The ePrivacy Regulation through the back door: tracking only with consent?

Even at the end of the first quarter of 2019, there is no agreement on the ePrivacy Regulation in sight at European level: In the search for a compromise, the European Council has merely submitted new discussion papers. Meanwhile, it cannot be assumed that it will enter into force before 2020 and that it will be implemented within a further two years. Thus, the ePrivacy Regulation originally planned as a “sister law” to the GDPR will be delayed by at least three and a half years.
This leaves the question open as to whether the ePrivacy Regulation will require users’ consent (i.e. a genuine opt-in) for cookies and other tracking mechanisms used for advertising purposes.
We have already informed about the position of the German supervisory authorities in cases of tracking for advertising purposes on the basis of existing law (i.e. the GDPR and the German Telemedia Act). Now the signs for an “anticipatory implementation” of the ePrivacy Regulation by the (German) supervisory authorities with the means of the GDPR are intensifying.

The German Data Protection Conference position paper

In April 2018, the German Data Protection Conference, which is composed of the data protection authorities of the federal and state governments, issued a position paper stating that, in its opinion, the legal basis for the use of tracking mechanisms for advertising purposes is not a legitimate interest of the advertiser, but merely the consent (opt-in) of the user.
Of course, such a position paper is only a public authority “opinion”. It does not have any real legal effect, such as a court decision or a law. Nevertheless, it clarifies the position of data protection authorities with regard to the interpretation of existing law. However, a follow-up paper announced for the end of 2018 remains to be seen.

The Bavarian State Office for Data Protection Supervision now announces “consequences”

At the beginning of February, the Bavarian State Office for Data Protection Supervision (BayLDA) announced that it would actually take action against tracking for advertising purposes on the basis of the GDPR, provided that this is done without the user’s consent.
On the occasion of “Safer Internet Day”, the BayLDA published the results of an investigation of 40 “Bavarian” websites into their GDPR conformity. The BayLDA assumed without further explanation that the use of tracking tools not only required information in a data protection declaration, but also the consent of the visitors.
In a further step, the BayLDA made it clear that the required consent does not have to take the form of an informational “cookie banner” (originally based on the British model), which is already widely used today, but rather in the form of a “consent popup”, which asks for real consent in the sense of Art. 7 GDPR. (By the way, the supervisory authorities in Austria and the Netherlands seem to see this in a similar way).
In the opinion of the BayLDA, the “cookie banners” frequently used so far are not sufficient for the allegedly required consent (source: BayLDA).

The BayLDA announced that it would “examine” the imposition of fines for violation of this assumed GDPR violation. The data protection authority of Lower Saxony is hearing something similar; from Hesse, on the other hand, it is announced that a uniform position must first be found. There have been no decisions in this respect so far.

Our assessment

As already indicated, this unexpectedly clear position of the Bavarian supervisory authority is still astonishing, since, firstly, the GDPR expressly recognises legitimate interests as a legal basis for online marketing in recital 47 (old version) and, secondly, the discussion about a change in this legal status through the ePrivacy Regulation continues as described. We therefore recommend continuing to rely on the “conventional” solution with a simple opt-out notice in the privacy policy.
With regard to the position of the BayLDA, which outragedly states that 40 out of 40 websites examined do not comply with the alleged tracking requirements of the GDPR, the well-known joke of the wrong-way driver on the motorway should be mentioned, who hears on the radio how he is warned about and asks himself with regard to the cars on his way: “A wrong-way driver? Hundreds! It remains to be hoped that the BayLDA will take hold of its own forehead and reconsider its own position until an agreement has been reached on the ePrivacy Regulation.