There could soon be a ruling by the European Court of Justice that could startle German website providers who have so far complied with Section 15 III of the German Telemedia Act (TMG). § 15 III TMG regulates:
The service provider may create usage profiles using pseudonyms for the purposes of advertising, market research or for the needs-based design of the telemedia, unless the user objects to this. The service provider shall inform the user of his right to object within the scope of the notification pursuant to Section 13 para. 1 to be pointed out. These usage profiles may not be merged with data about the bearer of the pseudonym.
However, there is now a consensus among legal experts that § 15 III is at least problematic. Actually, it does not comply with the EU ePrivacy Directive. Currently, however, the issue is controversial. Some lawyers are of the opinion that the TMA would not have continued to apply alongside the GDPR, as the opt-out solution and the opt-in solution are not compatible with each other.
The EU Advocate General has now largely agreed with this and, following a complaint by the Federation of German Consumer Organizations (VZBV) against the advertising service provider Planet49, has ruled that the German solution violates EU law. Thus, it follows from his closing argument that, when applying Articles 5(3) and 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46, it would be essentially irrelevant whether or not cookies contain personal data.
In the vast majority of cases, the ECJ agrees with the Advocate General. Despite the fact that the Federal Court of Justice has the final say, this should mean that in future it will hardly be possible to visit a website without first confirming cookie consent. What is already extremely annoying will probably be the rule in the future. Unless the website operator wants to expose himself to the danger of a warning.
It is doubtful whether the upcoming ePrivacy Regulation will change this. This could only happen if the annoyance factor of having to confirm before entering most sites that are built on WordPress, for example, eventually becomes too much even for politicians. It is not possible to predict whether and when the ePrivacy Regulation, which would then immediately become applicable law, will come into force.