Cookie banners – an evergreen issue in data protection
Cookie banners are omnipresent on the internet: almost every website asks its visitors for consent for the use of tracking cookies and the processing of personal user data for advertising purposes. The GDPR and TTDSG place stringent requirements on this consent. Due to their prevalence and relevance under data protection law, it is therefore not surprising that cookie banners are regularly the focus of the supervisory authorities. For example, the cross-border and coordinated audit of websites publishers with large reach two years ago.
A recurring topic is the compliant design of cookie banners, because this influences whether consent is legally correctly obtained or not. In particular, it is examined whether the cookie banner allows the visitor to make an informed and voluntary decision regarding the setting of cookies or the processing of their data. The supervisory authorities shared guidelines. Only recently, the German Data Protection Conference concretised these requirements in the updated orientation guide for telemedia providers.
Munich Regional Court I: No valid consents via the cookie banner on „Focus Online“
The recent, as yet unpublished judgement of the Munich Regional Court I (Case No. 33 O 14776/19) against the operator of Focus Online shows what a cookie banner should not look like. The case was brought by the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband), which has also filed a case against four other publishing houses.
In its decision, the Regional Court of Munich I states that the cookie banner on Focus Online used at the time the action was filed in 2019 was not suitable for obtaining informed and voluntary consent from users. The two main points of criticism:
- too much (!) information: The judgment contains 141 (!) pages with screenshots of the cookie banners at the relevant time in 2019. In the court’s view, such a large amount of information cannot reasonably be grasped by an average visitor.
- Effort of refusal too high (no “refuse all” button): The operator had defended itself by saying that the law does not explicitly provide that visitors can already refuse all data processing with one click on the first level of a cookie banner and would instead have become accustomed to the “two-level” nature of banners. The court ruled that in the case of the banner on Focus-Online, it took too much of the visitor’s time to refuse consent.
Not an appeal of “legitimate interests” for analysis and advertising purposes
Furthermore, the Munich Regional Court commented on the question of whether the tracking of user behaviour for analysis and advertising purposes can (alternatively) be based on legitimate interests – and thus no consent is required at all. However, the court rejected this. The financing interest of journalistic content, as presented by the operator, is not sufficient for this.
Likewise, the court ruled that the cookies used for such tracking cannot be classified as “strictly necessary” for the operation of the website – they therefore require consent.
Impact of the ruling: Cookie banner on Focus Online based on TCF standard
Finally, it should be mentioned that the cookie banner of Focus Online is based on the widely used Transparency and Consent Framework (TCF) of the industry organisation IAB Europe. This had been declared inadmissible by the responsible Belgian data protection authority.
One characteristic of the TCF is that with one click, a visitor’s consent is collected for dozens or sometimes more than a hundred advertising service providers (vendors)- which probably also explains in this ruling why the cookie banner of Focus Online had such a large volume of information. However, this is exactly what the court defined problematic.
Outlook
It is fundamental for a designing a legally compliant cookie banner the compliance with the requirements for consent according to GDPR and TTDSG. If these requirements are not met, legitimate interests cannot be invoked, especially when tracking visitors or using personal advertising.
The website operator has already announced that it will appeal against the ruling. Until a legally binding decision, the realisation remains that one’s own data protection compliance should not neglect the topic of cookie banners. Large providers such as Google, Amazon, and national companies are increasingly being targeted by the supervisory authorities.
This can be challenging for companies with a large number of data processing operations on their own website. Unfortunately, industry standards such as the TCF do not currently help. In any case, the use of the TCF does not automatically mean that one is data protection compliant.
We will be happy to assist you with questions regarding the design of your cookie banner, the TCF and all other data protection-related topics.
(Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte)