The use of advertising cookies, especially across websites, quickly constitutes a violation of the GDPR and can lead to warnings. This has now also been decided by the Munich Regional Court in a case brought by the Federation of German Consumer Organizations against Focus. The court in fact prohibited BurdaForward GmbH from using tracking cookies to evaluate user behavior for advertising and analysis purposes without effective consent. BurdaForward GmbH, which belongs to the Burda media group, operates the site focus.de, among others. After accessing the page, a cookie banner opened, with which the company wanted to obtain consent for the storage of cookies and the evaluation of data stored on the end devices of the users for advertising and analysis purposes.
However, the banner’s home page only gave the user the choice to fully consent to the processing of their data and browsing behavior by numerous third-party companies by clicking on “Accept” or to make a separate selection by clicking on the “Settings” button. In the latter case, a “Privacy Settings” window opened, which contained more than 140 screen pages of settings differentiated by data usage for more than 100 third-party providers. The “Accept All” and “Save Selection” buttons were clearly highlighted. The option “reject all”, on the other hand, was inconspicuously placed in pale letters in the upper right corner of the window.
Anyone who feels uneasy about the design of the cookie banner is on the right side of justice, because the Munich Regional Court agreed with the vzbv’s view that the consents obtained by the banner used are invalid. The consent mechanism violates the legal requirements, which presuppose a voluntary, informed and unambiguous expression of will for effective consent. However, the consent obtained on focus.de was not based on a voluntary decision due to the design of the cookie banner. Refusing consent would require more effort than quickly accepting data processing and would be made even more difficult by the large number of setting options on the second level of the banner. There was no objective justification for the different treatment of the options “give consent” and “refuse consent”.
The decision was based on regulations of the Telecommunications Telemedia Data Protection Act – or more precisely, the Act on Data Protection and Privacy in Telecommunications and Telemedia, which did not come into force until December 1, 2021, and of which probably at least website operators have heard so far.