Authors

Nathalie Koch, LL.M. (UC Hastings), Associate

Thanos Rammos, LL.M., Partner

11 February 2022

Cookies under attack – New decisions by European data protection authorities on online advertising

  • In-depth analysis

Since last year, cookies have come under increased scrutiny from data protection authorities and consumer protection organisations in Germany. Alleged violations of the Telemedia Act and the GDPR are being pursued, and the TTDSG, in force since December 2021, is likely to add to this. 2022 is also shaping up to be a year of data protection enforcement in the ad tech sector across Europe. Most recently, the Belgian, French and Austrian data protection authorities have caused a stir with decisions in this area. In Germany, the supervisory authorities have published draft guidance on the TTDSG, and the ECJ will soon rule on whether consumer protection organisations have standing to pursue cookie violations.

Current authority decisions in the EU

The use of cookies has long been a focus of privacy regulators in the EU. Now orders and fines are following. In a recent and much-noticed decision, the Belgian Data Protection Authority declared the Transparency and Consent Framework (TCF) of IAB Europe (Interactive Advertising Bureau Europe) to be in breach of data protection law and imposed a fine of 250,000 EUR. Shortly before, in an equally widely discussed decision, the Austrian Data Protection Authority found the use of Google Analytics to be in breach of data protection law; that case essentially concerned the safeguards for data transfers to a third country. Early this year, the French data protection authority imposed fines totalling 210 million EUR for cookie violations. In Germany, there is new draft guidance from the data protection authorities, as well as pending proceedings brought by consumer protection organisations.

The Belgian decision on the Transparency and Consent Framework

In its decision of 2 February 2022, the Belgian Data Protection Authority - Autorité de protection des données (APD) - essentially relied on the following points. The so-called Transparency and Consent String (TC String) is personal data. If users click "accept all cookies" when visiting a website, the Consent Management Platform (CMP) operating under IAB Europe's TCF generates the TC String in the background. It consists of a combination of letters, digits and other characters that encodes the user's choices, and it forms the basis for building individual user profiles. Ad providers read the TC String when deciding whether and which customised ads to serve.

Together with the IP address and the cookies set, the user can be precisely identified. According to the APD, IAB Europe is the controller for the processing of personal data in the form of the TC String, and it is jointly responsible with the other actors (CMPs, website publishers and adtech providers) for the processing initiated through the TCF. In both respects, IAB Europe determines the purposes and means of the processing of personal data within the TCF.

The APD further found that IAB Europe had no legal basis for processing the TC String, so that the subsequent processing by adtech providers also lacked a sufficient legal basis. In addition, it found breaches of the transparency requirements in Articles 12, 13 and 14 GDPR, pointing in particular to the following (paragraph numbers refer to the decision):

  • Some of the processing purposes named in the TCF are too general and vague to inform data subjects adequately about the exact scope and nature of the processing of their personal data (para. 470).
  • The interface that CMPs offer to users does not allow them to identify easily and clearly which processing purposes are associated with authorising a particular vendor (para. 471).
  • Finally, the large number of third parties, i.e. adtech providers, that may receive and process users' personal data is compatible neither with the requirements of sufficiently informed consent nor with the wider transparency obligations of the GDPR (para. 472).

IAB Europe has two months to present a plan to address these findings and six months in total to remedy the deficiencies. IAB Europe disagrees with the APD's findings in substance and has announced that it will have the decision reviewed by the courts; in particular, it denies being a controller in the context of the TCF. The decision has also drawn criticism in Germany, and rightly so: it creates a high degree of legal uncertainty for all providers of digital content. This single decision calls into question almost all data processing used to finance digital offerings, with far-reaching consequences for the entire e-commerce industry and for a great many website operators and advertisers.

The Austrian decision on Google Analytics

On 22 December 2021, the Austrian Data Protection Authority (dsb) ruled that the technical and organisational measures taken in connection with Google Analytics, in addition to the standard contractual clauses concluded, were not sufficient to prevent or limit the possibility of access by US authorities. This is the first decision in the series of 101 model complaints that the organisation "None of Your Business" (NOYB), founded by Max Schrems, has filed across Europe. The complaints rely on the "Schrems II" judgment of the European Court of Justice (judgment of 16 July 2020, Case C-311/18), which declared the EU-US Privacy Shield invalid and required supplementary measures in addition to the standard contractual clauses. Here, too, a web analytics service, and thus cookies, stood at the centre of the dispute.

The French decision on cookie banners

On 6 January 2022, the French Data Protection Authority - Commission Nationale de l'Informatique et des Libertés (CNIL) - issued orders and imposed fines of 150 million EUR on Google (90 million on Google LLC and 60 million on Google Ireland Ltd) and 60 million EUR on Facebook for cookie violations. In these proceedings, the CNIL objected to the complicated design of the option to refuse cookies compared with the one-click option to accept them. Refusing cookies has to be as easy for users as accepting them; requiring several clicks to refuse all cookies impairs the user's freedom of choice, so consent obtained in this way is not freely given. It remains to be seen to what extent these decisions will have a signal effect in the other member states.

Developments in Germany

In Germany, the data protection authorities have been active since mid-2021 with audits conducted by questionnaire. In a first step, they have mostly used mass mailings to check whether website operators' so-called cookie banners meet the transparency requirements of the General Data Protection Regulation (GDPR). Consumer protection organisations have also become active. According to a press release by the Federation of German Consumer Organisations (VZBV), more than 100 companies have apparently received warning letters since September 2021 for violations of the German Telemedia Act (TMG) relating to the consent to be obtained via cookie banners. Although the organisations base their claims on the market conduct provisions of the TMG, their focus is on whether the consent is effective under the GDPR.

The ECJ must decide whether consumer protection organisations have standing to take such action alongside the data protection authorities. In the "Meta Platforms Ireland" case (C-319/20), referred by the Federal Court of Justice ("App-Zentrum", I ZR 186/17), the question is whether consumer protection organisations may pursue breaches of data protection law or whether the GDPR conclusively regulates supervision by the data protection authorities. The Opinion of the Advocate General, available since 2 December 2021, concludes that consumer protection organisations are entitled to pursue such breaches. If the ECJ follows this view, it would give consumer protection organisations even more momentum. Apart from that, the organisations' warning letters will probably soon be followed by court judgments, since it is unlikely that all companies will sign the requested cease-and-desist declarations without a fight. Once the ECJ ruling on the one hand and district court rulings on cookies on the other are published, a wave of warning letters regarding cookie banners and the use of so-called tracking tools could follow in the course of the year.

The TTDSG: All new, same old? 

On 1 December 2021, the data protection provisions of the Telemedia Act (TMG) were replaced by the new Telecommunications Telemedia Data Protection Act (TTDSG). Among other things, it is intended to give users more control over personal data collected online, and it brings new fine risks for companies. The TTDSG brings together rules on telecommunications data protection and other requirements for internet services that were previously scattered across the GDPR, the TMG and the German Telecommunications Act. With regard to cookies, section 25 TTDSG implements the requirements of the still applicable Article 5(3) of the ePrivacy Directive with a delay of approximately 15 years. It now makes clear that user consent is required whenever a company stores information on, or reads information from, the user's terminal equipment, as cookies do. Consent is not required for cookies that are "absolutely essential". Unfortunately, the legislator does not say when a cookie is "absolutely essential", and this uncertainty is likely to fuel further disputes.

The joint German data protection authorities have already set out their views on the TTDSG in draft guidance. According to the draft, whether storage and read-out operations are absolutely essential must be assessed in relation to the specific telemedia service the end user has requested. In line with the purpose of the provision, this calls for a differentiated view of the website or app. The basic service is generally regarded as the telemedia service requested by the user as soon as the user deliberately calls it up; this does not automatically cover every additional function of the basic service, which depends on the individual case, judged from the perspective of a user with average understanding. "Absolutely essential" is read strictly. Four dimensions must always be considered: the time at which the cookie is set (when?), its lifetime (how long?), its content (what?), and the domain that sets it, which determines who can read the information (for whom?). Under the provision, any access to terminal equipment and any information stored or read must be reduced to the necessary minimum in every one of these dimensions.
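The four dimensions in the draft guidance map directly onto attributes of a Set-Cookie header, which makes a first-pass cookie inventory easy to automate. The following script is an added example, not part of the article and not a tool of the German authorities: it parses Set-Cookie headers observed during a page load, derives the lifetime (how long), the setting domain and scope (for whom), the payload size (what) and whether the cookie was set before the consent interaction (when), and lists which cookies would have to qualify as "absolutely essential" under section 25 TTDSG. The site name, the headers and the consent stage are constructed sample data; the review thresholds (one day, 64 bytes) and the two-label approximation of the registrable domain are assumptions, since the guidance itself names the dimensions but gives no numbers.

```python
"""Cookie inventory check along the four dimensions of the draft TTDSG guidance:
when is the cookie set, how long does it live, what does it contain, and
which domain can read it.  Added example with constructed Set-Cookie headers
and assumed thresholds; not part of the original article."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Fixed observation time (the article's date) so computed lifetimes are deterministic.
NOW = datetime(2022, 2, 11, tzinfo=timezone.utc)
# Assumed review thresholds: the guidance names the dimensions but gives no numbers.
MAX_ESSENTIAL_LIFETIME_S = 24 * 60 * 60   # anything living longer than a day is flagged
MAX_ESSENTIAL_VALUE_BYTES = 64            # payloads larger than an opaque id are flagged

# Constructed observations: (host that sent the response, Set-Cookie header,
# whether it was observed before the user interacted with the consent banner).
PAGE_HOST = "www.example.de"  # hypothetical site under audit
OBSERVATIONS = [
    ("www.example.de", "session_id=9f1c2a; Path=/; Secure; HttpOnly; SameSite=Lax", True),
    ("www.example.de", "_ga=GA1.2.123456789.1644000000; Domain=.example.de; Path=/; Max-Age=63072000", True),
    ("ads.tracker-example.net", "uid=u-7781; Domain=.tracker-example.net; Path=/; "
                                "Expires=Sat, 11 Feb 2023 00:00:00 GMT; Secure; SameSite=None", True),
    ("www.example.de", "cookie_consent=v2:accepted; Path=/; Max-Age=15552000; SameSite=Lax", False),
]


@dataclass
class Finding:
    name: str
    lifetime_s: int | None   # None = session cookie, discarded when the browser closes
    scope: str               # "host-only", "parent-domain" or "third-party"
    value_bytes: int
    before_consent: bool
    notes: list[str] = field(default_factory=list)

    @property
    def needs_justification(self) -> bool:
        # Only cookies set before consent must qualify as "absolutely essential".
        return self.before_consent and bool(self.notes)


def registrable_domain(host: str) -> str:
    # Simplification: last two labels. A real audit should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    first, *rest = (part.strip() for part in header.split(";"))
    name, _, value = first.partition("=")
    attrs: dict[str, str] = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def lifetime_seconds(attrs: dict[str, str], now: datetime = NOW) -> int | None:
    # Max-Age takes precedence over Expires (RFC 6265, section 5.3).
    if "max-age" in attrs:
        return max(0, int(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return max(0, int((expires - now).total_seconds()))
    return None


def cookie_scope(page_host: str, response_host: str, attrs: dict[str, str]) -> str:
    if registrable_domain(page_host) != registrable_domain(response_host):
        return "third-party"
    return "parent-domain" if attrs.get("domain") else "host-only"


def audit(page_host: str, observations) -> list[Finding]:
    findings = []
    for response_host, header, before_consent in observations:
        name, value, attrs = parse_set_cookie(header)
        f = Finding(name, lifetime_seconds(attrs), cookie_scope(page_host, response_host, attrs),
                    len(value.encode()), before_consent)
        if f.lifetime_s is not None and f.lifetime_s > MAX_ESSENTIAL_LIFETIME_S:
            f.notes.append(f"how long: persists for {f.lifetime_s // 86400} days")
        if f.scope == "third-party":
            f.notes.append(f"for whom: set by {response_host}, readable by that party, not the visited site")
        elif f.scope == "parent-domain":
            f.notes.append(f"for whom: Domain={attrs['domain']} shares it with every subdomain")
        if f.value_bytes > MAX_ESSENTIAL_VALUE_BYTES:
            f.notes.append(f"what: {f.value_bytes}-byte payload, more than an opaque identifier")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit(PAGE_HOST, OBSERVATIONS):
        stage = "before consent" if f.before_consent else "after consent"
        print(f"{f.name:15} {stage:15} justification needed: {f.needs_justification}")
        for note in f.notes:
            print(f"    {note}")
```

Run as-is, the script flags the constructed _ga cookie (two-year lifetime, shared across all subdomains) and the constructed third-party uid cookie as set before consent and therefore needing an "absolutely essential" justification, while the host-only session cookie and the consent-state cookie set after the banner interaction pass. In a real audit the observations come from a browser automation run, and the registrable-domain check should use the Public Suffix List rather than the two-label shortcut used here.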

Outlook: The ePrivacy Regulation as a rescue?

A particular problem here is that there are still no uniform EU-wide rules for the ad tech sector, i.e. the online advertising industry. If the ePrivacy Regulation is adopted this year, a clear policy line could emerge across the EU. The first draft of the ePrivacy Regulation dates from January 2017 and was meant to apply together with the GDPR from May 2018, but negotiations proved difficult. The Council of the EU agreed on its version of the regulation on 10 February 2021, which opened the so-called trilogue, the informal negotiations between representatives of the Commission, the Parliament and the Council. The current draft will probably have to be discussed at length there. The European Data Protection Board (EDPB) voiced clear criticism in its Statement 03/2021 of 9 March 2021, objecting among other things that cookie walls are incompatible with the GDPR's requirements for consent and that the exception for audience measurement cookies is too broad. A tough trilogue is to be expected, and entry into force before 2023 cannot simply be assumed. Since the draft currently provides for a transition period of 24 months, the regulation would then apply from 2025 at the earliest. An online commentary on each provision of the ePrivacy Regulation is available on our ePrivacy Regulation blog.

Our Data Date podcast episode on technology topics gives an overview of cookies and further information on the related data protection aspects.