Germany's Federal Court of Justice made a significant privacy ruling on May 28, 2020. If your website or app is accessible in Germany, this case has important implications for how you use cookies.

In fact, the case has important implications for websites and apps accessible throughout the whole of the EU, plus the wider European Economic Area (EEA) and the UK. It's one of many recent decisions that reiterates long-standing cookie consent requirements.

In this article, we'll explain what happened in the German court case, why it doesn't really change the existing EU cookie consent rules, and why you shouldn't be relying on "legitimate interests" for setting cookies.



What Happened?

The German court, the Federal Court of Justice (BGH), considered whether a website's cookie consent solution complied with Section 15 (3) of the German Telemedia Act (TMG). That provision was Germany's transposition of Article 5 (3) of the EU's ePrivacy Directive, which sets the rules on cookies. (Since December 2021 the equivalent German rule is Section 25 of the TTDSG; the court's reasoning applies unchanged.)

Effectively, the court had to decide whether website operators could set cookies under a GDPR legal basis other than consent. The BGH had already referred the underlying questions to the Court of Justice of the European Union, which answered them in the Planet49 judgment (C-673/17, October 2019); the May 2020 decision applied that answer to German law.

Some website operators had interpreted the wording of Section 15 (3) of the TMG as allowing the setting of cookies under the legal basis of "legitimate interests." This would have allowed them to set cookies first, and then offer users the chance to opt out.

The court ruled that all non-essential cookies require consent. The "legitimate interests" interpretation was wrong. And "consent" means an active choice on the part of the user: so opt-in, not opt-out.

What Has Changed?

So what's changed following the court's decision? In the words of the court: "nichts geändert." Nothing has changed.

  • Non-essential cookies have required consent since the ePrivacy Directive was amended in 2009 (Directive 2009/136/EC); the original 2002 text only required that users be informed and given the opportunity to refuse
  • Consent must be indicated by a "clear, affirmative action" (opt-in) since the General Data Protection Regulation (GDPR) came into effect in 2018

Since the German court's ruling, these rules have become even clearer. And yet, many websites and apps continue to ignore them.

But with data protection authorities (DPAs) across the EU clamping down on poor cookie practices, it's a good time to start paying attention to the law.

Other Recent Cookie Decisions

On December 10, 2020, the French DPA - the CNIL - imposed large fines on two companies who "placed advertising cookies on users' computers... without obtaining prior consent and without providing adequate information":

  • Google received two penalties totaling €100 million ($121.3 million)
  • Amazon received a €35 million ($42.4 million) penalty

On January 26, 2021, the Norwegian DPA (Datatilsynet) announced its intention to fine dating app Grindr nearly €10 million ($12 million), over how the app collected and shared user data with advertising partners without obtaining valid consent.

While mobile apps don't normally use cookies per se, they still store and read information on the user's device, and so they fall under the same rules.

Cookie Consent Requirements in Germany

So, given the current legal landscape, how can you stay on the right side of EU law?

Remember that these rules apply in Germany and any other country in which the ePrivacy Directive and GDPR apply, including Iceland, Liechtenstein, Norway, and the UK.

Here are the rules on getting cookie consent in GDPR-covered countries (we'll use "the EU" as a shorthand from here on out).

If you're a non-German business, do you even need to comply with German cookie rules?

The short answer is yes: if your website is accessible in Germany, you'll need to comply with German privacy law if you're using tracking cookies on your website. The same applies across the whole of the EU.

This is because the GDPR's territorial scope (Article 3) covers any organization that

  1. Is established in the EU (e.g. has an office or employees based in an EU country), or
  2. Offers goods or services to people in the EU, or
  3. Monitors the behavior of people in the EU

Points 2 and 3 apply regardless of where the organization itself is located, which is what is meant by the GDPR's "extraterritorial" reach.

That last point applies to a lot of businesses. The European Data Protection Board (EDPB) has confirmed, in its guidelines on territorial scope, that "monitoring the behavior of people in the EU" includes using tracking cookies that capture the personal data of people in the EU.

Therefore, if your website or app is not compliant with EU cookie law, and a user in Germany or another EU country makes a complaint to their DPA, you can be held accountable under EU law.

It's important to note that not all cookies require consent under the EU's rules. Here's the relevant section of the ePrivacy Directive:

EUR-Lex ePrivacy Directive: Article 5 Section 3 - Confidentiality of the communications

Article 5 (3) of the ePrivacy Directive specifies that two types of cookies are exempt from its consent requirement:

  • Cookies used "for the sole purpose of carrying out the transmission of a communication over an electronic communications network"
  • Cookies that are "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service"

Here are some examples of these types of cookies:

  • Load-balancing session cookies
  • Cookies used to remember shopping cart contents
  • Cookies used to authenticate users
  • Certain session cookies used for security purposes
  • Cookies used to save a user's position on a media file
  • UI customization cookies
  • Social media cookies that enable logged-in users to share website content

In summary, cookies don't require consent if they are strictly necessary to:

  • Enable your site to function
  • Provide a service requested by the user

Any cookies that aren't "strictly necessary" on the terms outlined above require consent. This includes advertising cookies and, in practice, analytics cookies. (A few DPAs, notably the CNIL, exempt narrowly scoped first-party audience-measurement cookies under strict conditions, but do not assume your analytics setup qualifies.)

Because the rules for cookies derive from the ePrivacy Directive rather than the GDPR, it doesn't matter whether cookies collect personal data about users. Article 5 (3) covers storing information on, or gaining access to information already stored in, the user's device. The same rule therefore applies to other storage and tracking techniques, such as local storage and device fingerprinting, not just to cookies in the narrow sense.

As such, the requirement to obtain consent for cookies extends both to first and third-party cookies.

While analytics cookies may enable you to make improvements to your website, and advertising cookies may help fund your website, you'll still need to get consent for setting them on a user's device.

How to Get Cookie Consent

As we've explained, you'll need to ask your EU users to consent to most types of cookies. It's also important that you request consent in the right way.

Here's how the GDPR defines consent:

EUR-Lex GDPR: Definition of consent

We can break this down into five key elements. A person's indication that they give their consent must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Given via a clear, affirmative action

There's an additional requirement elsewhere in the GDPR (at Article 7 (3)). Consent must be:

  • Easy to withdraw (as easy as it was to give)

The EU DPAs and courts have derived some basic rules from these principles.

  • Don't use pre-ticked boxes. A pre-ticked box cannot show that consent is "unambiguous" or given via a "clear affirmative action." This was confirmed in the Planet49 case (C-673/17) before the Court of Justice of the European Union (CJEU).
  • Don't use a "cookie wall." A cookie wall blocks users from accessing your site (or other services) unless they consent to cookies. Consent obtained this way is not "freely given."
  • Don't set cookies, or load the third-party scripts that set them, until the user has consented. The CNIL issued its fines against Amazon and Google partly because the companies placed cookies on users' devices before obtaining consent.
  • Present your Cookies Policy or Privacy Policy when (or before) you request consent. This helps ensure consent is "informed."
  • Allow users to consent separately to different categories of cookies (without making your consent request burdensome). This helps ensure consent is "specific."

Creating a Valid Cookie Banner

The most common approach to obtaining cookie consent is to use a "cookie banner": a pop-up notification asking the user whether they consent to cookies.

Here's an example of a cookie banner that, according to the interpretation of the GDPR above, would not be valid:

TechRadar cookie consent notice

This cookie banner states that the website is relying on legitimate interests for the purpose of building a profile about users' interests to show them relevant personalized ads. It invites users to "object" (opt out).

As we know, "legitimate interests" is not an appropriate legal basis for this type of activity.

Here's a perfect example of a cookies banner, from the European Central Bank:

European Central Bank cookie consent notice banner with highlighted options

Here's what's good about this cookies banner:

  • It doesn't block access to the website. You can ignore it, and no non-essential cookies will be stored on your device.
  • It offers two clear choices: "Accept" or "Reject."
  • It provides a brief explanation of what cookies are, together with a link to further information.

However, note that the European Central Bank only uses analytics cookies, and for limited purposes. As such, there is no need to offer separate choices for different categories of cookies.

Here's how PD Neurotechnology offers its users the choice to opt into specific types of cookies:

PD Neurotechnology cookie consent notice with checkboxes

The user can opt into "analytics and statistics" cookies and "marketing and retargeting" cookies. These are set to "off" by default, which is what opt-in consent requires.

The banner also lets the user switch off "strictly required cookies." Note that it isn't actually necessary to let users object to these cookies, as long as they meet the ePrivacy Directive's exemption rules.
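The rules in "How to Get Cookie Consent" and the banners above describe behaviour; the following is an added example, written for this article and not taken from the page or from any of the sites shown on it, of the logic that should sit behind such a banner. It assumes the user's choice is recorded in a single cookie named `cookie_consent` (an assumed name; that cookie is itself strictly necessary) and that the cookie store is injectable: the in-memory store below is constructed so the example runs outside a browser, where you would instead pass an adapter over `document.cookie`. It shows that non-essential cookies are refused until an explicit opt-in, that omitted categories default to refusal, and that withdrawal purges previously set cookies in refused categories while essential ones remain.

```javascript
// Added example: consent-gated cookie manager (not the page's or any vendor's code).
// Categories mirror the article: "essential" is exempt under Art. 5(3) ePrivacy,
// everything else needs opt-in consent.
const CATEGORIES = Object.freeze({
  essential: { requiresConsent: false },
  analytics: { requiresConsent: true },
  marketing: { requiresConsent: true },
});

// Assumed name for the cookie that remembers the user's choice.
const CONSENT_COOKIE = "cookie_consent";

// Constructed in-memory store standing in for document.cookie.
function createMemoryStore() {
  const jar = new Map();
  return {
    get: (name) => (jar.has(name) ? jar.get(name) : null),
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
  };
}

function createConsentManager(store) {
  // Remember which category each cookie we set belongs to, so a later
  // refusal or withdrawal can remove exactly those cookies.
  const registry = new Map();

  function loadState() {
    const raw = store.get(CONSENT_COOKIE);
    if (raw === null) return null; // no choice yet: treated as "no consent"
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  // Opt-in only: a category is allowed solely when the stored choice is exactly true.
  function isAllowed(category) {
    const def = CATEGORIES[category];
    if (!def) throw new Error(`unknown cookie category: ${category}`);
    if (!def.requiresConsent) return true;
    const state = loadState();
    return state !== null && state.choices[category] === true;
  }

  // Record the user's choice. Missing keys, or anything other than true,
  // count as refusal (no pre-ticked defaults). Returns the normalized choice.
  function recordChoice(choices) {
    const normalized = {};
    for (const name of Object.keys(CATEGORIES)) {
      if (CATEGORIES[name].requiresConsent) normalized[name] = choices[name] === true;
    }
    store.set(CONSENT_COOKIE, JSON.stringify({
      version: 1, choices: normalized, at: new Date().toISOString(),
    }));
    purgeDisallowed();
    return normalized;
  }

  // The only way the site sets a cookie; refuses unless the category is allowed.
  function setCookie(name, value, category) {
    if (!isAllowed(category)) return false;
    store.set(name, value);
    registry.set(name, category);
    return true;
  }

  // Withdrawal is one call, as easy as consenting: every consent-based
  // category becomes refused and its cookies are removed. The consent
  // record itself stays, so the refusal is remembered on the next visit.
  function withdraw() { return recordChoice({}); }

  function purgeDisallowed() {
    for (const [name, category] of registry) {
      if (!isAllowed(category)) { store.remove(name); registry.delete(name); }
    }
  }

  return { isAllowed, recordChoice, setCookie, withdraw, hasChoice: () => loadState() !== null };
}

// Walkthrough with constructed cookie names; returns the observed outcomes.
function demo() {
  const store = createMemoryStore();
  const consent = createConsentManager(store);
  const out = {};
  out.analyticsBeforeChoice = consent.setCookie("_ga", "GA1.2.123", "analytics"); // false
  out.sessionBeforeChoice = consent.setCookie("sid", "4f3c", "essential");         // true
  consent.recordChoice({ analytics: true });           // marketing omitted => refused
  out.analyticsAfterChoice = consent.setCookie("_ga", "GA1.2.123", "analytics");  // true
  out.marketingAfterChoice = consent.setCookie("_fbp", "fb.1.1", "marketing");     // false
  consent.withdraw();
  out.gaAfterWithdraw = store.get("_ga");   // null: purged
  out.sidAfterWithdraw = store.get("sid");  // "4f3c": essential cookie kept
  return out;
}
```

The point of the injectable store is that the consent logic can be unit-tested outside a browser; in production the same manager should also gate the loading of third-party tags, since those scripts set their own cookies the moment they run.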

Having a Cookies Policy

For consent to be "informed," you need to provide users with the necessary information to help them understand cookies. This can be a section in your Privacy Policy, or it might be a standalone Cookies Policy.

Either way, you'll need to provide users with a notice that explains:

  • What cookies are
  • The purposes for which you use cookies
  • The types of cookies you use, including:

    • An overview of the different types of cookies you use
    • A list of all the specific cookies you use, including their:

      • Name
      • Purpose
      • Duration
      • Vendor (in the case of third-party cookies)
  • How users can manage your use of cookies

Use clear and straightforward language when explaining these things to your users.

Here's an example of how to explain cookies, from Plusnet:

Plusnet cookies information page excerpt

And here's (part of) a list of SurveyMonkey's cookies, breaking each down by cookie name, type, duration, and description:

SurveyMonkey cookies list excerpt

For more information, see our article "How to Write a Cookies Policy."

Summary

Germany's court case was just one of many important decisions regarding cookie consent across the EU.

The rules have never been clearer: You must obtain consent for any cookies that are not "strictly necessary."

Consent under the GDPR must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Given via a clear, affirmative action
  • Easy to withdraw

This means:

  • Get opt-in consent before setting non-essential cookies
  • Don't use a "cookie wall"
  • Create a Cookies Policy and present it whenever requesting cookie consent
