The European Court of Justice (ECJ) and the German Federal Court of Justice recently decided that the active consent of a website user is required for a website to set cookies for tracking and marketing purposes. But, the judgments haven’t been 100% clear as to what that means regarding some details. The Regional Court in Rostock, Germany, continued this case law in a current judgment, closed some gaps, and made life a little more difficult for website operators moving forward.
Background on User Cookie Consent
In May, the German Federal Court of Justice in the Planet 49 case made the decision that website operators need active consent from users to set cookies to store and analyze user behavior on their websites (judgment of May 28, 2020, Az. I ZR 7 / 16). The court expressly stated that “preset checkboxes” (opt-out) do not represent effective consent.
In the current case, judged by the Rostock Regional Court (judgment of 15.09.2020, Az. 3 O 762/19), the Federation of German Consumer Organizations warned a website operator who had used various cookies and tracking services, including Google Analytics. The operator had implemented a consent tool from Cookiebot on the website. However, it was configured in such a way that checkboxes for the categories “Necessary,” “Preferences,” “Statistics,” and “Marketing” were preselected for the user.
The Interesting Part of the Cookie Consent Verdict Begins
After the warning, the website operator changed the configuration of the consent tool. The checkmarks were gone from the user interface. Instead, the banner contained a green button “Allow cookies” and a light gray button “Allow only necessary cookies.” When the user clicked on the green button, all previously pre-selected cookies were set.
Similar designs are meanwhile widespread and take advantage of the laziness of the visitor, who often doesn’t read the consent instructions, but instead, simply “clicks away” the banner with the most conspicuous button (so-called “nudging”).
In the opinion of the Rostock Regional Court, however, no effective consent can be obtained even with a consent tool configured in this way. The court stated,
“Effective consent is therefore not possible with the cookie banner now in use. Because here too, all cookies are preselected and are ‘activated’ by pressing the green ‘Allow cookies’ button. (…) The consumer has the option of viewing the details and deselecting individual cookies. However, the consumer will regularly shy away from the effort of such a procedure and therefore press the button without prior information about the details. The consumer does not know what the implications of his declaration are.”
In the opinion of the court, the fact that the reject button was highlighted in gray also leads to the ineffectiveness of the consent,
“The fact that the user also has the option of restricting his consent to technically necessary cookies via the ‘Use only necessary cookies’ area with the cookie banner now used does not change the assessment. In this respect, it should be noted that this button cannot be recognized as a clickable button. In addition, it takes a backseat to the ‘Allow cookie’ button, which is highlighted in green and therefore appears to be pre-assigned. This option will therefore regularly be perceived by a large number of consumers as a non-equivalent consent option.”
What Should Website Owners and Operators Do
The Rostock Regional Court decision puts a stop to nudging. Website operators who have previously used an optimized consent tool and now want to reduce the risk of a warning should make adjustments.
With the judgment in place, it’s recommended that website owners and operators:
Ensure that a “Reject” option is included in the banner. Designs where the user is referred to a submenu where he/she can deselect cookies carry the risk of a warning.
Ensure the “Reject” option (or an “Only use necessary cookies” button) is not visually hidden or minimized in comparison to the “Allow all cookies” button.
Cookie Consent Banners Don’t Have to Include a Possibility of Revocation
The Rostock judgment still holds good news for website operators. The court stated that the cookie banner itself doesn’t have to contain any information about the possibility of revoking consent. Art. 7 Para. 3 Clause 3 GDPR says that the user must be informed about the possibility of revoking consent. However, it doesn’t say that the option to revoke be included in the banner itself. A note in the data protection declaration is enough.
Felix Gebhard is a lawyer and certified data protection officer. Since 2013, he has worked for the law firm BPM Legal in Munich, Germany. BPM Legal primarily advises companies in eCommerce and IT on all relevant legal issues and with a special focus on data protection.