Although most European countries derive their data privacy rules from the European Union, the precise implementation can vary. At one time this variation meant cookie consent rules were weaker in Germany than in some other countries. This is not the case now.
In fact, German courts are responsible for clearer and stronger rules applying across the EU. If you serve customers in Germany, here's what you need to do to comply.
- 1. The European Union's Rules on Cookies
- 1.1. The Difference Between a Regulation and a Directive
- 1.2. Key Points of the ePrivacy Directive
- 1.3. Key Points of the GDPR
- 2. How Germany's Cookie Rules Developed
- 2.1. No New Law
- 2.2. The GDPR Takes Effect
- 2.3. The Planet49 Case
- 2.4. EU-Wide Consequences
- 2.5. German Consequences
- 3. How to Comply With Germany's Cookie Rules
- 3.1. Define Your Essential Cookies
- 3.2. Identify Cookies That are Personal Data
- 3.3. Define the Purpose of the Cookies
- 3.4. Provide the Correct Information
- 3.5. Use Acceptable Forms of Consent
- 3.5.1. Clear Intention by the User
- 3.5.2. Scrolling Alone is Insufficient
- 3.5.3. Pre-ticked Checkboxes are Not Allowed
- 3.5.4. No Cookie Walls
- 4. Summary
The European Union's Rules on Cookies
One of the reasons the rules on cookie consent in Germany have been confusing is that four different factors have shaped them, particularly since the GDPR took effect in 2018:
- The EU's ePrivacy Directive
- The EU's General Data Protection Regulation (GDPR)
- The way German authorities implemented and applied the rules
- Rulings by courts that clarified the rules
The Difference Between a Regulation and a Directive
Although the ePrivacy Directive and the General Data Protection Regulation are both examples of European Union legislation, they are different types of legislation that work in different ways. In simple terms:
- A directive is a set of measures agreed by the EU. Individual countries must create or amend domestic legislation to implement these measures, though this can take some time. This process is known as transposition.
- A regulation has immediate legal effect in all EU member states without any transposition and has the same legal force as a domestic law. The text of the legislation is the same in all countries, though enforcement and guidance may vary.
Key Points of the ePrivacy Directive
The ePrivacy Directive was issued in 2002 and then updated in 2009. Its formal name is the Privacy and Electronic Communications Directive 2002/58/EC. It specifically deals with online data privacy and includes measures on cookies.
Under Article 5(3) of the ePrivacy Directive, each EU country must update its laws to make most cookies opt-in, meaning a site can't issue the cookie unless the user has clear information and consents. The main exemption is cookies that are "strictly necessary" to carry out a function or service requested by the user. Note that Article 5(3) covers any storing of, or access to, information on the user's device, so the same rule applies to techniques such as localStorage or device fingerprinting, not only to HTTP cookies.
(The EU has ongoing plans to replace the ePrivacy Directive with a specific ePrivacy Regulation that updates and strengthens the rules. At the time of writing there was no sign of this happening soon.)
Key Points of the GDPR
The GDPR is a broad-ranging regulation governing data processing. Its key legal point is that processing personal data is only lawful in specific circumstances, each known as a legal basis. The two that most commonly apply to a website are:
- The user has given meaningful consent to data processing for a specific purpose.
- The website operator's legitimate interests outweigh the user's data privacy rights. This usually only applies to processing that the user would reasonably expect to happen, given the way they are using the site.
Note that although the GDPR's articles don't specifically refer to cookies (Recital 30 does list "cookie identifiers" among the online identifiers that can make a person identifiable), the data a cookie holds or links to will usually come under its definition of personal data, namely information that relates to an identified or identifiable individual.
How Germany's Cookie Rules Developed
Exactly which rules apply to cookie consent in Germany, and how, has historically been a muddy issue, and website operators might well have concluded that they did not need to get consent at all. That is not the case today.
Here's how the situation developed.
No New Law
Unlike most countries, Germany did not create a new law to implement the ePrivacy Directive. Instead it concluded the country's existing Telemedia Act already covered the required measures, meaning the directive was already implemented.
This conclusion was controversial. Critics argued that the Telemedia Act did not specifically address cookies, and that it allowed an opt-out rather than opt-in system, contrary to the ePrivacy Directive's requirements.
The GDPR Takes Effect
After the GDPR took effect in 2018, German data protection authorities issued official guidance on data protection issues. This guidance said that, contrary to previous arguments, the ePrivacy Directive had not been implemented in Germany. Instead it said the GDPR was the only applicable law on cookies.
The Planet49 Case
Germany's court system heard a case where consumer groups alleged unlawful behavior by a website called Planet49. It used a pre-ticked checkbox for competition entrants, with the checkbox giving permission to issue cookies that collected data about the user's online activity. Users who didn't want to give permission would have to uncheck the box before confirming their entry.
The German Federal Court of Justice (Bundesgerichtshof) referred questions to the Court of Justice of the European Union (CJEU) on how the consent requirement of the ePrivacy Directive, read together with the GDPR's definition of consent, applied to the case. In its ruling of 1 October 2019 (Case C-673/17), the CJEU held that a pre-ticked checkbox was not sufficient to show active consent from the user.
Without that active consent, the website did not have enough certainty about the user's intentions for the consent to count as meaningful. In turn this meant the legal basis of consent did not apply and the processing was unlawful. The CJEU also made two further points that matter in practice: consent is required for non-essential cookies whether or not the information they hold is personal data, because the rule protects the user's device; and the information given to the user must include how long the cookies will last and whether third parties will have access to them.
This clarification applies across the EU and many national data protection authorities have updated their guidance appropriately.
As well as considering the role of the GDPR in the case, the German court had to decide if the ePrivacy Directive was relevant. In simple terms, it said the German government's previous statements and actions clearly showed it intended that the ePrivacy Directive's measures should apply in Germany.
Based on this logic, in its judgment of 28 May 2020 the Federal Court of Justice ruled that the wording of the Telemedia Act should now be interpreted in a way that achieves the measures required by the ePrivacy Directive. (Since 1 December 2021, Germany also has an explicit statutory rule: section 25 of the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG, renamed TDDDG in 2024) requires consent for storing or accessing information on a user's device unless it is strictly necessary for a service the user has requested.)
How to Comply With Germany's Cookie Rules
While the legal position on cookies in Germany may appear confusing, the simplest option is to make sure both your procedures and any Privacy Policies are compliant with the GDPR.
Doing so has the following benefits:
- It avoids the risk of administrative penalties under GDPR. Although such penalties have been rare for cases involving cookies, they could involve orders to stop processing, or in serious cases, a substantial fine.
- You won't need to worry separately about the ePrivacy Directive, provided you treat every non-essential cookie as needing consent whether or not it holds personal data. A GDPR-standard consent process applied that way will fulfil (and usually go beyond) your obligations regarding cookies under Germany's domestic laws.
Let's go through the steps you need to take.
Define Your Essential Cookies
Correctly identifying "essential" cookies has two benefits:
- These cookies are exempt from the ePrivacy Directive and so do not need user consent.
- These cookies should satisfy the "legitimate interests" basis of the GDPR (or, where the user has requested the service, the "performance of a contract" basis), meaning you do not need to rely on consent.
A cookie is essential in two main situations:
- It is "strictly necessary" to provide an online service requested by the user. (It's not enough that the cookie is convenient or necessary for your own purposes.) The most common example is the cookie that keeps an online shopping cart together. Other examples include cookies used for security measures, such as the login session identifier or an anti-CSRF token.
- It is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, which is the other exemption in Article 5(3) of the ePrivacy Directive.
Edinburgh University's cookie policy gives a clear explanation of a strictly necessary cookie (the screenshot is not reproduced here).
Identify Cookies That are Personal Data
Any cookies that are completely anonymous could fall outside the GDPR as they would not be classed as personal data. Don't make assumptions on this point, however. Remember that personal data means any information that relates to an identified or identifiable individual. And remember that the ePrivacy rules (as applied in Germany since Planet49) still require consent for a non-essential cookie even if it is anonymous, so the GDPR question only decides which law applies, not whether you need consent.
This means a cookie can count as personal data in two ways:
- The text of the cookie clearly contains personal data.
- The cookie is linked to a user account or other record which contains personal data. For example, a cookie might only show that customer number 82735 has visited sites about widget collecting. However, your customer database might show that customer number 82735 is Axel Dieter of Bonn. This would mean the cookie constitutes personal data.
Remember that any cookie classed as personal data will require a legal basis for processing, which is usually consent.
Define the Purpose of the Cookies
When somebody gives consent under the GDPR, it can only cover data processing for a specific purpose rather than be blanket consent. You need separate consent for each purpose of processing.
You'll need to class your cookies into categories, each covering a specific purpose. Common examples include:
- Essential cookies (needed to provide a requested service)
- Preferences/Functional (needed to provide a customized service such as localized weather forecasts)
- Statistics (used to improve the website)
- Marketing (used to deliver targeted advertising)
Real sites show how this looks in practice. The Propertymark site uses five categories, with a link to a fuller explanation, while Tech Advisor gives more specific descriptions of what each type of cookie does.
Note that you can also classify cookies by technical means such as whether they are first-party (issued by you) or third-party (issued by somebody else) and whether they are persistent (they carry an expiry date and remain on the device until then) or session (no expiry date; the browser discards them when the browsing session ends, normally when the browser is closed, although browsers that restore sessions on restart may keep them).
This information may be useful for the user, but by itself doesn't satisfy the need to get purpose-specific consent.
Provide the Correct Information
The GDPR says you must give people the information they need to make an informed decision about consenting to data processing. With cookies this will usually mean:
- What data the cookie collects
- How and why you will use the data
- How long the cookie will remain on the device (a point the CJEU made explicit in Planet49)
- Whether you'll pass on the data to anyone else, including whether third parties can read the cookie
- Whether you'll transfer or send the data outside the EU/EEA and, if so, how you will protect it and maintain the user's data rights
When giving information, you need to balance being specific enough that the user can make an informed choice with being brief enough that you don't overwhelm the user to the point the information stops being useful.
Depending on how much detail you need to provide, you could:
- Present the cookie information as a standalone piece of text
- Link to a specific Cookies Policy on your site
The GDPR says you must have a legal basis before processing data, and where that basis is consent, the consent must come first. Issuing a cookie is processing, so a non-essential cookie must not be set until the user has consented to it. For this reason, many sites that rely on cookies display a cookie banner or pop-up window before the user can access the site.
Flixbus uses a pop-up window. It's not possible to navigate to other pages until you have responded to the cookie request, either by accepting all cookies or going to the cookie settings options.
In other cases, you can make the request at the point you collect the information needed to create the cookie. For example, you might ask a user to type in their postal code to get localized movie listings and then issue a cookie so that these listings are automatically displayed next time they visit the site. You would need to give the cookie information and get the user to consent to the cookie at the same time as they submit the postal code.
Use Acceptable Forms of Consent
The GDPR says consent must be "freely given, specific, informed and unambiguous." It also says giving consent must be a "clear affirmative action."
Both the text of the GDPR and subsequent court rulings and guidance from data protection authorities have established several key restrictions on how you can collect consent for cookies.
Clear Intention by the User
The user must take an affirmative action to give consent. You can't simply offer them a way to opt out of cookies: instead they must actively confirm they consent to cookies.
Scrolling Alone is Insufficient
Treating continued scrolling or browsing as consent doesn't work, for two reasons:
- By definition, the user can't have read all the relevant information before 'consenting' in this way.
- There's no way to withdraw the consent as easily as it was given, which Article 7(3) of the GDPR requires.
Pre-ticked Checkboxes are Not Allowed
The Planet49 case we mentioned earlier established that a pre-ticked checkbox isn't sufficient evidence of clear consent. It leaves too much doubt because the user may have clicked a confirmation button without noticing the checkbox or realizing they were giving consent.
Instead the safest option with a checkbox is to leave it unticked and require the user to actively tick the box to indicate their consent, then click a confirmation button to confirm it.
The same principle applies to slider toggles, which must be set to "off" by default.
23andMe correctly sets its slider for optional cookies to "Opt Out" by default. It also does a good job of explaining why some cookies are required.
No Cookie Walls
The "freely given" rule for consent under the GDPR means you can't make accessing a service (including using a website) conditional on consent.
In turn you can't use a cookie wall. This is where you block somebody from accessing a site unless they consent to cookies (other than essential/strictly necessary ones).
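Putting the steps in this section together, here is an added example (not code from the original article or from any site it mentions) of the decision logic behind a consent banner: categories per purpose, optional categories off by default, consent recorded only for an affirmative action, cookies gated on the current record, withdrawal per category, and deletion of cookies whose consent has gone. The category names, cookie names, policy version and the `writer` callback are assumptions made for illustration; wiring the functions to a real banner and to `document.cookie` is left to the site.

```javascript
// Added example, not code from the original article: the decision logic
// behind a purpose-based cookie consent banner. Category names, cookie
// names and the policy version are constructed for illustration.
const POLICY_VERSION = '2024-01'; // bump when purposes or recipients change

// One category per processing purpose; consent is recorded per category.
// The consent record itself lives in a first-party cookie, which is
// strictly necessary and therefore listed under "essential".
const CATEGORIES = {
  essential:   { requiresConsent: false, cookies: ['session_id', 'csrf_token', 'cookie_consent'] },
  preferences: { requiresConsent: true,  cookies: ['locale', 'weather_region'] },
  statistics:  { requiresConsent: true,  cookies: ['_analytics_id'] },
  marketing:   { requiresConsent: true,  cookies: ['ad_tracker'] },
};

// Only these user actions count as a "clear affirmative action".
// Scrolling, timeouts and closing the banner are deliberately not here.
const AFFIRMATIVE_ACTIONS = new Set(['accept_all', 'reject_all', 'save_selection']);

// Default state: every optional category is off (no pre-ticked boxes).
function defaultConsentState() {
  const state = {};
  for (const [name, cat] of Object.entries(CATEGORIES)) {
    state[name] = !cat.requiresConsent;
  }
  return state;
}

// Turn the user's action into a consent record. `choices` is the
// category -> boolean map from the settings form and is only read for
// 'save_selection'; anything other than a literal true stays off.
function recordConsent(action, choices = {}, now = Date.now()) {
  if (!AFFIRMATIVE_ACTIONS.has(action)) {
    throw new Error(`"${action}" is not an affirmative consent action`);
  }
  const state = defaultConsentState();
  for (const [name, cat] of Object.entries(CATEGORIES)) {
    if (!cat.requiresConsent) continue;           // essential stays on
    if (action === 'accept_all') state[name] = true;
    else if (action === 'save_selection') state[name] = choices[name] === true;
    // 'reject_all' keeps the default of false
  }
  return { state, action, timestamp: now, version: POLICY_VERSION };
}

// Withdrawal must be as easy as giving consent: one call per category.
function withdrawConsent(record, category, now = Date.now()) {
  const cat = CATEGORIES[category];
  if (!cat || !cat.requiresConsent) {
    throw new Error(`"${category}" is not an optional category`);
  }
  return {
    state: { ...record.state, [category]: false },
    action: 'withdraw',
    timestamp: now,
    version: record.version,
  };
}

// A record made under an older policy version is stale: ask again.
function isCurrent(record) {
  return Boolean(record) && record.version === POLICY_VERSION;
}

// The gate every cookie write goes through. With no current record,
// only essential cookies may be set; unknown cookies are never allowed.
function maySetCookie(record, cookieName) {
  const state = isCurrent(record) ? record.state : defaultConsentState();
  for (const [name, cat] of Object.entries(CATEGORIES)) {
    if (cat.cookies.includes(cookieName)) return state[name] === true;
  }
  return false;
}

// Cookies that must be deleted because consent for their category was
// present in `before` but is absent in `after` (withdrawal or re-consent).
function cookiesToDelete(before, after) {
  const names = [];
  for (const [name, cat] of Object.entries(CATEGORIES)) {
    if (before.state[name] === true && after.state[name] !== true) {
      names.push(...cat.cookies);
    }
  }
  return names;
}

// Use this instead of writing document.cookie directly. `writer` is
// whatever sets the cookie, e.g. (s) => { document.cookie = s; }.
function setCookieIfAllowed(record, name, value, writer) {
  if (!maySetCookie(record, name)) return false;
  writer(`${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`);
  return true;
}
```

Two design choices are worth noting. Unknown cookie names are refused rather than allowed, so a script that sets a cookie nobody has inventoried fails closed and shows up in testing. And a record carries the policy version, so when you add a purpose or a new third-party recipient you bump the version and the old consent stops authorizing anything, which forces a fresh, informed choice instead of silently extending an old one.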
Summary
Let's recap what you need to know about cookie rules in Germany and how to comply.
- Germany is covered by the ePrivacy Directive and the GDPR, both of which have been clarified and developed by court rulings and regulatory advice.
- A directive is a list of principles and goals that countries must achieve through domestic law. Exactly how Germany did this with the ePrivacy Directive has been disputed. The court position since 2020 is that its Telemedia Act must be interpreted in a way that achieves these principles and goals, and since December 2021 section 25 TTDSG (now TDDDG) states the consent requirement explicitly.
- The GDPR is a regulation, meaning it automatically has force in German law.
- Complying with the GDPR in full will normally be enough to cover all "cookie rules" in Germany.
- You need to identify any essential/strictly necessary cookies. These don't need consent as they are exempt from the ePrivacy Directive's measures and should qualify for the "legitimate interests" (or "performance of a contract") basis under the GDPR.
- All other cookies require consent. Under the GDPR this is because they usually involve personal data processing; under the ePrivacy rules as applied in Germany, consent is needed for any non-essential cookie even if it neither contains information identifying an individual nor is linked to any record that identifies (or could identify) one.
- You need to categorize cookies by processing purpose. You need specific consent for each purpose.
- Before asking for consent, you must tell users what data a cookie collects, how and why you'll use it, and whether you'll share it with a third party.
- You must get consent before issuing the cookie.
- The consent must involve an affirmative action that clearly indicates consent. You can't rely on opt-outs, scrolling as a form of consent or pre-ticked checkboxes.
- You can't make consent to non-essential cookies a condition of accessing the site (a setup known as a cookie wall).