On November 14, 2019, the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit, “BBDI”) released a statement regarding the use of Google Analytics and similar products which involve collection of data concerning the behavior of website users and transmission of such data to the respective third-party provider for use for its own purposes. According to the BBDI, use of such third-party services is only admissible with the consent of the respective website users.
The Data Protection Conference (Datenschutzkonferenz, “DSK”), the joint body of the data protection supervisory authorities in Germany, already described the legal requirements for the use of tracking and analysis tools under the GDPR in its "Orientation Guide for Telemedia Providers" (Orientierungshilfe für Anbieter von Telemedien) published in April 2019. This refers in particular to online tools which collect personal data about user behavior and transfer them to the respective third-party provider, allowing the third-party provider to then use the received data for its own purposes. According to the DSK, use of such tracking and analysis tools provided by third-party providers requires the users’ consent.
In connection with this, the BBDI explicitly emphasizes that many website operators continue to use such tracking and analysis tools without obtaining consent in accordance with the provisions of the GDPR. This especially applies to the use of Google Analytics. The BBDI indicates that the use of this service in its current form explicitly requires consent, as Google processes the collected data for its own purposes. According to the BBDI, the same applies to services similar to Google Analytics.
In view of the DSK Orientation Guide, the recently published opinion of the BBDI is no surprise, and it must be assumed that other supervisory authorities will also review the use of tracking and analysis tools with increased intensity. As shown by the press release from the BBDI, it is not excluded that use of such services can be subject to fines if it does not comply with the legal requirements set forth in the GDPR.
In this context, it should be indicated once again that the BBDI does not require consent for all tracking and analysis tools, but rather only for services where the collected data is transferred to a third-party provider so that it can then process this data for its own purposes (e.g. for providing user-specific advertisement on other websites). This also corresponds to the viewpoint of the DSK. In the Orientation Guide mentioned above, the DSK indicates that the use of certain online tools can also be based on a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. However, application of Art. 6 para. 1 lit. f GDPR requires a detailed weighing of interests for the benefit of the website operator, in which the scope of data processing and its predictability for the users play an important role.
In addition, it is important to highlight that use of online tools may also be subject to the rules of Directive 2002/58/EC (the so-called “e-Privacy Directive”). In Germany, in particular after the "Planet49" decision of the CJEU (judgment of October 01, 2019, case C-673/17), it is disputed to what extent the regulations of the e-Privacy Directive implemented in the German Telemedia Act (Telemediengesetz, “TMG”) are at all applicable and whether they might be fully superseded by the GDPR. For instance, in other member states of the EU that have precisely implemented the rules of the e-Privacy Directive, there are also strict standards for the use of online tools which involve the setting of so-called cookies. According to these provisions, all cookies require consent, unless they are absolutely necessary for the provision of the website (cf. Art. 5 para. 3 of the e-Privacy Directive). For example, this is the case for cookies that are implemented for the provision of a shopping cart function in an online shop. In contrast, cookies that are used in the context of tracking and analysis tools are not absolutely necessary for the operation of the website according to general opinion, and, therefore, require consent under the strictures of the e-Privacy Directive.
We therefore recommend that website operators carefully review the tools that they use and, if not already done, obtain consent if necessary. In this regard, it should also be noted that the use of a service which is subject to consent is only permissible if the consent has effectively been issued by the respective user. Until this time, processing may not occur, and a cookie that requires consent may only be set after consent has been issued.
Regarding the form of consent, the CJEU’s statements in the “Planet49” judgment cited above should be noted as well. This means that effective consent requires an unambiguous action of confirmation, such as through actively clicking a box in a consent template on the website. In contrast, a box that is already checked off or the inactivity of the user cannot establish effective consent in the sense of the GDPR. Accordingly, cookie banners which seek to establish consent simply through a user having surfed on a website are not admissible.
Furthermore, the consent must be issued in an informed manner. This means that website operators must provide information about the type and scope of data processing in connection with the respective tracking and analysis tools used in their privacy policies. If cookies are used by the respective services, the user must also be informed of the functionality and service life of these cookies.