Search for:
Cybersecurity, Data and Tech

Germany: The decision of the German Federal Court of Justice on cookie consent – and further implications

By , and 7 Mins Read

In brief

On May 28, 2020 the German Federal Court of Justice (Bundesgerichtshof, “BGH”) decided on the “Planet49” case regarding cookies (see decision in German here, reference number I ZR 7/16). The decision follows upon the ruling of the Court of Justice of the European Union (“CJEU”) of October 1, 2019 (see our publication regarding that ruling). On July 6, 2020 the reasons of the BGH decision have been published and we have summarized those in this client alert.

Contents

  1. Cookies
    1. Wording of Section 15 para. 3 TMA only requires right to object
    2. Art. 5 para. 3 ePrivacy Directive – Consent requires active behaviour
    3. BGH: Interpretation of Section 15 para. 3 TMA in conformity with the ePrivacy Directive
    4. Open issues
  2. Consent into direct marketing activities
    1. Consent under the German Unfair Competition Act is subject to GDPR requirements
    2. Consent must be specific
    3. Outlook

Companies using cookies on their websites should review their cookie banners and cookie notices in light of this very recent BGH decision. In addition to the statements relating to cookies, the BGH made further statements that are relevant to advertising companies.

Cookies

In line with the CJEU, the BGH held that a pre-ticked checkbox does not comply with the consent requirements under GDPR. Ultimately, this is not surprising from an EU law perspective and regarding the result, but the conclusion drawn by the BGH required some justification efforts in Germany due to the still applicable Section 15 para. 3 of the German Telemedia Act (“TMA”).

Wording of Section 15 para. 3 TMA only requires right to object

Pursuant to the black letter wording of Section 15 para. 3 TMA, a service provider (e.g. a provider of a website or app) is allowed to create pseudonymized user profiles for the purposes of advertising, market research or needs-based design of telemedia, provided that the user has been informed of its right to object and has not objected to that processing. In the past, this provision was commonly also relied upon for the creation of pseudonymized user profiles through the use of cookies. Pursuant to the black letter wording of Section 15 para. 3, sentence 1 TMA, a right to object / opt-out (as opposed to consent / opt-in) is sufficient for the creation of pseudonymized user profiles through cookies.

Art. 5 para. 3 ePrivacy Directive – Consent requires active behaviour

However, Art. 5 para. 3 of the ePrivacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC) requires that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent (…).” This is the legal basis under EU law of the well-known cookie consent requirement. The conditions for such a consent (opt-in) were determined by the CJEU in the preceding preliminary ruling. According to the CJEU consent requires an active behaviour of the user (see our publication on the CJEU decision).

BGH: Interpretation of Section 15 para. 3 TMA in conformity with the ePrivacy Directive

The BGH did not follow the view of the German data protection authorities (Data Protection Conference) that Section 15 para. 3 TMA shall be superseded by the GDPR and therefore no longer applicable. Rather, the BGH concluded that Section 15 para. 3 TMA continues to apply.

The BGH ruled that Section 15 para. 3, sentence 1 TMA must be interpreted in light of and in conformity with Art. 5 para. 3 of the ePrivacy Directive as meaning that the use of cookies for creating user profiles for the purposes of advertising or market research requires the user’s consent. Following the decision of the CJEU, the BGH further ruled that the user’s consent cannot be obtained by way of a pre-ticked checkbox which the user can uncheck.

The BGH’s interpretation of Section 15 para. 3 TMA is, strictly speaking, contrary to its black letter wording. However, according to the BGH, an interpretation in conformity with the ePrivacy Directive is still compatible with the wording. The BGH argues that the interpretation in conformity with the ePrivacy Directive requires more than an interpretation of the black letter law – where necessary and possible, a teleological interpretation / teleological reduction.

Open issues

The BGH decision – similar to the CJEU decision – has brought some clarity, but several points on cookies and similar technologies remain unsolved, e.g.:

  • What does the wording of a cookie consent text need to look like in practice?
  • How detailed does the consent text have to be?
  • What are the requirements for so-called cookie walls considering that consent must be freely given (e.g. “paying with personal data”)?

Consent into direct marketing activities

The BGH decision provides further interesting statements as regards consent into direct marketing activities. By way of background, the consent wording for direct marketing at stake was accompanied by an unticked checkbox and referred to another website on which the advertising companies (57 in total) including their respective areas of business operations and envisaged marketing communication channels where listed. The user could deselect individual companies and was informed that the website provider is entitled, at its own discretion, to select 30 companies max., if the user does not make a choice on the advertising companies.

Consent under the German Unfair Competition Act is subject to GDPR requirements

The BGH clarified that consent for direct marketing activities as required by the German Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb) must comply with the consent requirements of the GDPR.

Consent must be specific

The BGH ruled that consent wording for direct marketing activities must be specific, both under the laws prior to GDPR as well as under the GDPR. In particular, it must be clear what type of products or services of which companies are covered by the consent. The overall design of the consent containing a link to another website that lists the companies that shall be authorized to do marketing, including their areas of business operations, must not be complex and misleading so that the consumer is prevented from a practical perspective from taking note of the information on that linked website. Such a consent does not constitute a valid consent into direct marketing activities.

Outlook

In its decision the BGH did not criticize the following aspects of the marketing consent in question. Thus, it can be assumed that such aspects do not give cause for any legal issues:

  • The consent wording itself did not state the companies that shall be authorized to do marketing by name. The consent wording merely referred to another website on which the various companies that shall be authorized to do marketing, including their business addresses and description of the areas of business operations, are listed (“layered approach”).
  • One consent (i.e. one checkbox) covering marketing via postal mail, telephone, e-mail and / or SMS. This may be understood in the sense that the consent wording does not have to give the user a choice between the various communication channels.
  • The subject of the promotional offers has not been further specified in the consent wording; the consent in question only referred to “offers relating to their respective area of business operations”. Further specifications on the business operations were available on the linked website.

Click here to access the German version.

Categories:
Author

Julia Kaufmann is a partner in the Munich office of Baker McKenzie. She has been admitted in Germany since 2006 and in New York, USA, since 2009. In addition to her studies in Germany, Julia obtained her Master of Laws degree at the University of Texas at Austin, USA.

Author

Author

Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie since June 2011 and was admitted as an attorney to the German bar shortly after. Prior to joining Baker McKenzie she studied law at the University of Passau. She obtained her Doctor of Law degree on a topic related to privacy in the Web 2.0. From July until December 2014 she practiced at the San Francisco office of Baker McKenzie. She is a member of the International Association of Privacy Professionals (IAPP) and since May 2015 a Certified Information Privacy Professional/Europe (CIPP/E) and since May 2017 a Certified Information Privacy Professional/United States (CIPP/US). She is also the author of numerous articles on information technology law, in particular on data protection law and e-commerce law, and the co-author of an English language commentary on the EU General Data Protection Regulation. In 2017/2018, Michaela received several recommendations for data protection law in kanzleimonitor.de.

Related Posts