The European Court of Justice decided on 01.10.2019 at 11:30 a.m. which obligations should apply to Internet pages when handling cookies. This vote was triggered by an online lottery from Germany.
Generally speaking, cookies are a useful technique, but they must be treated with caution, as we reported in 2016.
As soon as cookies store personal data, e.g. name, IP address or email address, data protection comes into play. Since 25 May 2018, the DSGVO, which states in Article 4 that online identifiers that can be used to identify individuals must also be regarded as personal data and protected accordingly, has been in effect since then.
Agreement to set cookies
The lottery leading to the current procedure took place in 2013. At that time Planet49 GmbH organized an online competition. On this website a box was placed, which asks the user if he agrees to cookies being set. The difference to other websites was that this box was set from the beginning. This means that the user had to click on the box to oppose the setting of cookies.
The German Federal Association of Consumer Organisations (VZBV) filed a complaint against this action and demanded that Planet49 cease and desist. So far, no judgement has been reached on this action, and the European Court of Justice is accordingly considering whether Planet49 GmbH’s action complies with the DSGVO.
The ruling of the ECJ
The ruling of the ECJ can be interpreted as a victory for the Federal Association of Consumer Centres (VZBV). From now on, cookies may not be set without the visitor’s consent. The Press release of the European Court of Justice states literally: “With today’s ruling, the Court of Justice decides that the consent required for the storage and retrieval of cookies on the visitor’s device of a website is not effectively given by a preset checkbox, which the user must deselect to refuse his consent.
- what information is stored with this cookie (e.g. search terms on the website)
- for what purpose this data is processed (e.g. analysis of visitor behaviour)
- whether third parties have access to this data (third party cookies)
- a link to the privacy statement must be listed
In addition to these points, the visitor must have a choice as to whether he or she agrees with the cookies mentioned. In addition, the visitor must clearly agree that if the visitor does nothing, no cookies will be set.
Sevencast – der IT-Security Podcast
Von unterwegs, im Büro oder zu Hause hören und auf dem aktuellen Stand bleiben!