The German Federal Court of Justice (BGH) ruled today (28 May 2020) that an opt-out for setting cookies is inadmissible under German law due to an interpretation of Section 15(3) of the German Telemedia Act (TMG) in conformity with the ePrivacy Directive (press release of the BGH; available only in German).
As a result, website operators can no longer rely on the fact that it would be possible to set cookies in Germany solely based on their legitimate interests. This was previously at least justifiable with reference to the earlier statements of the German supervisory authorities and the wording of the regulations in the Telemedia Act (TMG).
By now, the German association of Data Protection Authorities (DSK) in its revised decision, the European Data Protection Board (EDPB) in its advice on consent, the European Court of Justice (ECJ) in the preceding decision and now also the German Federal Court of Justice have opposed such a view. It is now necessary to obtain the consent of the website user for the setting of non-functional cookies (opt-in).
Failing to comply with these new requirements bears the risk that competitors or consumer associations may issue warnings to website operators if they continue to use the (now) illegal opt-out procedure. Furthermore, the supervisory authorities are likely to take a closer look at some websites based on this ruling, whether unsolicited or following a complaint by a data subject. In ongoing proceedings, it must be carefully reviewed whether the reasoning vis-à-vis the supervisory authority may need to be adjusted.
As the implementation of these new requirements are easily visible (and technically identifiable) on the website, incompliance bears a high risk of cease-and-desist and supervisory procedures.
The judgement of the German Federal Court of Justice follows the decision of the ECJ in this case. On 1 October 2019, the ECJ ruled that a pre-set checkbox which must be actively deselected by the user to avoid consent does not constitute valid consent (within the meaning of Art. 2(f) and 5(3) of the ePrivacy Directive as well as Art. 4(11) and 6(1)(a) of the GDPR) for setting non-functional cookies. Here you can find the previous TW Newsflash on this judgement.
The German Federal Court of Justice had submitted the questions regarding the legitimacy of the opt-out procedure to the ECJ after the previous instances had come to different conclusions, respectively.
In the first instance, the Frankfurt Regional Court, granted the motions of the Federation of German Consumer Organisations (Bundesverbands der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V., vzbv) and decided that consent as an opt-in is necessary when cookies are set.
This decision was overturned by the Higher Regional Court in Frankfurt to the effect that, due to the wording of the German Telemedia Act, consent to cookie use can also be granted as an opt-out.
The reason for the present legal dispute are contradictions between the German Telemedia Act and the ePrivacy Directive. Directives are European legal acts that must be implemented into national law by the member states.
In contrast to the ePrivacy Directive, Section 12(1) of the TMG, as the German implementation law, only covers personal data. In addition, Section 15(3) of the TMG allows service providers to create user profiles when using pseudonyms for the purposes of advertising, market research or for the needs-tailored design of the service provided the user does not object to this. Such an “opt-out” mechanism is not in line with Art. 2(f) and 5(3) of the ePrivacy Directive as well as Art. 4(11) and Art. 6(1)(a) of the GDPR, as it follows from these provisions that the user must expressly consent to cookie use (through an opt-in).
With today’s ruling, the German Federal Court of Justice has clarified that Section 15(3) of the TMG, despite its contradictory wording, must be interpreted in conformity with the Directive, resulting that the user must expressly consent to the storage of non-functional cookies (opt-in).
Today’s ruling now determines that "active" consent is required. Website operators should now check whether they still set cookies relying on the opt-out procedure. If this is the case, operators should switch the setting of cookies to the opt-in procedure, i.e. obtain consent of the website user before setting a non-functional cookie. This consent must be explicit and can be given by placing a check mark or pressing a slide switch, for instance.
In addition, website operators must inform the website user sufficiently and transparently about the circumstances of the processing. For a valid consent, it is therefore necessary that the user is going to be informed about which cookie is set for which specific purpose.