiterates long-standing cookie consent requirements.
In this article, we'll explain what happened in the German court case, why it doesn't really change the existing EU cookie consent rules, and why you shouldn't be relying on "legitimate interests" for setting cookies.
The German court considered whether a website's cookie consent solution complied with Section 15 (3) of the German Telemedia Act (TMG). The TMG is Germany's implementation of the EU's ePrivacy Directive, which sets rules on cookies.
Effectively, the court had to decide which of the GDPR's legal bases for processing personal data was appropriate for website operators using cookies.
Some website operators had interpreted the wording of Section 15 (3) of the TMG as allowing the setting of cookies under the legal basis of "legitimate interests." This would have allowed them to set cookies first, and then offer users the chance to opt out.
The court ruled that all non-essential cookies require consent. The "legitimate interests" interpretation was wrong. And "consent" means an active choice on the part of the user: so opt-in, not opt-out.
So what's changed following the court's decision? In the words of the court: "nichts geändert." Nothing has changed.
Since the German court's ruling, these rules have become even clearer. And yet, many websites and apps continue to ignore them.
But with data protection authorities (DPAs) across the EU clamping down on poor cookie practices, it's a good time to start paying attention to the law.
On December 10, 2020, the French DPA - the CNIL - imposed large fines on two companies who "placed advertising cookies on users' computers... without obtaining prior consent and without providing adequate information":
On January 26, 2021, the Norwegian DPA announced a fine of nearly €10 million ($12 million) against dating app Grindr, over how the app collected and shared user data without obtaining proper consent.
So, given the current legal landscape, how can you stay on the right side of EU law?
Remember that these rules apply in Germany and any other country in which the ePrivacy Directive and GDPR apply, including Iceland, Liechtenstein, Norway, and the UK.
Here are the rules on getting cookie consent in GDPR-covered countries (we'll use "the EU" as a shorthand from here on out).
If you're a non-German business, do you even need to comply with German cookie rules?
The short answer is yes: if your website is accessible in Germany, you'll need to comply with German privacy law if you're using tracking cookies on your website. The same applies across the whole of the EU.
This is because the GDPR applies "extraterritorially" to any company that
That last point applies to a lot of businesses. The European Data Protection Board (EDPB) has confirmed that "monitoring the behavior of people in the EU" includes using tracking cookies that capture the personal data of people in the EU.
Therefore, if your website or app is not compliant with EU cookie law, and a user in Germany or another EU country makes a complaint to their DPA, you'll be held accountable under EU law.
It's important to note that not all cookies require consent under the EU's rules. Here's the relevant section of the ePrivacy Directive:
The ePrivacy Directive specifies that two types of cookies are exempt from its consent requirements:
Here are some examples of these types of cookies:
In summary, cookies don't require consent if they are strictly necessary to:
Any cookies that aren't "strictly necessary" on the terms outlined above require consent. This includes all advertising and analytics cookies.
Because the rules for cookies derive from the ePrivacy Directive rather than the GDPR, it doesn't matter whether a cookie collects personal data about the user. What matters is that information is stored on the user's device and later read back from it, and that is exactly what the ePrivacy Directive regulates.
As such, the requirement to obtain consent for cookies extends both to first and third-party cookies.
While analytics cookies may enable you to make improvements to your website, and advertising cookies may help fund your website, you'll still need to get consent for setting them on a user's device.
As we've explained, you'll need to ask your EU users to consent to most types of cookies. It's also important that you request consent in the right way.
Here's how the GDPR defines consent:
We can break this down into five key elements. A person's indication that they give their consent must be:
There's an additional requirement elsewhere in the GDPR (at Article 7). Consent must be:
The EU DPAs and courts have derived some basic rules from these principles.
The most common approach to obtaining cookie consent is to use a "cookie banner": a pop-up notification asking the user whether they consent to cookies.
Here's an example of a cookie banner that, according to the interpretation of the GDPR above, would not be valid:
This cookie banner states that the website is relying on legitimate interests for the purpose of building a profile about users' interests to show them relevant personalized ads. It invites users to "object" (opt out).
As we know, "legitimate interests" is not an appropriate legal basis for this type of activity.
Here's an example of a cookie banner that meets these requirements, from the European Central Bank:
Here's what's good about this cookie banner:
However, note that the European Central Bank only uses analytics cookies, and for limited purposes. As such, a single accept/decline choice is enough: there is no need to let users choose between different categories of cookies, because there is only one.
Here's how PD Neurotechnology offers its users the choice to opt into specific types of cookies:
The user can opt into "analytics and statistics" cookies and "marketing and retargeting" cookies. These are set to "off" by default.
The user can opt out of "strictly required cookies." Note that it isn't actually necessary to allow users to object to these types of cookies, as long as they meet the ePrivacy Directive's exemption rules.
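The following is an added example, not code from the page or from any of the sites it names. It shows, in browser-side JavaScript, the model the "strictly necessary" exemption and the opt-in banner above describe: optional categories default to "off", a missing or unreadable consent record counts as "no", the cookie that stores the choice is itself treated as strictly necessary, and tracking cookies are only loaded after the recorded choice says so. It also includes a small audit that walks a `document.cookie` snapshot and reports every cookie the recorded consent does not cover, which is the check a reviewer would run to spot cookies set before consent. The cookie catalogue, the cookie names, the `cookie_consent` record format and the sample cookie strings are all constructed for the example.

```javascript
'use strict';

// Constructed catalogue for a hypothetical site (illustrative only). Only
// "strictly_necessary" cookies fall under the ePrivacy Directive's exemption;
// every other category needs prior opt-in consent.
const COOKIE_CATALOGUE = {
  session_id:     { category: 'strictly_necessary', purpose: 'keeps the user logged in' },
  cookie_consent: { category: 'strictly_necessary', purpose: 'records the consent choice itself' },
  _ga:            { category: 'analytics',          purpose: 'usage statistics' },
  ad_profile:     { category: 'marketing',          purpose: 'interest-based advertising' },
};

const OPTIONAL_CATEGORIES = ['analytics', 'marketing'];
const CONSENT_COOKIE = 'cookie_consent';

// Opt-in means every optional category starts "off"; a missing or
// unreadable record must never be treated as a "yes".
function defaultConsent() {
  return { analytics: false, marketing: false };
}

// Hypothetical record format: "v1&analytics=1&marketing=0". '&' is legal in a
// cookie value; ';' is not, so it cannot be used as the separator.
function parseConsentRecord(value) {
  const consent = defaultConsent();
  if (typeof value !== 'string' || !value.startsWith('v1&')) return consent;
  for (const part of value.slice(3).split('&')) {
    const [key, flag] = part.split('=');
    if (OPTIONAL_CATEGORIES.includes(key)) consent[key] = flag === '1';
  }
  return consent;
}

function serializeConsentRecord(consent) {
  return 'v1&' + OPTIONAL_CATEGORIES.map(c => `${c}=${consent[c] ? 1 : 0}`).join('&');
}

// Split a document.cookie / Cookie header string into [name, value] pairs.
function parseCookieString(cookieString) {
  return cookieString.split(';')
    .map(s => s.trim())
    .filter(Boolean)
    .map(s => {
      const i = s.indexOf('=');
      return i < 0 ? [s, ''] : [s.slice(0, i), s.slice(i + 1)];
    });
}

// Read the recorded choice out of the cookie string (defaults if absent).
function readConsent(cookieString) {
  const pair = parseCookieString(cookieString).find(([name]) => name === CONSENT_COOKIE);
  return parseConsentRecord(pair ? pair[1] : undefined);
}

// May this cookie be set under the given consent state?
function mayBeSet(name, consent) {
  const entry = COOKIE_CATALOGUE[name];
  if (!entry) return false; // undocumented cookie: not in the notice, so not allowed
  if (entry.category === 'strictly_necessary') return true;
  return consent[entry.category] === true;
}

// Audit a snapshot of document.cookie: every cookie the recorded consent does
// not cover is a finding (set before consent, or without it).
function auditCookies(cookieString) {
  const consent = readConsent(cookieString);
  return parseCookieString(cookieString)
    .map(([name]) => name)
    .filter(name => !mayBeSet(name, consent));
}

// Gate tag loading on the recorded choice, instead of setting cookies first
// and offering an opt-out afterwards.
function categoriesToLoad(cookieString) {
  const consent = readConsent(cookieString);
  return OPTIONAL_CATEGORIES.filter(c => consent[c]);
}

// Constructed sample: analytics and ad cookies present, no consent record at all.
const BEFORE_CONSENT = 'session_id=abc123; _ga=GA1.2.111; ad_profile=xyz';
// Constructed sample: the user opted into analytics only.
const AFTER_CONSENT = 'session_id=abc123; cookie_consent=v1&analytics=1&marketing=0; _ga=GA1.2.111';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('violations before consent:', auditCookies(BEFORE_CONSENT)); // [ '_ga', 'ad_profile' ]
  console.log('violations after consent: ', auditCookies(AFTER_CONSENT));  // []
  console.log('categories to load:', categoriesToLoad(AFTER_CONSENT));     // [ 'analytics' ]
}
```

In a real page, `readConsent(document.cookie)` would run before any analytics or advertising tag is injected, and the banner's "save" handler would write `serializeConsentRecord(choice)` into the `cookie_consent` cookie. Running `auditCookies(document.cookie)` from the browser console on a fresh visit is a quick way to find cookies that are being set before the user has chosen anything.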
Either way, you'll need to provide users with a notice that explains:
The types of cookies you use, including:
A list of all the specific cookies you use, including their:
Use clear and straightforward language when explaining these things to your users.
Here's an example of how to explain cookies, from Plusnet:
And here's (part of) a list of SurveyMonkey's cookies, breaking each down by cookie name, type, duration, and description:
For more information, see our article "How to Write a Cookies Policy."
Germany's court case was just one of many important decisions regarding cookie consent across the EU.
The rules have never been clearer: You must obtain consent for any cookies that are not "strictly necessary."
Consent under the GDPR must be: