Website maintenance

Why the annoying cookie notices?


Picture of a beautifully tidy garden

Constant cookie notices are annoying, but why are they legally necessary?

A ruling of the Federal Court of Justice (BGH) of 28.05.2020 (Case No. I ZR 7/16)[1] has led to uncertainty among website operators with regard to the use of cookies. Among other things, this concluded case dealt with the following question: Can the defendant provider of online sweepstakes obtain an effective declaration of consent from its users for the use of cookies for advertising by activating a checkbox in the registration form in advance?

The BGH denied this in the specific case and ruled "that the provider may only use cookies to create user profiles for the purposes of advertising or market research with the consent of the user. An electronically declared consent of the user, which allows the retrieval of information stored on his terminal device by means of cookies by way of a pre-set checkbox, does not satisfy this consent requirement."

Website visitors must agree to the use of cookies

It is significant that in the course of the proceedings, the BGH submitted a number of fundamental questions to the Court of Justice of the European Union (CJEU) for assessment and then referred to the CJEU's opinion in this regard in its reasons for the judgement.

Even if the ruling itself only refers to cookies used for advertising purposes, the reasons for the ruling cited result in the interpretation shared by most commentaries: Before using any cookies that are not necessary to provide the desired services, the user must obtain effective consent by actively setting a corresponding checkbox, for example.

Matomo can also be used without cookies

An important consequence of this interpretation is that beyond all advertising-related personalisation, the use of cookies for web analysis with tools such as Google Analytics or Matomo thus also requires the active consent of the user.
A simple reference to the use of cookies to click away without alternative via "I agree" is no longer sufficient. Those who use Matomo can consider simply running the analysis without cookies. Matomo can be configured relatively easily in this respect. Measured values based on the recognition of returning visitors tend to lose reliability, but are still available. Instead of cookies, anonymous "fingerprints" of users based on certain system properties are used for recognition.

For the sake of completeness, it should be mentioned that individual sources assume that, legally speaking, this "fingerprinting" is just as subject to consent as the use of analytics cookies.[3] A judicial assessment of this question is still pending.

In contrast, there are various opinions[4] that the exclusive use of technically necessary cookies and cookie-free Matomo analysis can completely dispense with any cookie consent.

Effectively obtain permission if it cannot be waived:

A real market has quickly developed around the issue of cookie consent, in which various providers offer legally compliant processing of user information and consent, whereby the costs incurred differ greatly[5].
There is also a wide range of ready-made plug-in solutions for popular platforms such as WordPress or Contao[6].

The visible result basically corresponds to the following scheme for all offers:

Method A: Pop-UP with a direct selection of settings

  • Note text,
  • visible checkboxes for the types of cookies used - For example, "Necessary" (or "Required", "Essential), "Advertising purposes", "Statistics", with "Necessary" preselected,
  • Accept selection" button
  • Accept All" button (usually visually highlighted),
  • Links such as "data protection", "imprint", "further information" etc.

Method B: Pop-up with detailed settings in the 2nd step

  • Note text,
  • Accept all" button
  • Button "Accept only necessary cookies" (or analogously)
  • Customise settings" button, which refers to more or less complicated settings pages,
  • Links such as "data protection", "imprint", "further information" etc.

Method C: Pop-up with well-hidden detailed settings

  • Note text,
  • Accept all" button
  • Customise settings" button, which refers to more or less complicated settings pages,
  • Links such as "data protection", "imprint", "further information" etc.

This is an overview of the solutions that have proliferated on the net. Whether each of them, or one or the other, is particularly suitable, whether by clicking on "Accept all" or other use, for obtaining effective consents in the light of the underlying BGH ruling, would ultimately only be proven in concrete legal proceedings, which are still pending.


See also