Active user consent is required, while previously practiced opt-out mechanisms are unlawful

The facts of the case

The case relates to an online lottery organised by Planet49 GmbH (Planet49). Prior to participating in the online lottery, website users were required to enter their name and address and were provided with two checkboxes before they could click the participation button.

The first checkbox requested the user’s consent to receiving marketing information from selected sponsors and partners. The second checkbox allowed Planet49 to set cookies to track the user's behaviour online. While the first checkbox was not pre-ticked, the second checkbox was. Participation in the online lottery required at least one checkbox to be ticked.

In the description next to the second checkbox, users were provided with brief information on the cookies’ purposes, on the provider of the web analytics service, on the fact that users could delete the cookies at any time and that Planet49 would be setting the cookies. By clicking a link in the description (“You can read more about this here”), users were provided with further details on the cookies placed, including a short description of the function of the cookies and the fact that the cookies would track users’ activities on the websites of advertising partners who registered for the web analytics service in question. The website further specified that no user profiles involving multiple advertising partners would be created.

The German Federation of Consumer Organisations (“Verbraucherzentrale Bundesverband”) claimed that such checkboxes were not in line with German law and the case ultimately reached the BGH, which referred it to the CJEU. Among other things, the German court requested a preliminary ruling by the CJEU on whether pre-checked boxes constitute valid cookie consent. In its decision passed in October 2019, the CJEU stated that pre-ticked checkboxes do not qualify as valid consent to the use of cookies and that such valid consent must comply with the consent requirements as laid out in the General Data Protection Regulation (GDPR), thereby confirming the EDPB’s position in its Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR. The European court further pointed out that users must be provided with comprehensive information about both the validity duration of the cookies as well as third-party sharing. Overall, the CJEU judgment confirmed the approach that the EDPB and national data protection authorities had adopted from an early stage. The CJEU asserted that while consent for using cookies and other online tracking methods and techniques (e.g. flash cookies, tags, scripts, pixels, device fingerprinting, etc.) is currently governed by special legal norms under the ePrivacy Directive, it is also subject to the requirements for consent set out in the GDPR.

The BGH’s take on the CJEU judgment

The German ruling was eagerly awaited by website operators and particularly the German online marketing industry in light of the uncertainty as to whether advertising cookies require consent, as is the case in most European countries. In its judgment of 28 May 2020, the German court followed the decision passed by the CJEU in October 2019 and the EDPB Guidelines 05/2020 on consent, clarifying that the default setting of pre-ticked checkboxes does not amount to valid consent to the use of non-functional cookies.

While this verdict was not surprising, the judges finally clarified that consent is required for profiling in the context of online marketing. Moreover, the court included some interesting remarks on the applicable laws and contradicted recent views expressed by German data protection supervisory authorities and the German Data Protection Conference (“Datenschutzkonferenz”) on the further applicability of Section 15(3) of the Telemedia Act since the GDPR entered into force. The court held that the latter provision is still in force and thus is not superseded by the GDPR. Notwithstanding the wording of Section 15(3) of the Telemedia Act (which suggests that pseudonymous user profiles can be used for marketing purposes on an opt-out basis), however, the court held that this provision must be interpreted in conformity with the EU Cookie Directive to require consent (i.e. opt-in) for such profiling.

Key implications for businesses

Regardless of the partly controversial reasoning provided by the BGH, the judgment brings much-anticipated legal certainty around cookie-based online tracking in Germany: GDPR-type prior consent is indeed required. If they have not done so already, website operators should pay particular attention when reviewing their cookie notices and overlays. More specifically, when using cookies that require consent, website operators should bear in mind the following:

• Cookie consent mechanisms should be reviewed and any pre-ticked checkboxes removed. The use of such pre-checked consent boxes does not lead to valid cookie consent.
• Cookie overlays and banners should be checked for legal compliance, also with a view to potentially critical layouts or “nudging”.
• Cookie notices should be reviewed with a particular focus on transparency and whether they provide all the relevant information to users, including the validity duration of cookies as well as details on third-party sharing.

Compliance with the requirements outlined above will be essential in order to avoid being subject to investigations by regulators or receiving cease-and-desist letters from competitors or consumer associations. This is all the more important as many German regulators have already announced that they intend to launch proactive checks and investigations in this regard.

* As at the date of this bulletin, the full opinion of the court is not yet available so all statements made refer to the press release.