The ECJ has just ruled on the subject of cookies in the Planet49 case(see this article). Because of this procedure and my mail, I have received some inquiries from clients and was of course able to advise them. However, since a question arose relatively often, I would like to answer it briefly in the context of this article.

It is a question of whether a cookie banner must also be displayed on the site when the pure use of technical cookies, such as the PHP session cookie. And the answer is “No, you probably don’t have to, but…”.

Although some points have currently been clarified by the ECJ, such as the connection of sweepstakes and the setting of cookies, some questions remain unresolved. The ECJ did not have to resolve many questions, as they were not part of the referral to the Court of Justice. It is clear, however, that the German special route via the TMG is now history and therefore the mere clarification about non-technical cookies is not enough. Qualified consent to the setting of cookies for non-technical cookies is required. This has been the case throughout Europe for a long time and now the rules of Article 5(3) are probably also for “Germans” in principle. 3 of the EU Directive 2002/58/EC, even if, purely formally, it is only a directive and not a regulation.

This means that Germany would have to ensure that the use of electronic communications networks for the storage of information or access to information stored in the terminal equipment of a subscriber or user is only permitted on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, in particular on the purposes of the processing, and is informed by the controller of the right to refuse such processing.

Cookies must therefore be pointed out, they must be able to be refused and if you agree to the storage, you must be fully informed about the contents of the cookies. For me, this takes place on the cookie policy page.

According to current legal opinion, this does not apply to technical cookies, as the upper rule should not prevent technical storage or access if the sole purpose is to carry out or facilitate the transmission of a communication over an electronic communications network or, where strictly necessary, to provide an information societyservice explicitly requested by the subscriber or user .

This therefore means that there is no need to inform about the setting of technical cookies. For data protection reasons, however, it is of course necessary to inform about the storage in the data protection declaration, because – as nonsensical as I personally think – the general legal opinion is that a simple IP address is also personal data and also in the case of Technical cookies are stored in the cookies and consequently also in the databases of the websites or in the cache files of PHP, WordPress etc. The cookie banner can then be saved, however, of course a consent banner, which are usually only possible via paid plugins.

but. The krux may be in the detail, because in principle it is defined what a cookie banner is, but the interpretation of the standard can of course cause demarcation difficulties. Is a cookie that automatically remembers languages on a website really ESSENTIAL for the operation of a website? Is a cookie that stores search preferences really ESSENTIAL? Or a cookie that simplifies data entry when shopping in a shop? This is difficult to say and could lead to warnings and claims for damages if courts eventually see it differently. There are still many details to be decided in doubt. The nerve factor is also not to be neglected, possibly to risk a warning, because a warning association notices that a website sets cookies (the browser shows this), but no cookie banners are present. Even if you end up winning a court case, you have to wonder if it was worth the time.

An alternative would therefore be the following clear indication:

Only technical cookies are used on our site. No personal data will be processed. Since the setting of these cookies is technically mandatory for the provision of the proper presentation of this website, explicit consent on your part is not required. The details of the technical cookies can be found in our data protection policy/cookie guideline.

This should certainly deter potential warnings.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: Bank Damages Data protection Law Information IP address KI Personal data Privacy Regulation Warning