Data protection consent with cookie alternatives?

Last year, the ECJ ruled that numerous types of cookies must be expressly authorized by the user before they can be stored on the user’s PC. Does this also apply to alternatives?

Key Facts

ECJ ruled that cookies may only be stored with explicit consent.
Alternatives such as device fingerprinting use a variety of data for user recognition.
Techniques such as device fingerprinting may be legally problematic without the user's consent.
Article 5 III of EU Directive 2009/136/EC requires user information and consent.
These technologies may not be subject to the same restrictions as cookies.
Providers of online stores should pay attention to device fingerprinting in order to avoid legal risks.
Technology should only be used with clear information and consent in the logged-in area.

Officially, the European Court of Justice ruled last year only on the usual cookies (see, among others, my post here). For a long time now, however, advertising network providers and other service providers in particular have been working on technologies that make it unnecessary to store text files on users’ computers and read them out again later. Rather, so-called “device fingerprinting” takes advantage of the fact that much more data can be read when visiting a website than just the user’s IP address. If you combine things like screen resolution, time of visit, type and manner of surfing behavior and many other aspects statistically with each other, a user can be recognized very reliably without having to store things like name or IP address. This even works across devices in some cases.

So can you use this technology without any problems, e.g. to create usage statistics or to control your online store, since no cookies in the classical sense are set?

This would probably be problematic because Article 5 III of EU Directive 2002/58/EC as amended by EU Directive 2009/136/EC reads as follows.

Member States shall ensure that the storage of information or access to information already stored in the terminal equipment of a subscriber or user is only allowed if the subscriber or user concerned has given his or her consent on the basis of clear and comprehensive information provided to him or her in accordance with Directive 95/46/EC, inter alia, on the purposes of the processing. This shall not prevent technical storage or access if the sole purpose is to carry out the transmission of a communication over an electronic communications network or if this is strictly necessary in order for the provider of an information society service expressly requested by the subscriber or user to be able to provide that service.

The data collected in the context of electronic fingerprinting is already available on the user’s PC or device, or can be read from it. The standard therefore probably also applies to these techniques.

Admittedly, there is no specific ruling on this yet. However, using it without first informing the user and obtaining his or her consent would be a major legal risk.

This is especially true because these techniques are not only even less recognizable by the user, but in many cases are not even subject to the restrictions of regular cookies. Unlike text cookies, for example, many of these techniques can be used across pages. A user on page A can therefore be recognized on page B and, for example, be presented with corresponding offers or even have prices flexibly adjusted. The encroachment on the user’s rights is thus even greater.

Providers of online stores should therefore pay particular attention. Unlike cookies, the providers of online shop software or even plugins do not point out the use of “device fingerprinting”, often for the reason that the developers themselves lack awareness of the problem. Even the common plugins that display cookie banners and are supposed to comply with the ECJ ruling, in my opinion, do not yet know any options to inform the user accordingly or to dynamically switch such functions on or off. It can therefore quickly happen that you use a plugin without much awareness of wrongdoing and, without realizing it, find yourself in a warning trap.

This technology can probably only be used in a logged-in area and with the clear explanation and consent of the user. Of course, this should only be done with the help of legal advice.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.