01.10.2019 - New ECJ ruling on cookies

New ECJ ruling on cookies - active consent required

UPDATE: New ruling on cookies - active consent is mandatory

The ECJ has been dealing with consent to cookies for some time now. There was already a ruling on the consent requirement in the summer. At that time, the main issue was that data was passed on to Facebook without active consent.

Since 01.10.2019 there is now another judgment. The ruling is against Planet49 GmbH, which only provided a cookie banner with an OK button. According to the new ruling, users must actively consent to the collection of cookies. This means that cookie banners with an OK button must be replaced with consent forms. It is now clear that users must be given the option to actively consent to the following cookies:

  • Marketing cookies
  • Tracking cookies
  • Retargeting cookies
  • and similar cookies

Users must be fully informed about cookies in advance and give their consent. Only then may website operators collect cookies. Technical cookies that are necessary for a website to function are exempt from the cookie consent requirement.

Website operators should take action now at the latest and replace a simple cookie banner with an OK button with a consent form. Otherwise there will be problems sooner or later. But what are the arguments against the cookie banner with OK button?

  • It violates several provisions of the GDPR.
  • The purposes of data processing are not listed.
  • Users cannot actively consent.

With such a banner, users are forced to opt in; they have no other option to choose. This ruling has now made it clear that this approach is not legally compliant and that cookie banners with opt-in are mandatory. It is now important to rely on proper and reliable GDPR-compliant consent management. There is a plugin for WordPress that is GDPR-compliant and meets the requirements.

Would you like to find out more about this topic?

Below you will find all information on the ECJ ruling of 29.07.2019 or you can read the following articles:


29.07.2019, ECJ judgment: cookie opt-in required, joint liability for Like buttons

At the end of July 2019, the ECJ issued a landmark ruling on the subject of the cookie opt-in obligation. The underlying case involved the company Fashion ID, which had integrated social media buttons on its website. Fashion ID was warned because data was transmitted to Facebook without consent due to the Facebook Like button. But what exactly does the ruling say and what does it mean for website operators? We provide all the important information here.

1. New judgment on tracking cookies?

The ECJ has issued a new ruling on cookies and the treatment of Facebook Like buttons. In general, the legal background continues to be difficult. There is also no valid ePrivacy Regulation yet, which should contain corresponding provisions on the protection of personal data with regard to electronic communication. At present, website operators can only use current rulings as a guide. The ECJ ruling sets the direction with regard to the use of cookies. The short version of the ruling states:

  • No real consent available - tracking cookies are not permitted
  • Website operators are jointly responsible for the integration of Facebook Like buttons
  • Tracking cookies are a duty to warn
  • Violations can be warned

The ruling has caused a lot of discussion. Anyone operating a website no longer has to ask themselves whether a cookie banner must be used. Instead, the question is what the banner that complies with all legal requirements under data protection law should look like. For website owners, this means correctly fulfilling the requirements of the GDPR.

2. What does the ruling mean for website operators?

The European Court of Justice has ruled on a total of four questions.

  • It was determined that tracking and marketing cookies require genuine user consent. According to the ruling, a simple cookie banner stating that cookies are collected is no longer sufficient.
  • In addition, website operators who use the Facebook button will be jointly responsible with Facebook for data protection violations.
  • If data is transmitted to Facebook via the Like button without being asked, this constitutes a breach of data protection law.
  • It was also explained that competition associations can warn website operators for a fee if they have embedded Facebook "Like" buttons on their website without consent.

3. Who should deal with the ECJ ruling?

All those website operators who generally do not use tracking cookies need not worry about the ruling. The ruling is important for all website operators who:

  • Use cookies for marketing and tracking on their websites
  • Use social media buttons on their websites
  • and generally for all web designers and web agencies that create websites

For this group of people, it is unavoidable to deal intensively with the ECJ ruling on the cookie opt-in obligation and the use of Facebook & Co buttons. Web projects must be implemented in accordance with the requirements in order to avoid cost-intensive warnings.

4. Are all cookies affected by the obligation?

Websites work with different types of cookies. However, not all cookies are affected by this ruling. Cookies that are technically necessary for the operation of the website are excluded. In addition, there are cookies that generally do not collect any personal data. How these are to be classified has not yet been conclusively clarified. The situation is different for cookies for marketing and tracking purposes. If necessary, these can be warned if the current requirements are not implemented.

**Info:** Before this ruling, the online marketing industry was of the opinion that tracking cookies did not require active consent. The ECJ clearly has a different view here and makes consent mandatory with this ruling.

Whether consent must be obtained depends on the service and the data that is to be collected and processed. There are still many inconsistencies here, especially with regard to the cookies that Google Analytics automatically sets. Some lawyers believe that an opt-in must also be obtained in this regard. Other specialists take a different view. The situation will certainly be clarified in future legal disputes, but given the current trend, the website operator will probably lose out.

5. What needs to be changed on the website now?

Website owners must now first check which cookies are currently in use and how this is indicated on their own site. If attention is only drawn to cookies with a banner without providing a consent function, this must be changed. Users of the website must be given the opportunity to give their consent. Data transfer is only permitted once consent has been given. There are consent tools and opt-in banners that offer a real consent option. Such tools replace simple notice banners.

6. What is the difference between cookie banners and consent tools?

A cookie banner is a cookie notice. It merely informs the user that a website uses cookies. Such simple notices do not meet the requirements of the new ECJ ruling. If pure information banners are used, the data transfer is not held back until the user gives their consent. Therefore, the data protection requirements are not met. Consent tools, on the other hand, offer the user the option of giving consent or blocking cookies. Websites with a consent option or the option to reject cookies are legally on the safe side as long as they do not transfer any data before consent is given.

7. What do agencies and web designers need to be aware of?

The ruling is not only highly relevant for website operators. Agencies and web designers who manage or create website projects for their customers are also liable for infringements. They have the task of creating their customers' websites in compliance with the law. This also includes the implementation of cookie opt-in requirements and all other data protection measures. According to this ruling, the task of agencies and web designers is to check their clients' projects for cookies and social media buttons and make the necessary changes.

8. Has the judgment of the ECJ already been enforced?

Although the ECJ has already spoken, the case will be returned to the Düsseldorf Higher Regional Court. In all probability, however, nothing will change. The Higher Regional Court will certainly adhere to the guidelines of the European Court of Justice. Once this has happened, at the latest, a consent tool should be integrated on your own website for the purpose of consent.

9. Website operators beware - responsible for Like button

The hearing before the ECJ was actually about the "Like" button that many website operators embed on their pages. It was decided that those operators who embed the Like button are also jointly responsible under the GDPR. In the same breath, it was determined that consent and full data protection information must be provided if the "Like" button is to be used. This point also applies to other plugins and tracking tools. Anyone who violates these requirements can expect a warning. According to the ECJ, fan page operators are also jointly responsible for the processing of user data, although the operators usually only use data for anonymous statistics. Facebook, on the other hand, processes personal data. Fan page owners are fully liable for this if they do not obtain appropriate consent. However, there are restrictions with regard to joint responsibility. These include:

  • Users of the "Like" button are only responsible for the data collection and transmission phase (which is why consent is important)
  • The website operator is not responsible for the subsequent processing of data by Facebook (only Facebook)

In the event of a fine, this means that website operators are initially liable to the full extent. Website operators can then claim back the share of Facebook's liability that is attributable to the company. Ultimately, however, website operators are fully liable and must hope that the provider Facebook will reimburse the costs.

Incidentally, Facebook must offer the website operator an agreement on joint responsibility if a Like button is to be used. If there is no agreement, such a social plugin would even be illegal. In most cases, there is no agreement. This would mean that the various social media plugins would be illegal. This applies not only to Facebook, but also to Instagram, Twitter and co. Anyone who does not benefit from the social media buttons simply does not use them. This puts website operators on the safe side.

10. Borlabs Cookie as (one) opt-in solution for WP pages

WordPress users can look forward to the implementation of the GDPR and the ePrivacy Regulation. There are useful plugins that support the implementation. One of our favorite plugins is the Borlabs Cookie Plugin. The application allows you to control the following cookies:

  • First-party cookies
  • Third-party cookies

A cookie banner gives website users the option of agreeing to or rejecting the collection of cookies. Website operators can use the dashboard to track how often a user has consented. The plugin offers many different options in terms of design and settings for content blockers etc. The tool is very useful and makes everyday work much easier, especially for agencies. For more information, contact the manufacturer directly: https://borlabs.io/borlabs-cookie/

11. Conclusion on the cookie opt-in judgment

To really be on the safe side legally, website operators should decide to provide a consent tool with a consent function. This gives users the option of generally or individually accepting or rejecting cookies. It should be noted that data is only really transferred after consent has been given.
