In May 2020, German cookie laws changed after the Court of Justice directed the DSK to adopt GDPR (DSGVO) requirements in its enforcement actions going forward.
This requirement followed the European Union's Court of Justice (CJEU) ruling in the Planet 49 case, after the Court of Justice in Germany referred this case to the regional court.
Additionally, the German Court of Justice's determination expanded the scope of the German Data Protection Conference's (DSK) guidelines on the use of website cookies, which were published on April 5, 2019.
Basically, the DSK's consent guidelines published in 2019 focused on applying the German Telemedia Act (TMG) to telemedia activities, such as employing website cookies for targeted advertising, after the GDPR (DSGVO) came into effect.
Specifically, the DSK's cookie guidelines clarified and improved the previous statement on the use of website cookies released in April 2018, prior to the adoption of the General Data Protection Regulation (DSGVO).
Other Data Protection Authorities (DPAs) that have recently released similar cookie guidelines include:
With this in mind, let us explore what it takes to obtain valid GDPR and ePrivacy Directive-compliant cookie consent for your German website.
- GDPR (DSGVO) Requirements Overview
- ePrivacy Directive and Cookie Consent
- The ePrivacy Directive and Planet 49 case
- DSK Cookie Consent Guidelines
- Penalties for non-compliance with German DSK cookie consent guidelines
- German DSK’s cookie consent guidelines’ compliance with Secure Privacy
GDPR Requirements Overview
Adopted in May 2018, the EU’s General Data Protection Regulation introduced strict regulations on how you collect and process the data of EU citizens.
Personal data in this context refers to information that can be used to identify an individual, such as:
- A user’s name
- Phone number
- Location data
- IP Address
Based on this understanding, the chief principles of the GDPR are:
- Limit the data you collect to what you really need
Ensure you know all the categories of personal information you gather to avoid collecting unnecessary data.
- Store data only for as long as necessary
You should implement appropriate retention periods for your users' data and delete it when it is no longer necessary.
- Avoid keeping personal data without obtaining valid cookie consent from your users
Obtain clear and affirmative consent from your website visitors before placing cookies on their devices to gather their personal information.
Under the GDPR, the only exception you get under this requirement is when you collect personal data that is absolutely necessary to make
- Exercise transparency when it comes to the data you collect from users
You should reveal the types of personal data you collect, the reasons for collecting it, and who are the recipients of the personal information you collect.
- Use the personal information you collect strictly for the stated purposes
- Ensure that you keep your users’ personal data secure from breaches
- Provide your users a way to delete their account, as well as modify or erase their data
Check out these extra resources to learn more about what you need to do to comply with the GDPR.
ePrivacy Directive and Cookie Consent
In layman’s terms, the ePrivacy Directive states that if you want to access the personal information of your website user by placing cookies on his/her device, you need to seek consent from him/her first.
For you to be considered as having gained valid cookie consent under the ePrivacy Directive, the consent must be:
- Freely given
- A clear indication of your user's wishes
The only exception to this requirement is when access to such information is for strictly necessary reasons such as offering an Electronic Communications Service (ECS) or an Information Society Service (ISS).
However, the key challenge when it comes to the enforcement of the consent requirements in the EU cookie law is that it has been interpreted by most Data Protection Authorities (DPAs) across European countries as a directive for having a simple consent banner on your website.
Similarly, in Germany’s case, this section of the ePrivacy Directive was not being enforced by the German Data Protection Conference (DSK) – the umbrella body of state DPAs.
Why? Because the regulators held the view that the requirements under this clause already existed in the German Telemedia Act (Telemediengesetz) (TMG).
However, all this changed in May 2020 after the European Court of Justice’s (CJEU) ruling in the case involving Planet 49’s use of advertising cookies after the German Court of Justice sought a clarification from the EU’s top court.
ePrivacy Directive and Planet 49 Case
In 2013, Planet 49, a German company, launched an online competition that required participants to provide their name, address, and postcode to sign up.
Additionally, would-be participants were asked to provide consent to two main requirements:
- Marketing communications by post or SMS
- Analytics and marketing cookies
While the box for marketing communications in the cookie banner was left unchecked, the second box for analytics and marketing cookies was pre-checked.
However, complaints from participants forced the Federation of German Consumer Organizations to file a lawsuit against Planet 49.
The German Court of Justice referred the case to the CJEU for legal interpretation and guidance.
In May 2020, the CJEU delivered its verdict, whereby it determined that Planet 49’s practices violated cookie consent requirements under both the GDPR (DSGVO) and the ePrivacy Directive.
As mentioned above, the ePrivacy Directive states that consent is only valid when it is freely given, specific, and provides a clear indication of the user’s wishes.
It is also important to note that a checkbox is a legitimate way to obtain cookie consent under the EU Cookie Law.
The primary findings of the CJEU in this case are:
- The un-ticked checkbox was compliant with both GDPR (DSGVO) and the ePrivacy Directive
- The pre-ticked box was in violation of cookie consent regulations
- Consent gathered through pre-checked boxes is invalid since it does not satisfy data protection requirements.
It is important to acknowledge the fact that the ePrivacy Directive was not being implemented in full in Germany because some of its requirements were considered to be similar to the German Telemedia Act (Telemediengesetz)(TMG).
What this means is that the Planet 49 decision did not modify the law entirely. Instead, it had one crucial implication:
- German data protection and cookie laws will now be interpreted according to the GDPR and the ePrivacy Directive.
For clarity, this means:
- The consent you receive is considered valid only when it is granted freely
- The consent you obtain must provide a clear indication of the user’s wishes
- If you use pre-ticked checkboxes, the consent you receive is invalid under both the ePrivacy Directive and the General Data Protection Regulation (DSGVO).
- You need to alert your users about the cookies you have on your website in your cookie notice since consent is considered invalid if people are not aware of what they are consenting to.
Our blog gives you a detailed breakdown of the CJEU’s ruling in the Planet 49 Case. Read it here: https://secureprivacy.ai/the-planet-49-judgment-key-takeaways/
How to Comply with German DSK’s Cookie Consent Requirements
To achieve compliance with the German DSK's cookie consent guidelines, you must:
- Avoid setting tracking cookies until you receive explicit prior consent from your website visitors.
For non-essential cookies such as those set by Google Analytics on your website, you must give your users a way to opt-in to tracking of their personal information.
- Avoid forcing users to accept tracking cookies to access content on your website
- Give users a way to opt-out of tracking cookies
Apart from the essential cookies that are necessary for your website to function well, you must allow users to opt-out of tracking cookies according to the German DSK’s cookie guidelines.
- You do not need to obtain valid GDPR cookie consent for essential cookies
Under the German DSK’s requirements, you do not need to seek user consent to deploy cookies that do not contain personally-identifying information. Similarly, you are not obligated to allow users to opt-out of the deployment of these cookies.
- Take precautions with embedded content
Facebook, YouTube, and other third-party widgets on your website often deploy tracking cookies. You need to either disable their capability to collect personal data from your users or avoid them altogether.
- Disclose all the cookies you use on your website and communicate the purpose of each to your users in your cookie and privacy policies.
- Do not use pre-checked consent boxes
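The rules above map onto a small consent model. The following is an added example (not code from Secure Privacy or from the original post) showing how a site can enforce them in its own scripts: consent-requiring categories default to off (no pre-ticked boxes), essential cookies need no consent, a tag loader never runs without an affirmative opt-in, and consent can be withdrawn later (opt-out). The category names and loader callbacks are assumptions for illustration.

```javascript
// Added example: consent gate for cookie categories (not the original post's code).
// Category names below are assumptions; adapt them to your own cookie inventory.
const CATEGORIES = {
  essential: { requiresConsent: false }, // session, CSRF token, the consent record itself
  analytics: { requiresConsent: true },  // e.g. Google Analytics
  marketing: { requiresConsent: true },  // third-party ad / social widgets
};

// Initial state: every consent-requiring category is OFF (no pre-ticked boxes).
function defaultConsent() {
  const state = {};
  for (const [name, cfg] of Object.entries(CATEGORIES)) {
    state[name] = !cfg.requiresConsent;
  }
  return state;
}

// Record the user's explicit choices. Only a literal `true` counts as an opt-in;
// an empty or missing submission is "no consent", never silently "accept all".
function recordConsent(state, submitted) {
  const next = { ...state };
  for (const [name, cfg] of Object.entries(CATEGORIES)) {
    if (cfg.requiresConsent) next[name] = submitted[name] === true;
  }
  return next;
}

// Opt-out: withdraw one consent-requiring category, or all of them when no
// category is given. Essential cookies are never affected.
function withdrawConsent(state, category) {
  const next = { ...state };
  for (const [name, cfg] of Object.entries(CATEGORIES)) {
    if (cfg.requiresConsent && (category === undefined || category === name)) {
      next[name] = false;
    }
  }
  return next;
}

// Gate: run a tag/cookie loader only when its category is allowed.
// Returns true if the loader ran, false if it was blocked for lack of consent.
function loadIfAllowed(state, category, loader) {
  if (!(category in CATEGORIES)) {
    throw new Error(`unknown cookie category: ${category}`);
  }
  if (!state[category]) return false; // loader never runs without consent
  loader();
  return true;
}
```

Wrap each third-party snippet (analytics tag, embedded widget) in `loadIfAllowed` and re-run the gate whenever the stored consent changes, so withdrawing consent stops further loading.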
Learn more about tracking cookies and GDPR compliance here:
Penalties for Non-Compliance with the German DSK Cookie Guidelines
If you are found to be violating the DSK's cookie consent requirements, you will be subject to both GDPR and ePrivacy Directive enforcement actions. They include:
- Written warnings from the German DSK
- Fines and other monetary sanctions
- Deletion of the personal information you gather without user consent to tracking cookies
- Cessation or restriction of sharing personal information with third parties
- A ban on your processing activities, either temporarily or permanently
German Cookie Consent Guidelines Compliance with Secure Privacy
To achieve compliance with the German DSK's cookie guidelines, Secure Privacy is a powerful yet reliable solution that is easy to use.
With Secure Privacy's GDPR compliance tool, you get:
- Easily customizable and stylish cookie consent banners to help you manage consents from your users and allow them to opt in to and opt out of the different types of cookies you have on your website, in line with ePrivacy Directive and GDPR requirements
- Unique cross-domain consent capability that allows your users to manage their cookie preferences in a single step across several domains
- Advanced monthly website scanning to ensure you are aware of all the cookies you have on your website, the type of personal information they collect, their provenance, and the recipients of the data collected
- Prior consent tool to ensure that you do not deploy cookies before users give consent to the collection and processing of their data
- Real-time logs and consent tracking, so that you can maintain recoverable records of the consent status of your data subjects in case they are required by the German DSK
- 70+ language support, which enables you to set your cookie consent banner in the language of your target users
- Precise geolocation capability that makes it possible for you to show your cookie consent banner to German users only
- A future-proof solution characterized by unique agility in responding to evolving cookie consent compliance regulatory changes
Check out our video and learn more about Secure Privacy's Top 6 Enterprise Features: https://www.youtube.com/watch?v=iULVRao0UcY&list=LL&index=5
Alternatively, you can sign up for your free trial of our complete GDPR compliance solution here.
You might also be interested in:
Read our full GDPR Cookie Consent Compliance guide: https://secureprivacy.ai/gdpr-cookie-consent-compliance/
Read our detailed guide on how to make your website compliant with the GDPR: https://secureprivacy.ai/what-is-gdpr-and-how-do-you-make-your-website-compliant/