The ECJ has just decided on cookies in the procedure around Planet49(see this article). Because of this procedure and my mail, I have received some inquiries from clients and was of course able to advise them. However, since a question arose relatively often, I would like to answer it briefly in the context of this article.
It is a question of whether a cookie banner must also be displayed on the site when the pure use of technical cookies, such as the PHP session cookie. And the answer is “No, you probably don’t have to, but…”.
Although some points have currently been clarified by the ECJ, such as the connection of sweepstakes and the setting of cookies, some questions remain unresolved. The ECJ did not have to resolve many questions, as they were not part of the referral to the Court of Justice. It is clear, however, that the German special route via the TMG is now history and therefore the mere clarification about non-technical cookies is not enough. Qualified consent to the setting of cookies for non-technical cookies is required. This has been the case throughout Europe for a long time and now the rules of Article 5(3) are probably also for “Germans” in principle. 3 of the EU Directive 2002/58/EC, even if, purely formally, it is only a directive and not a regulation.
After all, germany would have to ensure that the use of electronic communications networks for the storage of information or access to information stored in the terminal of a subscriber or user is permitted only on condition that the participant or user concerned is Directive 95/46/EC provides clear and comprehensive information, in particular on the purposes of the processing, and the right to refuse such processing is made available by the controller.
According to current legal opinion, this probably does not apply to technical cookies, because the upper rule is to be technical storage or access where the sole purpose is to carry out or facilitate the transmission of a message via an electronic communications network or, where it is essential to do so, is necessary to provide a to provide participants or users with the information society’s services that are expressly requested.
This therefore means that there is no need to inform about the setting of technical cookies. For data protection reasons, however, it is of course necessary to inform about the storage in the data protection declaration, because – as nonsensical as I personally think – the general legal opinion is that a simple IP address is also personal data and also in the case of Technical cookies are stored in the cookies and consequently also in the databases of the websites or in the cache files of PHP, WordPress etc. The cookie banner can then be saved, however, of course a consent banner, which are usually only possible via paid plugins.
but. The krux may be in the detail, because in principle it is defined what a cookie banner is, but the interpretation of the standard can of course cause demarcation difficulties. Is a cookie that automatically remembers languages on a website really COMPELLING for the operation of a website? Is a cookie that stores search preferences really MANDATORY? Or a cookie that simplifies data entry when shopping in a shop? This is difficult to say and could lead to warnings and claims for damages if courts eventually see it differently. There are still many details to be decided in doubt. The nerve factor is also not to be neglected, possibly to risk a warning, because a warning association notices that a website sets cookies (the browser shows this), but no cookie banners are present. Even if you end up winning a court case, you have to wonder if it was worth the time.
An alternative would therefore be the following clear indication:
Only technical cookies are used on our site. No personal data will be processed. Since the setting of these cookies is technically mandatory for the provision of the proper presentation of this website, explicit consent on your part is not required. The details of the technical cookies can be found in our data protection policy/cookie guideline.
This should certainly deter potential warnings.