Even before the General Data Protection Regulation (GDPR) came into force, there were discussions as to whether the use of tracking cookies, which make it possible to analyze the usage and browsing behavior of a user on the Internet and use it for interest-based advertising, requires prior consent (opt-in) of the user or whether a dissent solution (opt-out) is sufficient. The German data protection authorities are of the opinion that users must give their consent. In a case pending before the European Court of Justice (Case C-673/17), the Advocate General now confirms this view in his Opinion, published on March 21, 2019. Although the Advocate General's Opinion is not binding on the ECJ, the latter often agrees with the Advocate General. In this respect, his Opinion is of considerable importance.
In Germany, Sec. 15 (3) German Telemedia Act (TMG) so far stipulates that service providers may create usage profiles using pseudonyms for the purpose of advertising, market research or to customize their offer if the user does not object. Even before the GDPR entered into force, this regulation was criticized on the grounds that it did not comply with the European requirements of the ePrivacy Directive (2002/58/EC) and the Cookie Directive (2009/136/EC). The European ePrivacy Regulation which was originally intended to apply in conjunction with the GDPR as of May 25, 2018, should provide clarity but has not yet entered into force.
In April 2018, the German data protection authorities in a joint statement with reference to the European understanding of law pointed out that as of the applicability of the GDPR on May 25, 2018, the special provision of Sec. 15 TMG is no longer applicable and the use of tracking mechanisms on the Internet and the creation of user profiles requires the prior consent of the user.
The ECJ will decide on the issue in the near future and there is much to be said for following the Advocate General's and the German data protection authorities’ opinion and rejecting the opt-out solution.
OPT-OUT SOLUTION BEFORE THE ECJ
The proceedings before the European Court of Justice are based on a submission by the Federal Court of Justice (BGH). In the underlying case, the operator of a sweepstakes website was granted the right to place cookies in the user's browser through an already pre-ticked checkbox, which enabled an evaluation of the user's surfing and usage behavior and thus interest-based advertising. To prevent this, the user had to deselect the pre-ticked checkbox.
In his Opinion, the Advocate General considers that this opt-out solution is inadmissible. It does neither meet the requirements of the ePrivacy and Cookie Directive, which is applicable until the ePrivacy Regulation comes into force, nor the requirements of the GDPR, which has been applicable since May 25, 2018. Rather, the use of tracking cookies requires explicit consent, which must comply with the requirements of the GDPR.
REQUIREMENTS FOR EFFECTIVE CONSENT (OPT-IN)
An active action by checking a box or clicking a button is required for effective consent under the GDPR. Furthermore, the consent must be issued separately. According to the Advocate General, this can only be achieved if it is not given together with other declarations. Consent must be voluntary and not subject to inadmissible coupling. Furthermore the user has to be informed in advance. The information must be clear and comprehensive and should, inter alia, also provide information about the operational period of the cookie and the question of whether third parties can access the cookie.
If the European Court of Justice agrees with the Advocate General, the German courts will follow this case-law in the future. However, it is already now advisable for website operators - also with regard to the corresponding opinion of the German data protection authorities - to check their cookie consents to see whether the requirements of the GDPR are met or whether a revision is required.
- IT Outsourcing by Banks and Insurers Facilitated by Revised Regulations
- Reading the Tea Leaves for 2020
- Federal Council Considers Introduction of Cyber Incident Reporting Duty
- CCPA: The 1st Major American Foray into Comprehensive Data Privacy Regulation
WSG Member: Please login to add your comment.