I. Cookies are personal data

The General Data Protection Regulation (GDPR)[1] does not contain any explicit rules on cookies. However, its recitals point out that under certain circumstances online identifiers such as IP addresses and cookies can be linked to natural persons. Cookies are therefore also considered “personal data” within the meaning of the GDPR. Applying the GDPR to cookies in practice is not always straightforward, since the legislator generally had other kinds of data collection in mind.

II. Data protection compliant use of cookies

The GDPR and the Cookie Directive[1], which will soon be replaced by the ePrivacy Regulation, oblige website operators in the EU as well as in Switzerland[2] to use cookies in compliance with data protection law. Official authorities, probably because of the delays and disagreements over the ePrivacy Regulation, have explained only vaguely how these obligations must be fulfilled when cookies are used. In the meantime, however, national data protection authorities (e.g. ICO[3], CNIL[4]) have indicated what is required when cookies are used. In addition, the European Data Protection Board (EDPB) has adapted the cookie policy and the cookie banner on its own website to show what is expected.

Since personal data is also processed through the use of cookies, the website operator must ensure the lawfulness of the processing and must inform the user. Today, this is usually done with so-called cookie banners, which inform users about cookies and, where necessary, obtain their consent. However, not all cookie banners meet the requirements of the applicable laws.

III. Lawfulness of the processing (Art. 6 GDPR)

According to the GDPR, the use of cookies that process users’ personal data is only lawful if there is a legal basis under Art. 6 GDPR. A legitimate interest or the consent of the data subject can serve as such a legal basis.

A. Legitimate interest of the controller or a third party

A legitimate interest of the website operator may exist if the use of cookies is necessary for the services offered or for security reasons. This interest must always be weighed against the interests and the fundamental rights and freedoms of the data subject. On that basis, storing the shopping cart in an online shop or the cookies used for identification and security in e-banking should be covered by a legitimate interest. However, as soon as there is no longer a legitimate interest, or as soon as the user’s interest prevails, consent must be obtained.

B. Consent of the data subject

To determine whether the cookies used require consent, a distinction must be made between technically necessary and technically not necessary cookies.

  • Technically necessary cookies are those that store data that is used exclusively to provide the online service requested by the user (e.g. shopping cart function, security in online banking, storage of language settings or log-in data, etc.).
  • Technically not necessary cookies are those that are not necessary for the functionality of the website or its service. These include in particular tracking cookies, targeting cookies, analysis cookies and cookies from social media websites (e.g. Google Analytics, Facebook “Like” button, etc.).

Technically necessary cookies ensure usability and the functioning of the website. They are generally justified by a legitimate interest or a contractual relationship (registered profile). Therefore, no consent of the user is required, i.e. they may be set from the start.

However, if cookies are used for marketing purposes and are therefore not technically necessary, the website operator must obtain the user’s consent beforehand.

Such consent, which is normally obtained via a cookie banner, must be:

  • freely given,
  • for a specific purpose,
  • given by an informed user,
  • unambiguous (explicit),
  • auditable (recorded),
  • and revocable at any time.

Therefore, an opt-in solution is required for cookies that are not technically necessary. Such cookies may not be set from the start, but only after the user has given explicit and active consent (hard opt-in). A so-called soft opt-in solution, in which the user is deemed to consent merely by continuing to use the website, is not sufficient: the user must take an active action and must be able to revoke consent.

  • Opt-in: Consent to the use of cookies is obtained before such cookies are set, but the cookies cannot be directly rejected.
  • Soft opt-in: The cookie banner asserts that tacit consent is given through further use of the website (e.g. scrolling).
  • Hard opt-in: The user can actively decide for or against the use of cookies when visiting the website for the first time.
  • Opt-out: Consent to the use of cookies can be revoked.

It should be noted that there is an increasing consensus that the use of so-called cookie walls is not compatible with the GDPR. A cookie wall confronts the user with the choice of either accepting the cookies or not being able to use the website at all. Such consent is not given freely, because it is tied to the use of the service, and cookie walls should therefore be prohibited (the so-called prohibition of linking).

IV. Information obligation (Art. 13 GDPR)

For all cookies, the obligation to inform the user according to Art. 13 GDPR must always be fulfilled. This means that when cookies are used for the first time and personal data is thus collected, the user must be informed of the following through a cookie policy or privacy policy on the website:

  • Name and contact details of the controller (and, if applicable, of the data protection officer)
  • Purpose and legal basis (if applicable, the legitimate interests) of the cookies used
  • Possible recipients (third parties) of the cookies/data
  • If applicable, the controller’s intention to transfer data to a third country or international organisation
  • Storage duration of the cookies/data
  • Reference to the rights of the data subject
  • Right to withdraw consent

V. Personal data through social plugins?

With social plugins, such as the Facebook “Like” button, personal data such as the user’s IP address is also processed and even forwarded to third parties. Merely opening a website that contains a social plugin is usually enough for data to be passed on to third parties.

In addition, these plugins can set cookies that the plugin providers can read. This information can be linked to a profile in order to build user profiles and serve targeted advertisements.

This applies, for example, to plugins from Google, Facebook, LinkedIn, Twitter, Pinterest, YouTube etc.

In its decision of 29 July 2019, the European Court of Justice also confirmed that the operator of a website with social plugins must obtain consent in the manner described above and is obliged to provide information on the processing of personal data.

VI. Conclusion

As a first step, a precise inventory of the cookies and social plugins used is necessary for a lawful implementation. Is there a legitimate interest, or must consent be obtained from the user? In any case, information in the form of a cookie declaration is required on the website, which can also be part of the privacy policy. This declaration must describe in detail the intended use, the data categories, the data subjects, etc.

If technically not necessary cookies or social plugins are used, consent should be given by a click (e.g. “accept”, “agree”). Only after this consent may cookies be set and may plugins transfer data to third parties. In addition, the user must be given the opportunity to refuse consent and to revoke it at any time. This can be done, for example, with a button or checkbox in the cookie banner, in the privacy policy or in the footer.
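The consent flow described in section III.B and in this conclusion, as an added example that is not part of the original article: a small hard opt-in gate in which essential cookies are set immediately, marketing cookies and social-plugin scripts are released only after an explicit accept, scrolling changes nothing, every decision is recorded, and revocation deletes the marketing cookies again. The cookie names, plugin id and the in-memory cookie store are constructed for the example so that it runs outside a browser.

```javascript
// Added example (not the article's own code): a hard opt-in consent gate. Essential
// cookies are set at once; marketing cookies and plugin scripts only after an explicit accept.
const ESSENTIAL = "essential", MARKETING = "marketing";
function createConsentGate({ cookieStore, loadPlugin, now = () => Date.now() }) {
  // cookieStore: { set(name, value, category), remove(name), list() }; loadPlugin(id) injects a third-party script.
  const state = { decision: null, log: [] };   // decision: null | "accepted" | "rejected"
  const pending = [];                           // plugins requested before the user decided
  const record = (event) => state.log.push({ event, at: now() }); // auditable consent record
  return {
    setCookie(name, value, category) { // hard opt-in: nothing unnecessary before the click
      if (category !== ESSENTIAL && state.decision !== "accepted") return false;
      cookieStore.set(name, value, category); return true;
    },
    requestPlugin(id) { // social plugins are deferred until consent exists
      if (state.decision !== "accepted") { pending.push(id); return false; }
      loadPlugin(id); return true;
    },
    continueBrowsing() { record("scroll"); }, // soft opt-in is not consent: decision unchanged
    accept() { // explicit click: record it, then release the deferred plugins
      state.decision = "accepted"; record("accept");
      while (pending.length) loadPlugin(pending.shift());
    },
    reject() { state.decision = "rejected"; record("reject"); }, // refusing must be possible
    revoke() { // withdrawal at any time: block further processing and delete what consent covered
      state.decision = "rejected"; record("revoke");
      for (const c of cookieStore.list()) if (c.category !== ESSENTIAL) cookieStore.remove(c.name);
    },
    auditLog: () => state.log.slice(),
  };
}
// Constructed in-memory store standing in for document.cookie, so the example runs in Node.
function memoryCookieStore() {
  const jar = new Map();
  return { set: (n, v, category) => jar.set(n, { name: n, value: v, category }),
           remove: (n) => jar.delete(n), list: () => Array.from(jar.values()) };
}
function demo() {
  const store = memoryCookieStore(), loaded = [];
  const gate = createConsentGate({ cookieStore: store, loadPlugin: (id) => loaded.push(id) });
  gate.setCookie("cart", "item42", ESSENTIAL);               // allowed before any click
  const early = gate.setCookie("_ga", "GA1.2.1", MARKETING); // blocked: no consent yet
  const earlyPlugin = gate.requestPlugin("facebook-like");  // deferred, not loaded
  gate.continueBrowsing();                                   // scrolling is not consent
  gate.accept();                                             // explicit click on "accept"
  gate.setCookie("_ga", "GA1.2.1", MARKETING);               // now permitted
  const afterAccept = store.list().map((c) => c.name);
  gate.revoke(); const afterRevoke = store.list().map((c) => c.name); // marketing cookie gone
  return { early, earlyPlugin, loaded, afterAccept, afterRevoke, events: gate.auditLog().map((e) => e.event) };
}
```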

In order to guarantee the use of cookies and social plugins in compliance with data protection regulations, please contact us. We will be happy to find a practicable solution for every customer.