Cross-State Review of Websites and Use of Cookies by German Supervisory Authorities
July, 2021 - Lutz Martin Keppeler, Michael Kuska, LL.M., LL.M.
In the summer/autumn of 2020, the supervisory authorities of several German states examined the websites of various media companies, particularly with a view to the use of cookies and the tracking of users for advertising purposes. According to the press releases published by the supervisory authorities involved (see the press release from the State Commissioner for Data Protection of NRW), the supervisory authorities came to the conclusion that the integrated tracking methods and the cookies used often did not meet legal requirements. The supervisory authorities take a critical view of the – allegedly – often inadequate and misleading design of the consent banners used (known as cookie banners or consent management platforms (CMPs)). No official orders, fine proceedings, court judgements or similar legally binding decisions have been issued in connection with the investigation, as far as can be seen. Even if the press releases do not go into detail on the individual points of criticism, some initial basic conclusions can be drawn.
Background
The legally compliant use of cookies and tracking tools on websites and mobile applications is still a moving target. An extensive discussion about the legal requirements was triggered by the ECJ ruling of 1 October 2019 (Case C-673/17, 'Planet 49') and the subsequent BGH [German federal court] ruling of 28 May 2020 (case no. I ZR 7/16), as well as the widespread use of CMPs since the summer of 2020 according to IAB TCF 2.0. In essence, this primarily relates to the question of what requirements effective consent must meet in order to track users for advertising purposes with cookies or similar methods (e.g. device fingerprinting, hereinafter collectively referred to as 'Cookies'). The lawful design of so-called cookie banners or CMPs, through which consent for the use of Cookies is obtained, is a particular focus. In addition to the aforementioned judgements of the ECJ and BGH, one reason is almost certainly also the data protection activist Max Schrems, who, with his data protection organisation NOYB, has urged a large number of companies to adjust their cookie banners in the past few months and threatened them with the supervisory authorities should they fail to do so.
Coordinated investigation by the German regulatory authorities
The investigation in question was a coordinated review of websites from a total of 49 selected media companies in Germany. As part of the investigation, the supervisory authorities involved sent questionnaires to the selected companies from August 2020 onward. Amongst other things, they were asked which Cookies and tracking tools they used and which legal basis the usage was based on. The authorities then evaluated the results. The questionnaires were extraordinarily comprehensive and included a lot of technical details. From a legal point of view, a criticism voiced by the authorities in their statement is that, although consent is often obtained for the use of Cookies via cookie banners or CMPs, in many cases, these are not effective as the authorities believe that they violate data protection requirements. The following obstacles to effectiveness were specifically mentioned:
1. Incorrect sequence: Cookies are already set before consent is given.
2. Missing information: The information about the Cookies and tools used is incomplete.
3. Insufficient scope of consent: Cookies and tools are active despite denied consent.
4. No simple rejection: There is no 'Reject all cookies' option at the first level of the cookie banner or any other simple option to close the cookie banner without granting consent.
5. User manipulation: Users are subliminally urged to give their consent, for example, by a colored highlighting of the 'Accept' button (so-called 'nudging').
Finally, the authorities also indicate that they will actively exert influence on the companies in order to establish data protection-compliant conditions; if necessary, this could also include the use of supervisory authority expertise. The prohibition of certain tracking tools or the imposition of fines cannot be ruled out here. As far as can be seen, the investigation has not yet led to any regulatory measures.
Legal classification
The use of tracking tools and Cookies is primarily subject to the Directive on Privacy and Electronic Communications (also known as the ePrivacy Directive). The corresponding regulations were implemented in Germany, in accordance with the aforementioned judgement of the BGH, in Section 15 (3) TMG [German Telemedia Act]. In principle, the use of Cookies requires the consent of the user. There may be an exception if the relevant Cookie is technically absolutely necessary for the provision of the website. For example, this can be the case for Cookies that are set to correct errors or to improve technical performance. If personal data are also processed using the tracking tools or Cookies (which is almost always the case, since the IP addresses that need to be sent are themselves considered to be personal), this processing requires a separate legal basis within the meaning of the General Data Protection Regulation (GDPR). Website operators must therefore check whether the Cookies and tools they use require consent pursuant to the ePrivacy Directive or Section 15 (3) TMG, as well as the GDPR, or whether another legal basis can be considered. For example, within the scope of the GDPR, data processing for advertising purposes can, in principle, also be based on a legitimate interest (Art. 6 (1) (f) GDPR).
If it is necessary to obtain consent, website operators must comply with various legal requirements to ensure that the consent is actually effective. Both the ECJ and the BGH have explicitly referred to the essential legal requirements for the use of Cookies in their decisions. In particular, this raised the point that Cookies requiring consent may only be actively used (i.e. activated) if the user has given their consent through a clear action (e.g. clicking an accept button). In turn, consent must be given on an informed basis. For example, the user must be informed of the functionality and storage duration of the Cookies. If the user refuses their consent, the Cookies must not be activated. If the user subsequently revokes their consent, the Cookies that require consent must be deactivated immediately. Against this background, the points of criticism listed by the supervisory authorities in items 1 to 3 are not surprising, and correspond to the clearly defined legal requirements.
With regard to the further points of criticism in items 4 and 5, the following should be noted:
- 'Reject button' at the first level: While various supervisory authorities in the EU, for example, in the UK and France, take the position that there must also be a 'Reject all cookies' button next to any 'Accept all cookies' button at the first level of a cookie banner, the German supervisory authorities and the Datenschutzkonferenz [German Data Protection Conference] have kept silent in the past with regard to this point. From the published press releases, it can be seen that the German supervisory authorities involved in the investigation are now also tending towards this point of view. It is therefore to be expected that the German authorities involved will also enforce this view against providers of telemedia in future. It should be noted, however, that this point has not yet been decided by a higher court and that not all individual supervisory authorities in the EU necessarily require a 'Reject all cookies' button at the first level. Against this background, it is advisable to keep an eye on further developments. If, on the other hand, website operators want to avoid regulatory proceedings, it is advisable to follow the opinion of the authorities involved in the investigation and to include a 'Reject all cookies' button at the first level of the cookie banner.
- Design of cookie banners and CMPs: This also applies to the graphic design of the cookie banners, and in particular, of the buttons they use. The law does not contain any explicit requirements as to the specific design of the cookie banners and the buttons they contain, so website operators generally have some leeway. In this respect, the authorities' criticism should not be generalized prematurely – especially since no specific requirements are stated in the press releases. Of course, it is possible for graphic designs to work in such a way that the user only sees the option to consent to the use of Cookies. The judgement of Rostock District Court of 15 September 2020 (case no. 3 O 762/19), as well as the orientation aid of the State Commissioner for Data Protection of Lower Saxony from the beginning of the year (see Update Data Protection No. 93), offer indications on this point. However, not every highlighting of the 'Agree' button represents user manipulation. A simple difference in the colour background of the buttons used does not necessarily lead to manipulation. Rather, the entire design of the cookie banner must be considered on a case-by-case basis.
Conclusion and recommendation
The investigation and evaluation by the authorities contain relevant information with regard to several points, while for other points, there is merely a positioning with regard to unresolved legal issues. In addition, many detailed questions remain open. In such cases, it would be desirable for the German supervisory authorities and the Datenschutzkonferenz to take a clear position. However, looking at the current status, a relevant statement from the authorities is not expected to be issued before winter 2021. Those close to the authorities say that the introduction of the new Telekommunikations-Datenschutzgesetz [German Telecommunications-Telemedia Data Protection Act (TTDSG)] is to be expected. In the meantime, it is advisable to check the legal conformity of the specific Cookies and tools used for the points stated and to determine possible scope for argumentation by means of a risk decision. This applies in particular with regard to the integration of a 'Reject all cookies' button and the different colored designs of the buttons used in the cookie banner or CMP.