Even in the past, the use of such cookies and tracking tools was the subject of much debate since, in the opinion of many, Germany has not fully and more importantly correctly implemented the so-called Cookie or E-Privacy Directive (Directive 2002/58/EC). As a result, website providers frequently asked themselves the question for example whether there was previously a need to obtain consent (opt-in) from the users in Germany, or whether it was sufficient to add information in the form of a so-called cookie banner, drawing the attention of the website user to the possibility of objecting to the tracking (opt-out).
The opinion that tracking requires such express consent - which must satisfy the criteria of Art. 7 GDPR - is now supported by the German supervisory authorities in a position statement of the Conference of Independent Data Protection Authorities of the German Federation and Länder ("DSK") dated April 26, 2018. Specifically, the DSK assumes that the previous regulations of the TMG are replaced by the requirements of the GDPR. Consequently, Art. 6 (1) GDPR is the legal basis for processing of personal data in the online sector. However, the DSK is of the opinion that only consent can be considered as legal basis for the use of tracking mechanisms that make the internet conduct of users traceable and for creating user profiles.
For companies, this means that the use of tracking tools on their websites must be subjected to a thorough check. If tracking is not possible in anonymized form - this is typically not the case if the tracking is for the purpose of planning advertising campaigns - companies must check the specific form of tracking. Generally speaking, the argument that every form of tracking requires consent, as called for by the DSK, appears less than convincing. It is by all means also conceivable that, depending on the nature and scope of the tracking, other legal basis, most importantly Art. 6 (1) lit. f) GDPR, can be used. However, it must be noted that the supervisory authorities object to the use of the tracking tools in their position statement, and might therefore try to impose fines consent not being obtained. Because the question of directive-conform implementation of Directive 2002/58/EC in Germany remains unanswered, the substantial fines possible under the GDPR mean that companies must consider very carefully whether they wish to risk a dispute with the German supervisory authorities.
One can only hope that the European lawmakers will soon conclude the negotiations concerning the E-Privacy Regulation in order to remove this legal uncertainty.