Beware of cookie notices

by Katrin Nebermann

In particular, the Bavarian State Office for Data Protection Supervision (BayLDA) is currently taking action against website operators who use so-called cookie banners in connection with tracking solutions. See also

https://www.lda.bayern.de/media/pm2019_2.pdf

https://www.lda.bayern.de/media/sid_ergebnis_2019.pdf (from slide 20)

Many data controllers mistakenly believe that these references to the use of cookies are helpful, necessary or even sufficient for obtaining consent under the EU General Data Protection Regulation (GDPR).

In fact, cookie banners are not only annoying for users, they are misleading, especially in the context of the GDPR, and can even have a negative legal impact.

Why are cookie banners counterproductive with regard to the GDPR?

According to Article 6 GDPR, cookie identifiers may only be used if at least one of three conditions is met, namely:

1. Cookies are legally and technically absolutely necessary, for example, to place an order or so that users can log in.
2. The data processed by cookies helps the website operator with a legitimate purpose, while the impact on the user’s privacy must not outweigh this.
3. The user has consented to certain cookies being set.

Let us now take a look at the effects on obtaining consent and the associated data protection notices for each of the three requirements:

Case a)

Necessity: In the actual privacy policy of your website, you should explain that cookies are used, the basic functionality of cookies and which cookies you use, what they do, their duration and whether third parties have access to the cookies. A simple cookie notice a la “In order to optimize our website for you and to be able to continuously improve it, we use cookies.” is not sufficient. Similarly, it is not necessary to refer to the privacy policy by means of a pop-up. A link in the footer of each page, for example, is sufficient.

Case b)

Balancing of interests: If cookies are used for so-called legitimate purposes, in addition to a passage on cookies in the privacy policy, information must also be provided on the purposes of their use and the user must be given the opportunity to object to data processing in the future. As under (a), a simple cookie notice is neither necessary nor sufficient.

Case c)

Consent requirement: If the use of cookies encroaches more strongly on the privacy of users, for example if third parties gain access to the data, sensitive data is collected or cross-website user profiles are created, cookies used for this purpose may only be set if the user’s consent has been lawfully obtained. Legality requires that

• consent is voluntary and users can also simply refuse or close consent banners.
• the consent is informed with regard to purpose, scope, disclosure to third parties, etc.
• consent is given explicitly and users actively agree, i.e. not in this way: “By continuing to use the website, you consent to the use of cookies.”
• consent is given in advance before cookies are set and data is collected.
• consent is differentiated and users can also agree and refuse individually for different purposes, types and solutions.
• the consent is documented and can be proven.

As you can see, obtaining lawful consent is not that easy. A simple cookie notice does not meet the requirements under any circumstances. So if you need consent, no half measures will help.

A cookie banner therefore does not help in any of these three cases, but rather harms. On the one hand, the notices annoy your visitors, and on the other hand, the data protection authorities are bothered by them. Cookie banners give the impression that the tracking and setting of cookies is based on the user’s consent. And then the supervisory authorities rightly say: If the setting of cookies is based on the consent of users, the consent must be lawful: Cookie banners do not mean real consent, i.e. no GDPR-compliant tracking. According to the GDPR, it is therefore better to avoid cookie banners, as they do more harm than good.

What about the cookie policy?

In a nutshell: Unfortunately, things get complicated outside Germany. The reason for this is the so-called Cookie Directive, more precisely: Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Article 5(3) states:

Member States shall ensure that the use of electronic communications networks for the storage of or access to information stored in the terminal equipment of a subscriber or user is only permitted on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, in particular on the purposes of the processing and is informed by the controller of the right to object to such processing.

Most cookie notices do not meet this requirement either, as comprehensive information is required as well as the option to refuse. It is unclear whether the directive requires consent before cookies and data processing are set. The directive has therefore been implemented very differently in EU member states, sometimes with a requirement for consent (opt-in), sometimes without (opt-out). In Germany, it was never transposed into national law, although the deadline for this was 2011. It is therefore advisable to observe the national law of the respective EU country in which the website operator is based. In addition, legal practice can differ from one Member State to another, as can the interpretation of the legislation by the supervisory authorities of the respective country.

In order to offer our etracker customers the greatest possible legal certainty, we have undergone a review process by independent experts who have certified compliance with the provisions of the EU General Data Protection Regulation (EU GDPR) and the new German Federal Data Protection Act (BDSG new) with the ePrivacyseal data protection seal of approval. The award of the seal explicitly certifies that the processing is covered by the legitimate interest of the website operator and that there is therefore no requirement for consent. In direct dialogue with Professor Dr. Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information, we also received confirmation that there is no general requirement for consent before cookies are set, but that it depends on the type of data processing.