Attention: Simple cookie banner no longer sufficient

Yesterday, the European Court of Justice made a far-reaching decision on the issue of consent to the setting of cookies(see here).

As already written in the article yesterday, some questions remain unresolved and there is still a dispute as to whether the judgment could not concern technically necessary cookies. In fact, the ECJ has not decided on this. The ECJ has only really decided that a preset hook in a check box does not constitute an effective act of consent, which also means that the continued use of a website does not give consent to the specific case of cookie use. Represents.

However, since even the vzbv (which initiated the Planet49 procedure) assumes that technical cookies, i.e. those that check the login status, remember the language selection or allow things like a shopping cart in an online shop in the first place, no problem the discussion on the demarcation is probably more academic in nature. Of course, all kinds of marketing cookies, which are also setting online shops to monitor the shopping behavior or the like, are problematic.

This is all the more true when such third-party cookies are set to monitor and optimize things such as browsing behaviour or previous purchases. Incidentally, it does not matter whether cookies, i.e. text files, are actually used from a technical point of view or whether other new fingerprint technologies are used.

Operators of websites must therefore act, because it is clear that

• • Simple cookie banners that only inform about cookies are no longer sufficient. In Europe, these have long since ceased to be sufficient. However, the German special route is now also history. Of course, this only applies if, for other reasons, one is obliged to inform cookies at all and must obtain a specific consent of the user before setting these cookies, in accordance with yesterday’s decision!
  • Only so-called cookie consent solutions, such as Complianz.io , which provide comprehensive information about the exact cookies set, also respect things like “Do not track” in the browser (which Wordpress, for example, does not do out-of-the-box) and do not release technical cookies until the user has given their consent, are sufficient.
  • The user must have the opportunity to withdraw his consent on the page itself. This possibility must be obvious and easy to achieve. In my case, this information can be found in the cookie policy.
  • For each non-technical cookie, the lifetime of the cookie, the provider, the content, the name and the possible data protection provisions of the provider must be informed.

Of course, there is still the possibility to completely dispense with cookies 😉

There are still many details that will have to be clarified in the coming months either by data protection authorities or, ultimately, by courts. Among other things, this includes numerous questions about what all technical cookies are (i.e. those that are absolutely necessary for the use of functions of the website) and what are not functional cookies.

However, everyone should check their own website, at least in order not to expose themselves to the accusation of having been inactive.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.