Constant cookie notices are annoying, but why are they legally necessary?
A ruling by the Federal Court of Justice (BGH) of 28.05.2020 (Case No. I ZR 7/16)[1] has led to uncertainty among website operators with regard to the use of cookies. One of the issues at stake in this concluded case was the following question: Can the defendant provider of online competitions obtain an effective declaration of consent from its users to the use of cookies for advertising by activating a checkbox in the registration form in advance?
The BGH denied this in the specific case and ruled "that the provider may only use cookies to create user profiles for advertising or market research purposes with the user's consent. The user's consent, which must be declared electronically and which allows the retrieval of information stored on their end device with the help of cookies by means of a preset checkbox, does not satisfy this consent requirement."
Website visitors must consent to the use of cookies
It is significant that the BGH referred a number of fundamental questions to the Court of Justice of the European Union (CJEU) for assessment in the course of the proceedings and then referred to the relevant opinion of the CJEU in its grounds for the judgment.
Even if the judgment itself only refers to cookies used for advertising purposes, the cited reasons for the judgment result in the interpretation shared in most commentaries: Before using any cookies that are not necessary for the provision of the desired services, effective consent must be obtained from the user by actively setting a corresponding checkbox, for example.
Matomo can also be used without cookies
An important consequence of this interpretation is that, beyond all advertising-related personalization, active user consent is also required for the use of cookies for web analysis with tools such as Google Analytics or Matomo.
A simple reference to the use of cookies to click "I agree" without an alternative is no longer sufficient. Anyone using Matomo can consider simply running the analysis without cookies at this point. Matomo is relatively easy to configure in this respect. Measured values based on the recognition of returning visitors tend to lose reliability, but are still available. Instead of cookies, anonymous "fingerprints" of users are used for recognition based on certain system properties.
For the sake of completeness, it should be mentioned that some sources assume that, legally speaking, this "fingerprinting" requires consent in the same way as the use of analysis cookies.[3] A judicial assessment of this question is still pending.
In contrast, some argue[4] that the exclusive use of technically necessary cookies and cookie-free Matomo analysis means that no cookie consent is required at all.
Effectively obtain permission if it cannot be dispensed with:
A veritable market has quickly formed around the issue of cookie consent, in which various providers offer the legally compliant processing of user information and consent, whereby the costs incurred vary greatly[5].
There is also a wide range of ready-made plugin solutions for popular platforms such as WordPress or Contao[6].
The visible result basically corresponds to the following scheme for all offers:
Method A: Pop-up with direct selection of settings
- Note text,
- visible checkboxes for the types of cookies used - for example, "Necessary" (or "Required", "Essential"), "Advertising purposes", "Statistics", with "Necessary" preselected,
- Accept selection" button,
- Accept all" button (usually highlighted),
- Links such as "Data protection", "Imprint", "Further information" etc.
Method B: Pop-up with detailed settings in the 2nd step
- Note text,
- Accept all" button,
- Button "Accept only necessary cookies" (or similar)
- Customize settings" button, which links to more or less complicated settings pages,
- Links such as "Data protection", "Imprint", "Further information" etc.
Method C: Pop-up with well-hidden detailed settings
- Note text,
- Accept all" button,
- Customize settings" button, which links to more or less complicated settings pages,
- Links such as "Data protection", "Imprint", "Further information" etc.
This is an overview of the solutions that have spread across the web. Whether each of them or one or the other is particularly suitable, whether by clicking on "Accept all" or other use, for obtaining effective consent in the light of the underlying BGH ruling would ultimately only be determined in specific legal proceedings, which are still pending.
Sources
- [1] - https://www.heise.de/ct/artikel/Cookies-nur-mit-aktiver-Einwilligung-erlaubt-4783626.html
- [2] - https://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=en&Datum=Aktuell&Sort=12288&nr=107623&pos=6&anz=672
- [3] - https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32002L0058&from=de
- [4] - https://usercentrics.com
- [5] - https://www.ccm19.de
- [6] - https://www.e-recht24.de/artikel/datenschutz/12119-bgh-urteil-cookies-einwilligung.html
- [7] - https://cookieinformation.com
- [8] - https://www.cookiebot.com
- [9] - https://www.content-iq.com/tracking-mit-matomo-ohne-cookies/
- [10] - https://www.it-recht-kanzlei.de/matomo-richtig-verwenden-dsgvo.html