Update Data Protection No. 102
Coordinated investigation by the German regulatory authorities
- Incorrect sequence: Cookies are already set before consent is given.
- Missing information: The information about the Cookies and tools used is incomplete.
- Insufficient scope of consent: Cookies and tools are active despite denied consent.
- No simple rejection: There is no 'Reject all cookies' option at the first level of the cookie banner or any other simple option to close the cookie banner without granting consent.
- User manipulation: Users are subliminally urged to give their consent, for example, by a colored highlighting of the 'Accept' button (so-called 'nudging').
Finally, the authorities also indicate that they will actively exert influence on the companies in order to establish data protection-compliant conditions; if necessary, this could also include the use of supervisory authority expertise. The prohibition of certain tracking tools or the imposition of fines cannot be ruled out here. As far as can be seen, the investigation has not yet led to any regulatory measures.
With regard to the further points of criticism in items 4 and 5, the following should be noted:
- 'Reject button' at the first level: while various supervisory authorities in the EU, for example, in the UK and France, take the position that there must also be a 'Reject all cookies' button next to any 'Accept all cookies' button at the first level of a cookie banner, the German supervisory authorities and the Datenschutzkonferenz [German Data Protection Conference] have kept silent in the past with regard to this point. From the published press releases, it can be seen that the German supervisory authorities involved in the investigation are now also tending towards this point of view. It is therefore to be expected that the German authorities involved will also enforce this view against providers of telemedia in future. It should be noted, however, that this point has not yet been decided by a higher court and that not all individual supervisory authorities in the EU necessarily require a 'Reject all cookies' button at the first level. Against this background, it is advisable to keep an eye on further developments. If, on the other hand, website operators want to avoid regulatory proceedings, it is advisable to follow the opinion of the authorities involved in the investigation and to include a 'Reject all cookies' button at the first level of the cookie banner.
Conclusion and recommendation
The investigation and evaluation by the authorities contain relevant information with regard to several points, while for other points, there is merely a positioning with regard to unresolved legal issues. In addition, many detailed questions remain open. In such cases, it would be desirable for the German supervisory authorities and the Datenschutzkonferenz to take a clear position. However, looking at the current status, a relevant statement from the authorities is not expected to be issued before winter 2021. Those close to the authorities say that the introduction of the new Telekommunikations-Datenschutzgesetz [German Telecommunications-Telemedia Data Protection Act (TTDSG)] is to be expected. In the meantime, it is advisable to check the legal conformity of the specific Cookies and tools used for the points stated and to determine possible scope for argumentation by means of a risk decision. This applies in particular with regard to the integration of a 'Reject all cookies' button and the different colored designs of the buttons used in the cookie banner or CMP.