Current legal situation regarding the use of tracking tools on websites

The validity of cookie banners commonly used on websites these days is in doubt. Cookie banners are used on websites to obtain the required consent under the German Telecommunications Telemedia Data Protection Act (TTDSG) or the General Data Protection Regulation (GDPR). However, Munich Regional Court I has now ruled that the cookie banner on Focus-Online, which the operator believes is customary in the market, violates the TTDSG and is therefore inadmissible (Case No.: 33 O14776/19). In light of this potentially landmark decision, it is unclear whether the now common practice of making use of the (publishing company’s) website dependent on consent to cookies and, in the event of refusal, requiring a subscription for use, is legally compliant. At the end of this data protection update, you will find information on how companies should act now.

A. Background

Most websites track users, for example by using cookies. Cookies are small text files that are stored in the browser by means of a characteristic string of characters, allowing user-related information to be channelled to the entity placing the cookies. These may be the website's own cookies or third-party cookies (e.g. Google Analytics). On the one hand, these may be necessary to ensure the technical functions of the website. There is no consent requirement for cookies that are absolutely technically necessary (Art. 6 (1) (f) GDPR; Section 25 para. 2 no. 2 TTDSG). On the other hand, cookies that are not technically necessary are also used to improve the user experience, advertise, or improve the interactivity of the website. In principle, these require consent (First sentence of Section 25 para. 1 TTDSG). Cookie banners are regularly used to obtain the consent of the respective user, but this often does not meet the requirements for legal compliance.

The data protection supervisory authorities particularly emphasize the need for the express consent of the user concerned.

• The Berlin Commissioner for Data Protection and Information Security criticizes the fact that consent by means of cookie banners regularly fails to meet the requirements for the voluntary and informed consent of users, especially when the consent requests are embedded in incomplete or misleading information and captions. It must be just as easy for users to refuse tracking as to consent to it (State Commissioner for Data Protection and Freedom of Information (LfDI) Berlin, press release dated August 9, 2021).
• The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) goes one step further and considers cookie banners insufficient for a privacy-compliant declaration of consent (BfDI, press release dated November 14, 2019).
• The Belgian data protection authority also classifies today's leading standard for cookie banners as inadmissible (Belgian Data Protection Authority, February 2, 2022).
• The Rostock Regional Court has also ruled similarly, deeming the pre-set consent (“opt-out”) insufficient for effective consent (Rostock Regional Court, August 11, 2020).

B. Decision of the Munich Regional Court

The use of cookie banners to request consent is also common on the websites of newspaper publishing companies. As early as 2020, a large number of supervisory authorities announced a cross-border audit of tracking technologies on websites of newspaper publishing companies (LfDI Baden-Württemberg, August 19, 2020). At the same time, the Federation of German Consumer Organizations (VZBV) instigated a series of court proceedings on the question as to how permissible cookie banners on websites are.

Munich Regional Court I ruled as the court of first instance in such proceedings for the first time in late November (Case No.: 33 O14776/19), not disclosed until December 19, 2022: The cookie banner used on FocusOnline violates the TTDSG. If there is a lack of clear and differing design in the cookie banner consent request, then cross-domain records of user behavior for analysis and marketing purposes are inadmissible.

In particular, VZBV criticized Burda's "two-step" approach. First, a pop-up window opens. This either allows consent to cookie collection or more detailed settings. VZBV also accused Burda of collecting personal data despite users refusing to provide consent at the first level.

I. Voluntary nature of consent

Specifically, Munich Regional Court I stated that the cookie banner comprising 141 pages which was the subject of the proceedings was not suitable for obtaining the informed and voluntary consent of users. On the one hand, the cookie banner in question was far too extensive. The average consumer does not appreciate long documents to the extent that voluntary consent may be assumed. The court states that voluntary consent only exists if the user actually has a choice. However, there is only a choice if consent may be refused without disadvantage. In view of the speed of the Internet and the 141-page cookie banner in question, users would suffer considerable disadvantage if they wished to refuse consent. In the view of the court, this is reinforced by the use of what are known as dark patterns, whereby the "Accept" button is moved to the foreground, in color. This is obviously the fastest way for users to use the website. The court rejected Burda's argument that such cookie banners were customary in the market and that consumers knew what they were getting into without actually having to take note of all the pages of the cookie banner.

What is more, the court did not view Burda's response, that the cookie banner used was based on the Transparency and Consent Framework TCF of the advertising organization IAB Europe, satisfying the legal requirements, as valid. The Belgian data protection authority declared the TCF inadmissible back in February (Belgian Data Protection Authority, February 2, 2022). Munich Regional Court I has now made a similar ruling. Personal information is collected within the TCF with the consent of users being passed on to several hundred third parties via a single click, as identification is possible through the transmission of the IP address.

In the view of the court, the necessary express consent cannot be obtained via the cookie banner used by Burda.

II. No legitimate interest as an exception to the consent requirement

Nor, according to the court, is there any exception tothe consent requirement. Even though publishing companies complain that it would scarcely be possible to refinance journalistic content without data processing, these are purely subjective interests. This is not covered by the exceptions of Section 25 para. 2 TTDSG, however. Cookies used for cross-domain tracking for analysis and marketing purposes are not technically essential for the operation of a news portal.

C. Recommended action

The decision of Munich Regional Court I is not yet final and absolute. Burda has announced that it will appeal the ruling. Despite the possibility of successfully challenging the decision of Munich Regional Court I in the second instance, there is an urgent need for companies to design cookie banners in an undoubtedly legally-compliant manner. Violations may result in the imposition of fines.

We recommend the following measures to ensure that companies’ consent requests on websites are legally compliant:

(1) To start with, standards arising from practice, such as the TCF, cannot be used without hesitation and should therefore not be used;

(2) Checks as to whether use of the cookies in question requires consent. There are exceptions pursuant to Section 25 para. 2 TTDSG:

• If no consent is required, then a description in the privacy notices of the specific processing by the tools used is all that is necessary.
• In contrast, consent is generally required for the use of cookies that are not technically necessary.

(3) If consent is required, the following requirements must be observed in particular:

• No data sharing before consent: Ensure via technical means that there is no further tracking and no unnecessary cookies are stored in the user's browser while the cookie banner is displayed;
• No restriction of access to legal notice or privacy policy due to cookie banners;
• No opt-out of the consent request; an opt-in procedure must be used, i.e. consent must be actively declared (the relevant box must be checked on the website);
• No highlighting in color (“dark patterns”) of the "Accept" button;
• Rejection must be just as easily accessible and possible with as little effort as accepting the cookie banner;
• Normal user behavior, such as scrolling down, may not be interpreted as consent;
• Comprehensive transparency must be maintained in the privacy statement with regard to the purposes of the processing, so there must be a separate chapter for each tool used;
• Clear, distinct, and understandable wording. Even long cookie documents can thus be legally compliant; however, in view of the ruling of Munich Regional Court I, the information in the cookie banner must be reduced to the necessary minimum level of transparency and information.
• Reference to the option to revoke. This declaration must be as simple as the consent declaration;
• Checks as to whether the technical design of the cookie banner is consistent with the information in the privacy policy.

D. Conclusion

The specific design of the consent request on websites essentially depends on the individual circumstances, in particular the choice of tracking tools used. We have developed a website compliance concept for appropriate and case-specific advice which includes a case-specific analysis of the website, ascertainment of the (tracking) tools used, and, above all, an examination of how legally compliant the use of these tools is (e.g. Google Analytics). Please do not hesitate to contact us. Following the above ruling, the question remains as to whether the current approach of the major publishing companies, which makes it mandatory for users to decide between general consent to the use of tracking tools and the conclusion of a separate subscription, is permissible. However, there is now a first-instance court decision regarding the design of cookie banners, at least, meaning that the operators of such platforms with subscription services must react.