Are common cookie banners still state-of-the-art? Or do websites have to remain black before the user has given his/her consent? Which liability risks exist in the event of a breach of the relevant data protection regulations? And who is affected by the ECJ's recent ruling?

What are cookies and what types of cookies exist? A brief overview

The ECJ adopts the definition of the German Federal Court of Justice, that cookies as text files which the provider of a website stores on the website user's computer. Generally, the website provider can access those cookies again when the user visits the website on subsequent occasions, in order to facilitate navigation on the internet or transactions, or to access information about user behaviour.

Cookies can be used to track which websites the user has visited. In addition, information about email addresses and the name of the user can also be included and transmitted. Hence, the use of cookies makes it possible to determine surfing habits, which can be evaluated automatically.

Different types of cookies can be identified, e.g. by their functions and possible uses. The first category are the so-called session cookies. They are only stored on the user's computer for the duration of a user session and are intended to simplify the use of the site. A common example is that a user does not have to constantly retype his/ her password on a password-protected page. After the end of the respective session, the session cookies are automatically deleted, which is why they are often referred to as "non-persistent cookies".

The second category are the so-called tracking cookies. They are a marketing tool and collect data about the user across sessions and are stored permanently on the user's computer ("persistent cookies"). These tracking cookies can be placed on the user's computer by the website operator, in which case they are called First-Party Cookies. Or, such cookies can be stored on the user's computer by third parties (Third-Party Cookies), e. g. via a displayed advertising banner. This almost always happens unnoticed.

Stricter requirements for the use of cookies according to the current legal situation

Cookies always include a certain reference to the respective user, thus the stored information has to be classified as personal data. Both the Directive On Privacy And Electronic Communications (2002/58/EC in its current version) and the General Data Protection Regulation (EU 2016/679) are therefore applicable.

In its recent decision on this issue, the ECJ has now ruled that users must actively consent to the storage and reactivation of cookies on their terminal equipment. Mere passive behaviour is not (or no longer) sufficient. Accordingly, it is not possible to store information on the user's computer without the user's explicit consent. Hence, the simple reference regarding the use of cookies in a corresponding banner or even a preselected checkbox are no longer eligible. Nor can consent be given implicitly (e.g. through the use of the website and/or services), but must be given expressly for the specific purpose.

These requirements concern not only persistent cookies but also session cookies. The decision of the ECJ constitutes a significant tightening of the requirements so far imposed by German law. However, even under the laws of other EU member states, implied consent of the user to the use of cookies will no longer be acceptable.

Other effects of the ECJ's decision on the operation of websites

A thorough reading of the reasons for the ECJ's decision raises the question whether the consequences of the decision have implications that go beyond the mere use of cookies. The ECJ also clarified that the requirement of "active consent" under the Directive On Privacy And Electronic Communications does not only apply to personal data. The user should be protected against any violation of his or her privacy. Hence it does not matter whether personal or other data is stored on the user's terminal device.

This raises the question of which (intermediate) data storage, e.g. in the user's main memory, is covered by the active consent requirement. This requires a precise legal analysis of the data processing operations in order to exclude liability risks.

What will change once the ePrivacy Regulation enters into force?

The so-called ePrivacy Regulation was originally intended to enter into force together with the General Data Protection Regulation. As things stand, however, it is still expected to be adopted in 2020 to replace the Directive On Privacy And Electronic Communications.

The regulation is specifically intended to regulate the relationship between digital operators and users and to create special conditions for communication. This is partly accompanied by a tightening of the corresponding requirements. However, it is not yet possible to make a precise prognosis about the final scope of the regulation. Nevertheless, it can be expected that some changes will be made before the regulation is adopted in order to meet the practical requirements of the markets concerned. Given that the regulation does not require a further implementation period, and thus applies immediately, companies should follow developments closely.

What are the liability risks?

A breach of the data protection provisions of EU law can have far-reaching financial consequences. For instance, a breach of the consent requirement under the General Data Protection Regulation can result in fines of EUR 20 million or up to 4% of the total annual worldwide turnover of a company in the previous financial year whichever is the higher amount. Against this background, it is particularly useful for companies to keep a close eye on their own practice and to keep it legally compliant, in particular with the ECJ's recent ruling.