Investigation findings published: cookies remain a focus for the data protection authorities!
What have the data protection authorities done?
Starting in mid-August 2020, the authorities in the States of Baden-Württemberg, Brandenburg, Bremen, Hamburg, Hessen, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Saarland, Saxony and Schleswig-Holstein sent out questionnaires (only in German) seeking to collect a very extensive quantity of information about data flows to media websites, naturally accompanied by a "special note" pointing out the possibility of an on-site inspection following the written procedure, in the event that the authorities find that "ambiguities" still exist. Specifically, the authorities requested many details about cookie settings and third-party services in their questionnaire: questions about the lawfulness of data processing, the data protection impact assessment, the implementation of privacy-friendly default settings pursuant to Article 25 of the GDPR, etc. Our general advice to you when it comes to dealing with investigations by the supervisory authorities is summarized here.
What are the key findings?
- wrong sequence of events, in that cookies were placed before consent was obtained;
- users not provided with adequate information;
- no easy way for users to refuse user tracking as a whole, even though such tracking requires the user's consent;
- buttons designed in such a way as to manipulate users to issue consent ("nudging").
What is the current legal situation with regard to cookies?
In accordance with the case law of the German Federal Court of Justice, in its judgment of 28 May 2020 (Case No. I ZR 7/16) (only in German), as well as the ECJ Judgment of 1 October 2019 in the "Planet49" case (Case No. C-673/17) a year before, website operators require the user's free and active consent in order to store non-essential cookies and tracking mechanisms in the user's browser or device. The relevant statute governing this consent requirement is § 15(3) of the German Telemedia Act (only in German) in conjunction with Article 5(3) of the E-Privacy Directive, not the GDPR. Nevertheless, the supervisory authorities apply the same substantive standards for consent and stress in the cover letter (only in German) to their request for information that free and active consent is required. Accordingly, website operators cannot satisfy the current legal requirements by merely allowing users to opt out or interpreting continued use of the website as consent. In addition, the Act Regulating Data Protection and Protection of Privacy in Telecommunications and Telemedia (only in German) takes effect on 1 December 2021, and contains provisions of its own about the form which consent must take. It remains to be seen how the new provisions will be implemented in practice.
Our criticism of the authorities' investigation
It is typically easy for users to see that the website operator is trying to obtain their lawful consent, given the prominent placement of cookie banners, which are sometimes hard to overlook. But the supervisory authorities cite this very design of the banners in online media as a defect: "manipulation of users: the design of the consent banners displays numerous forms of 'nudging,' meaning that users are subliminally pressured to consent e.g. by making the 'consent' button a color which stands out more than the 'refuse' button, or by making the process of refusing consent needlessly complicated." The authorities' criticism of "nudging," i.e. creating an incentive for the user to act in a certain way, is too strong, in our view. Specifically, they criticize nudging in all its forms, but neither the GDPR nor the E-Privacy Directive nor the German Telemedia Act establishes direct guidelines in this regard or prohibits website operators from guiding users in any way. Controllers should of course make it clear to users that they have the right to consent or object, but creating a visual incentive to do so does not necessarily conflict with this objective.
Should you receive a letter from your supervisory authority (the authorities are now sending out requests for information relating to third-country transfers), do not let your fear of possible fines or penalties drive you to reveal everything without thinking. Instead, follow our recommendations.
Moreover, the general rule applies here as well: prevention is better than reaction. Keep the documentation of your data flows as up-to-date as possible, in consultation with your data protection officer, and keep in mind what the data protection authorities are currently focusing on. We would be glad to help you with documentation and positioning yourself so as to conform with data protection law. If a request for information nevertheless arrives in your mailbox, our extensive experience dealing with supervisory authorities places us in an ideal position to effectively advise you about what steps to take next.