Inves­ti­ga­ti­on fin­dings published: coo­kies remain a focus for the data pro­tec­tion authorities!

The data pro­tec­tion aut­ho­ri­ties in mul­ti­ple Ger­man Sta­tes laun­ched a coor­di­na­ted inves­ti­ga­ti­on in sum­mer of last year into the web­sites of some lar­ge media com­pa­nies, focu­sing on the use of coo­kies and the inte­gra­ti­on of third-party ser­vices. Seve­ral of the aut­ho­ri­ties, inclu­ding the Data Pro­tec­tion Com­mis­sio­ner for Sax­o­ny, have issued press releases announ­cing the results of this inves­ti­ga­ti­on (PDF only in German).

What have the data pro­tec­tion aut­ho­ri­ties done?

Start­ing in mid-August 2020, the aut­ho­ri­ties in the Sta­tes of Baden-Württemberg, Bran­den­burg, Bre­men, Ham­burg, Hes­sen, Lower Sax­o­ny, North Rhine-Westphalia, Rhineland-Palatinate, Saar­land, Sax­o­ny and Schleswig-Holstein sent out ques­ti­on­n­aires (only in Ger­man) see­king to coll­ect a very exten­si­ve quan­ti­ty of infor­ma­ti­on about data flows to media web­sites, natu­ral­ly accom­pa­nied by a “spe­cial note” poin­ting out the pos­si­bi­li­ty of an on-site inspec­tion fol­lo­wing the writ­ten pro­ce­du­re, in the event that the aut­ho­ri­ties find that “ambi­gui­ties” still exist. Spe­ci­fi­cal­ly, the aut­ho­ri­ties reques­ted many details about coo­kie set­tings and third-party ser­vices in their ques­ti­on­n­aire : ques­ti­ons about the lawful­ness of data pro­ces­sing, the data pro­tec­tion impact assess­ment, the imple­men­ta­ti­on of privacy-friendly default set­tings pur­su­ant to Artic­le 25 of the GDPR, etc. Our gene­ral advice to you when it comes to deal­ing with inves­ti­ga­ti­ons by the super­vi­so­ry aut­ho­ri­ties is sum­ma­ri­zed here.

What are the key findings?

In gene­ral, the aut­ho­ri­ties found that the media web­sites they loo­ked at use a very high num­ber of coo­kies and third-party ser­vices, lar­ge­ly for the pur­po­se of user track­ing and adver­ti­sing. In most cases, users were given the oppor­tu­ni­ty to con­sent spe­ci­fi­cal­ly to the use of coo­kies and third-party ser­vices. But this con­sent was inva­lid in most cases, accor­ding to the aut­ho­ri­ties, which named the fol­lo­wing spe­ci­fic defects:

  • wrong sequence of events, in that coo­kies were pla­ced befo­re con­sent was obtained;
  • users not pro­vi­ded with ade­qua­te information;
  • no easy way for users to object to user track­ing as a who­le, which requi­res the user’s consent;
  • but­tons desi­gned in such a way as to mani­pu­la­te users to issue con­sent (“nud­ging”).

What is the cur­rent legal situa­ti­on with regard to cookies?

In accordance with the case law of the Ger­man Fede­ral Court of Jus­ti­ce, in its judgment of 28 May 2020 (Case No. I ZR 7/16) (only in Ger­man),  as well as the ECJ Judgment of 1 Octo­ber 2019 in the “Planet49” case (Case No. C‑673/17)  a year befo­re, web­site ope­ra­tors requi­re the user’s free and acti­ve con­sent in order to store non-essential coo­kies and track­ing mecha­nisms in the user’s brow­ser or device. The rele­vant sta­tu­te gover­ning this con­sent requi­re­ment is § 15(3) of the Ger­man Tele­me­dia Act (only in Ger­man) in con­junc­tion with Artic­le 5(3) of the E‑Privacy Direc­ti­ve, not the GDPR. Nevert­hel­ess, the super­vi­so­ry aut­ho­ri­ties app­ly the same sub­stan­ti­ve stan­dards for con­sent and stress in the cover let­ter (only in Ger­man) to their request for infor­ma­ti­on that free and acti­ve con­sent is requi­red. Accor­din­gly, web­site ope­ra­tors can­not satis­fy the cur­rent legal requi­re­ments by mere­ly allo­wing users to opt out or inter­pre­ting con­tin­ued use of the web­site as con­sent. In addi­ti­on, the Act Regu­la­ting Data Pro­tec­tion and Pro­tec­tion of Pri­va­cy in Tele­com­mu­ni­ca­ti­ons and Tele­me­dia (only in Ger­man) takes effect on 1 Decem­ber 2021, and con­ta­ins pro­vi­si­ons of its own about the form which con­sent must take. It remains to be seen how the new pro­vi­si­ons will be imple­men­ted in practice.

Our cri­ti­cism of the aut­ho­ri­ties’ investigation

It is typi­cal­ly easy for users to see that the web­site ope­ra­tor is try­ing to obtain their lawful con­sent given the pro­mi­nent pla­ce­ment of coo­kie ban­ners, which are some­ti­mes hard to over­look. But the super­vi­so­ry aut­ho­ri­ties cite this very design of the ban­ners in online media as a defect: “mani­pu­la­ti­on of users: the design of the con­sent ban­ners dis­plays num­e­rous forms of ’nud­ging,’ mea­ning that users are sub­li­mi­nal­ly pres­su­red to con­sent e.g. by making the ‘con­sent’ but­ton a color which stands out more than the ‘refu­se’ but­ton, or by making the pro­cess of refu­sing con­sent need­less­ly com­pli­ca­ted.” The aut­ho­ri­ties’ cri­ti­cism of “nud­ging,” i.e. crea­ting an incen­ti­ve for the user to act in a cer­tain way, is too strong, in our view. Spe­ci­fi­cal­ly, they cri­ti­ci­ze nud­ging in all its forms, but neither the GDPR not the E‑Privacy Direc­ti­ve or the Ger­man Tele­me­dia Act estab­lish direct gui­de­lines in this regard or pro­hi­bit web­site ope­ra­tors from gui­ding users in any way. Con­trol­lers should of cour­se make it clear to users that they have the right to con­sent or object, but crea­ting a visu­al incen­ti­ve to do so does not neces­s­a­ri­ly con­flict with this objective.


Coo­kies and track­ing by third-party pro­vi­ders are still a cur­rent topic for super­vi­so­ry aut­ho­ri­ties pre­cis­e­ly becau­se we have yet to find a spe­ci­fic best-practice solu­ti­on which pro­vi­des the grea­test pos­si­ble bene­fit for both web­site ope­ra­tors and users. It remains to be seen whe­ther the super­vi­so­ry aut­ho­ri­ties will take their fin­dings as a reason to expand their inves­ti­ga­ti­on to other sec­tors of the com­pa­ny and to con­ti­nue to edu­ca­te the public about the use of cookies.

Should you recei­ve a let­ter from your super­vi­so­ry aut­ho­ri­ty (the aut­ho­ri­ties are now sen­ding out requests for infor­ma­ti­on rela­ting to third-country trans­fers), do not let your fear of pos­si­ble fines or pen­al­ties dri­ve you to reve­al ever­y­thing wit­hout thin­king. Ins­tead, fol­low our recom­men­da­ti­ons.

Moreo­ver, the gene­ral rule appli­es here as well: pre­ven­ti­on is bet­ter than reac­tion. Keep the docu­men­ta­ti­on of your data flows as up-to-date as pos­si­ble, in con­sul­ta­ti­on with your data pro­tec­tion offi­cer, and keep in mind what the data pro­tec­tion aut­ho­ri­ties are curr­ent­ly focu­sing on. We would be glad to help you with docu­men­ta­ti­on and posi­tio­ning yours­elf so as to con­form with data pro­tec­tion law. If a request for infor­ma­ti­on nevert­hel­ess arri­ves in your mail­box, our exten­si­ve expe­ri­ence deal­ing with super­vi­so­ry aut­ho­ri­ties places us in an ide­al posi­ti­on to effec­tively advi­se you about what steps to take next.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.