Image: Unsplash
Summary:
Website operators are not permitted to use cookies and similar tracking technologies for analysis and marketing purposes without the informed consent of users, if this involves sharing personal data with third parties and enables the tracking of users while they surf the web. Cookie banners have to be designed in such a way that, on the first layer, both declining and consenting are presented as equivalent options beside each other. When websites use third-party plug-ins, such as Google Analytics and the Facebook pixel, this usually results in joint controllership under Art. 26 GDPR, which is why information on “the essence of the arrangement” between the joint controllers, as required under Art. 26(2) Sentence 2 GDPR, must be made available to users.
This is what the LG Rostock (Rostock Regional Court) decided in its judgment of 15 September 2020, ref. 3 O 762/19 (not legally binding). The Federation of German Consumer Organisations (vzbv) had filed a complaint against “advocado”, an online service that helps people find a lawyer.
With its lawsuit, the consumer protection group challenged misleading interfaces – known as dark patterns – used in the cookie banners of consent management platforms.
Website operators use cookie banners as a means of obtaining user consent for certain, mostly commercial, data processing.
Ever since the ECJ’s decision in the Planet49 case (C-673/17) in October 2019, it has been clear that website operators require the express, informed consent of users before using cookies and similar technologies that serve to track users and that rely on device information – such as IP addresses, MAC addresses, mobile identifiers, cookie IDs, advertising IDs and hardware information. This applies regardless of whether the information is personal, because the ePrivacy Directive, which applies here, protects the integrity of the user’s device and thus their privacy, regardless of whether the data processed is personal in nature or not.
The cookie banner that initially appeared when visiting the advocado.de website looked as follows:
Fig. 1: Preferences, statistics, marketing all pre-activated
The four checkboxes at the bottom were pre-selected. Users were expected to consent to the use of cookies by selecting “OK”.
The defendant changed the cookie banner in the course of the proceedings. It then looked as follows:
Fig. 2: “Accept only necessary cookies” (grey button), “Accept cookies” (green button),
“Details” (drop-down menu)
Next to the option to view more details, it was a bright green “Allow cookies” button that first caught the attention of visitors. Next to this was a button with a grey background labelled “Accept only necessary cookies”.
The core principles of the court’s decision at a glance:
1. Consent is required when using tracking technologies for analysis and marketing purposes
In telecommunications and electronic media, the use of user-tracking technologies that transmit a user’s personal data to third parties for analysis and marketing purposes requires that user’s informed and freely given consent.
The court found that the way the cookie banner was designed did not meet the relevant requirements to ensure that any consent granted by users would be unambiguous, freely given, informed, and therefore effective under Art. 4 No. 11 and Art. 7 GDPR.
The cookie banner shown in the first image already fails when it comes to an “unambiguous indication of the data subject’s wishes”, because a preset selection of data processing (requiring the user to opt out if they wish) is not an effective form of consent (i.e. requiring the user to opt in); the ECJ has already made this unequivocally clear both with Planet 49 (C-673/17) and Orange Romania (C-61/19).
But the second cookie banner design (pictured) was also deemed insufficient, because
“Effective consent is thus also not possible with the cookie banner now used. This is because here, too, all cookies are preselected and are ‘activated’ by clicking on the green ‘Allow cookies’ button.”
[…]
“It is true that the consumer has the option to view details and to deselect individual cookies. In reality, however, the average consumer will avoid going to the trouble of doing so, and will instead press the button without first reading the details. But this means that the consumer does not know the consequences of their declaration.
The fact that the cookie banner now in use also gives the user the option of restricting their consent to technically necessary cookies, by letting them select ‘Accept only necessary cookies’, does not change this assessment. In this respect, it should be noted that this button is not even recognisable as a clickable button.
What is more, it also fades into the background next to the ‘Allow cookies’ button, which is green and therefore appears to be preset. Many consumers will therefore not normally perceive this option as an equivalent consent option. The introductory text does not change this, as it already fails to explain which cookies are preset in which way, and thus which button ‘activates’ which cookies.”
The above statements of the court are highly significant for how cookie banners are designed. Cookie banners that fail to give equal prominence to the options of accepting and declining are fundamentally technically unsuitable from a legal perspective, let alone as a basis for informed consent.
2. Burden of proof for the data protection-compliant design of a website and its third-party plug-ins lies with the website operator
The defendant argued that Google Analytics, in particular, forwarded the personal IP addresses of users to the third-party provider. With respect to all other tools, however, including the Facebook pixel it used, it merely flatly denied the occurrence of any cross-website data transmission.
From a procedural perspective, the question arises as to who bears the burden of proof in such cases. The court’s answer is clear:
“That is insufficient here, as it is for the defendant to prove that the design of the website complies with data protection law, as follows from Art. 5(2) and Art. 24(1) GDPR.”
“Since the tracking technologies specifically named by the plaintiff […] are not only capable in principle, but are also regularly used precisely to collect personal data and transmit it to third-party providers, the defendant would have to specifically state and demonstrate that the cookies mentioned do not transmit any personal data to other websites. It has not met that burden of proof.”
“Moreover, in the description of the cookies themselves in its privacy policy, the defendant has described their functioning to the effect that they serve to track the user across multiple websites and also to identify the user across visits and devices.”
This statement couldn’t be clearer. A website operator cannot hide behind the lack of transparency of the technologies it uses and flatly deny the relevance of this under data protection law.
3. Third-party cookies and joint controllership: Duty to inform about joint controllership agreements
When third-party tracking technologies are involved, information must be made available to users about the essence of the agreement between joint controllers in accordance with Art. 26(2) Sentence 2 GDPR.
The court found:
“Contrary to the defendant’s view, this is a case of joint controllership for a data processing operation within the meaning of Art. 26 GDPR, and not of processing carried out on behalf of a controller pursuant to Art. 28 GDPR.”
“[…] This is because Google does not process the data for the sole purpose of use by the website operator. Rather, Google, like other third-party providers, expressly reserves the right to process for its own purposes as well.”
Since by integrating third-party cookies it transmitted personal data to third-party providers, and since those third-party providers (also) processed this data for their own purposes – as was the case, for example, with integrating the Google Analytics cookie – the defendant was found to have breached its obligation to provide information about the essence of the joint controllership agreement.
