What website operators need to know about the cookie notice obligation
When redesigning or revising a website, the first questions that arise concern content and design. At the same time, website operators are confronted with the often tiresome topics of data protection notices, cookies, third-country transfers and consent banners. Our advisory experience shows that there is a lot of uncertainty in this area. In addition, new provisions of the Telecommunications Digital Services Data Protection Act (TDDDG) have been in force since December 1, 2021. This is reason enough to take a closer look at the legal framework for data processing on websites.
A wealth of website visitor data is processed when a website is operated. The browser transmits data - such as the IP address - to the server simply by accessing a website. For example, if someone fills out a contact form, the data entered is also transmitted.
Depending on the range of functions and services used, cookies are also regularly involved. Cookies are text files or database entries that are stored on the website visitor's device and assigned to the browser used. They can be used, for example, to ensure that a shopping cart filled in an online store is still populated on the next visit, or to analyze visitor behavior.
The legality of data processing is primarily based on the provisions of the TDDDG and the General Data Protection Regulation (GDPR).
With the TDDDG, the German legislator has implemented the European requirements of the ePrivacy Directive. Among other things, the TDDDG regulates the protection of privacy when using terminal equipment, regardless of whether or not there is a personal reference. Section 25 TDDDG is of particular importance for website operators.
If information is stored in the terminal equipment of website visitors (e.g. PC or tablet), the consent of the data subjects is generally required. This is particularly the case when cookies are set. Consent is also required if access is made to information that is already stored in the terminal equipment (Section 25 (1) sentence 1 TDDDG).
However, there are two exceptions to the principle of requiring consent in Section 25 (2) TDDDG, with No. 2 being relevant for websites. According to this, consent is not required if storage or access is absolutely necessary and users expressly wish to use the digital service (the website).
The following are regularly regarded as strictly necessary cookies, which therefore do not require consent: "shopping cart cookies" and the use of cookies or comparable technologies for authentication or storage of user preferences. Cookies and technologies that are used solely for marketing and advertising purposes of online offers are generally not absolutely necessary.
The GDPR serves to protect natural persons with regard to the processing of personal data. Art. 6 GDPR establishes a prohibition subject to permission: the processing of personal data is generally prohibited unless the provisions of the GDPR or other legal regulations permit or require it, or the data subject has consented to the processing.
The exact delimitation of the scope of application of the TDDDG and the GDPR has not been finally clarified even among lawyers and would go beyond the scope of this article. There are two points to remember in practice. Firstly, consent under the TDDDG can generally be obtained at the same time as consent under data protection law. Secondly, as a rule - in the area of cookies and similar technologies - no consent will be required under the GDPR, unless such consent is required under the TDDDG.
We recently reported on the use of Google Fonts. With reference to a recent decision by Munich Regional Court, extreme caution is required here.
In the opinion of the Munich Regional Court (judgment of 20.01.2022, Ref.: 3 O 17493/20), the use of Google Fonts cannot be based on a legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR under data protection law if the IP address of website visitors is transmitted to Google in the USA. The subject of the decision was the use of Google Fonts on the defendant's website. Google Fonts is an interactive directory with over 1,300 fonts provided by Google LLC for free use. In order for a font to be displayed correctly when a website is accessed, it must be made available to website visitors. Google Fonts offers a convenient solution in this respect: when the website is accessed, a connection to Google's servers is established and fonts are loaded automatically.
The defendant had also chosen this method. The problem with this design is that the IP address of users is transmitted to Google - including the IP address of the plaintiff. In its ruling, the Munich Regional Court first clarified that dynamic IP addresses are personal data for website operators. Furthermore, the Munich Regional Court ruled that the transfer of personal data could not be based on a legitimate interest of the operator within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR. This was not the case, as fonts could also be integrated locally on the operator's own server and it was therefore not necessary to transmit the IP addresses to Google. In this context, the Munich Regional Court also clarified that users are under no obligation to conceal their IP address.
The court ultimately found that the plaintiff's right to informational self-determination had been violated and ordered the defendant to refrain from disclosing the IP address to Google. It also awarded the plaintiff damages in the amount of €100.00. Website operators who use Google Fonts should definitely check whether a connection to Google's servers is established when the website is accessed. If this is the case, this practice should be discontinued. The good news is that fonts can still be provided without transmitting data to Google: instead of loading them from Google's servers, the Google fonts used can be downloaded and hosted locally on your own server. Consent is not required in this case.
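As an added, hypothetical check that is not part of the article: the Python script below statically scans a page's HTML and CSS for references to the two hosts Google's own embed snippet uses (fonts.googleapis.com for the CSS, fonts.gstatic.com for the font files). It flags the remote embed described above and passes a locally hosted @font-face; both sample pages are constructed for the example, and fonts injected by JavaScript are out of its scope.

```python
import re
from html.parser import HTMLParser

# Hosts used by the Google Fonts embed code (CSS and font files respectively).
# Any reference to them makes the visitor's browser, and so their IP, contact Google.
GOOGLE_FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")
# Absolute or protocol-relative URLs inside CSS text: url(...), @import "..."
_ABS_URL_RE = re.compile(r"(?:https?:)?//[^\s'\")(;]+")


class _ExternalRefCollector(HTMLParser):
    """Collect URLs from <link href>, <style> blocks and style attributes (not JS)."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):   # stylesheet / preconnect / preload
            self.urls.append(a["href"])
        elif tag == "style":
            self._in_style = True
        if a.get("style"):                     # inline style="...url(...)"
            self.urls.extend(_ABS_URL_RE.findall(a["style"]))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                     # @import / @font-face src in <style>
            self.urls.extend(_ABS_URL_RE.findall(data))


def google_font_references(html: str) -> list[str]:
    """Return every URL in the page that points at a Google Fonts host."""
    collector = _ExternalRefCollector()
    collector.feed(html)
    collector.close()
    return [u for u in collector.urls if any(h in u.lower() for h in GOOGLE_FONT_HOSTS)]


# Constructed sample pages: Google's embed code versus a locally hosted font.
REMOTE_PAGE = """<!doctype html><html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<style>@import url('https://fonts.googleapis.com/css?family=Lato');</style>
</head><body><p style="font-family:Roboto">Hello</p></body></html>"""
LOCAL_PAGE = """<!doctype html><html><head><style>
@font-face { font-family: Roboto; src: url("/fonts/roboto.woff2") format("woff2"); }
body { font-family: Roboto, sans-serif; }</style></head><body><p>Hello</p></body></html>"""
```

Run `google_font_references` over the saved HTML of each page template; an empty result for every template is what the locally hosted setup should produce.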
If the consent of data subjects is required under the TDDDG or the GDPR, the implementation of a consent management system together with a consent banner ("cookie banner") is generally required. This can ensure that data subjects give effective consent.
According to Art. 4 No. 11 GDPR, "consent" of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
In practice, however, cookie banners often have numerous shortcomings. If inadequate solutions are used, there is a risk that consent will be ineffective and data processing will be unlawful.
The data protection authority responsible in NRW - the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia - found during an audit of websites in 2021 that most of the websites audited did not comply with the legal requirements for the use of cookies and other tracking technologies. In our experience, cookies are often set before consent has been given. In some cases, users are not given a real choice or the rejection of cookies is only possible via detours. In addition, users are manipulated via the design of the banner and thus subliminally urged to give their consent (so-called nudging).
Website operators must inform data subjects in accordance with Art. 12 et seq. GDPR about the processing of personal data. For this purpose, data protection notices should be kept available which cover the data processing that takes place on the website. If a new service is added, the data protection information should also be supplemented/revised accordingly.
Website operators should note the following for legally compliant data processing on their own website:
1. Check which data is processed as part of the operation of your website. Functions and services that on closer inspection turn out not to be used can often be deactivated, which ends the associated data processing.
2. Check whether consent is required for the remaining processing. If so, a consent management solution and banner should generally be implemented.
3. If data is transferred to third countries outside the EU/EEA - for example when using US service providers - particular caution is required. The use of these services should be reviewed.
This information is of course no substitute for technical support in setting up the website or for a legal review in individual cases.
Lawyer Tröber is a specialist lawyer for IT law and has been working in all areas of information technology law for around 25 years. You can find his law firm, which specializes in IT law, intellectual property law and data protection law, here.
We will be happy to look after your website, answer your questions about the "cookie notice" and carry out the adjustments to the cookie banner directly and easily. We look forward to your inquiry!