I. Cookies are personal data
The General Data Protection Regulation (GDPR) contains no explicit rules on cookies. However, its recitals point out that under certain circumstances online identifiers such as IP addresses and cookies can be attributed to natural persons. Cookies are therefore also treated as “personal data” within the meaning of the GDPR. Applying the GDPR to cookies in practice is not always straightforward, since the legislator generally had other kinds of data collection in mind.
III. Lawfulness of the processing (Art. 6 GDPR)
A. Legitimate interest of the controller or a third party
B. Consent of the data subject
To determine whether the cookies used require consent, a distinction must be made between technically necessary and technically unnecessary cookies.
- Technically necessary cookies store data that is used exclusively to provide the online service requested by the user (e.g. shopping cart function, security in online banking, storage of language settings or login data).
- Technically unnecessary cookies are those that are not needed for the functionality of the website or its service. These include in particular tracking cookies, targeting cookies, analytics cookies and cookies from social media sites (e.g. Google Analytics, the Facebook “Like” button).
Technically necessary cookies ensure user friendliness and the functioning of the website. They are generally justified by a legitimate interest or by a contractual relationship (e.g. a registered profile). Therefore, no consent of the user is required, i.e. they may be set from the outset.
However, if cookies are used for marketing purposes and are therefore not technically necessary, the website operator must obtain the user’s consent beforehand.
Such consent, which is normally obtained via a cookie banner, must be:
- freely given,
- specific (given for a particular purpose),
- informed (given by a user who knows what they are consenting to),
- unambiguous (explicit),
- auditable (recorded),
- and revocable at any time.
Therefore, an opt-in solution is required for cookies that are not technically necessary. Such cookies may not be set from the outset, but only after the user has given explicit and active consent (hard opt-in). A so-called soft opt-in, in which the user supposedly consents merely by continuing to use the website, is not sufficient: the user must take an active step, and must be able to revoke consent.
- Soft opt-in: a statement in the cookie banner that tacit consent is given through further use of the website (e.g. scrolling).
It should be noted that there is a growing consensus that so-called cookie walls are not compatible with the GDPR. A cookie wall confronts the user with the choice of either accepting the cookies or being unable to use the website at all. Consent given in this situation is not voluntary, because it is tied to the use of the service; cookie walls should therefore be prohibited (the so-called prohibition of tying).
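The hard opt-in, audit-trail and revocation requirements above, as an added example that is not from the article: a minimal consent gate in JavaScript. The cookie jar is an in-memory stand-in for `document.cookie` so the logic runs outside a browser; the cookie names and the policy version are assumed values, and `ConsentGate` is a hypothetical helper.

```javascript
// Added example (not the article's code). Cookie names and POLICY_VERSION are assumed.
const NECESSARY = new Set(['session_id', 'lang', 'cart']); // assumed technically necessary cookies
const POLICY_VERSION = '2019-08'; // assumed; ties each record to the banner text shown

class ConsentGate {
  constructor() {
    this.jar = new Map();   // cookie name -> value (stand-in for document.cookie)
    this.records = [];      // audit trail: every decision, so consent can be proven
  }
  // Latest decision, or null if the user has not acted yet.
  current() { return this.records.length ? this.records[this.records.length - 1] : null; }
  hasConsent() { const c = this.current(); return c !== null && c.granted; }
  // Technically necessary cookies may always be set (legitimate interest / contract);
  // everything else waits for an explicit opt-in. Declining never blocks the site
  // itself, so there is no cookie wall. Returns true if the cookie was written.
  setCookie(name, value) {
    if (!NECESSARY.has(name) && !this.hasConsent()) return false; // blocked until consent
    this.jar.set(name, value);
    return true;
  }
  // Only an active step counts. Continuing to browse (scrolling, navigating) is
  // the soft opt-in the text rejects, so it is refused rather than recorded.
  decide(choice, action) {
    if (action !== 'click') throw new Error('consent requires an explicit action, got: ' + action);
    if (choice !== 'accept' && choice !== 'decline') throw new Error('unknown choice: ' + choice);
    const rec = { granted: choice === 'accept', action, at: new Date().toISOString(), policyVersion: POLICY_VERSION };
    this.records.push(rec);
    if (!rec.granted) this.purge();
    return rec;
  }
  // Withdrawal at any time: recorded like a decision, and removes every
  // non-necessary cookie so that the revocation actually takes effect.
  revoke() { return this.decide('decline', 'click'); }
  purge() {
    for (const name of [...this.jar.keys()]) {
      if (!NECESSARY.has(name)) this.jar.delete(name);
    }
  }
}
```

In a real deployment the same gate would also hold back third-party scripts (analytics, social plugins) until `hasConsent()` is true, since those scripts set their own cookies once loaded.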
IV. Information obligation (Art. 13 GDPR)
- Name and contact details of the controller (and, if applicable, of the data protection officer)
- Purpose and legal basis (if applicable, the legitimate interests) of the cookies used
- Possible recipients (third parties) of the cookies/data
- If applicable, the controller’s intention to transfer data to a third country or international organisation
- Duration of storage of the cookies/data
- Reference to the rights of the data subject
- Right to withdraw consent
V. Personal data through social plugins?
With social plugins, such as the Facebook “Like” button, personal data such as the user’s IP address is also processed and even forwarded to third parties. Simply visiting a website that contains a social plugin is usually enough for data to be passed on to third parties.
In addition, these plugins can set cookies that the providers can read. The information can be attributed to a profile in order to build user profiles and display suitable advertisements.
This applies, for example, to plugins from Google, Facebook, LinkedIn, Twitter, Pinterest, YouTube, etc.
In its decision of 29 July 2019, the European Court of Justice also confirmed that the operator of a website with social plugins must obtain consent in the manner described above and is obliged to provide information on the processing of personal data.
The first step towards a lawful implementation is to identify precisely which cookies and social plugins are used. Is there a legitimate interest, or must consent be obtained from the user? In any case, information in the form of a cookie declaration is required on the website, which can also be part of the privacy policy. This declaration must describe in detail the intended use, the categories of data, the data subjects, etc.