Cookies, Cookie Banner and Consent Tool: Germany DSK Guidelines

On 28 May 2020, the German Federal Court of Justice (BGH) ruled that an opt-out for cookies settings is invalid under German law under Section 15(3) of the German Telemedia Act (TMG). The ruling was a result of a misinterpretation of Section 15 that the TMG allows the use of cookies under “legitimate interest.” That is, website operators wrongly interpreted that the website can use cookies without the need for opt-in. The users can opt out later if they want. However, the court clarified that the use of all non-essential cookies requires explicit cookie consent or opt-in from the website users.

This decision is in line with the standards proposed by the German association of Data Protection Authorities (DSK), the European Data Protection Board (EDPB) and the European Court of Justice (ECJ). It is worth mentioning that the European Union’s Court of Justice (CJEU) judgment on the Planet49 case influenced the BGH ruling. The CJEU ruled that consent obtained through a pre-ticked checkbox is not valid. That is, a pre-enabled option for consent for cookies is an unlawful practice.

The BGH ruling reaffirms the Germany DSK cookie guidelines (available in German)published in 2019. This article will discuss the important takeaways from the guidelines for cookies and what steps you need to take to comply with them.

What is cookie consent?

The GDPR allows data collection and use for purposes that have one of the six legal bases:

Explicit consent of users
Legal obligation for data collection and use
Contractual obligation between the data controller and the user
The legitimate interest of the data controller
For the vital interest of the user or another user
For carrying out tasks in the public interest

In the case of using cookies to collect data, the most reliable and applicable basis is getting user consent.

Art 4[11] of GDPR (DSGVO) defines consent as:

“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”

That is, consent is only valid if it is freely given, specific, informed, and unambiguous. Let us look at what each of them means concerning cookies.

Freely given – the users must give consent to cookies of their free will rather than be compelled to.
Specific – Each cookie operation or function must have a separate consent choice rather than a single common option. The users must have a choice to enable each of them.
Informed – you must provide adequate information about cookies and their purpose for the users to make an informed decision on cookie consent.
Unambiguous: consent must be expressed via an explicit action, such as clicking a button. Implicit consent such as not responding to the consent request or browsing through the page is not valid.

Other than these, the cookie consent must also be:

Revocable – the users must be able to easily withdraw their cookie consent at any time.
Demonstrable – the website operator must be able to provide proof of cookie consent received if requested by the users or the regulatory authority.

German DSK guidelines for cookies, cookie banner, and consent tool

Here are the main takeaways related to cookie consent from the DSK guidelines

Do not use store cookies on the users’ device without getting their explicit consent unless they are strictly necessary cookies.
Using Google Analytics cookies does not constitute “legitimate interest” and it requires the users’ explicit consent (DSK opinion on Google Analytics).
The cookie consent banner must provide an overview of all cookie operations that require consent, with adequate information about their purpose and source.
These operations can be activated or enabled via a selection menu. The operation must not be pre-activated.

Infermedica cookie banner — Infermedica cookie consent banner

Cookie banner that explains each and every cookie and gives separate consent options
While the banner is displayed to the user on a website or web app, it must block all cookie scripts that collect user data.
The banner should not prevent access to the privacy policy or other legal notice on the website.
Do not load cookies unless the users give their consent using an explicit action, such as ticking a checkbox or clicking a button on the banner.
To demonstrate proof of consent (Art. 7[1] of the GDPR), an indirect identification (Art. 11) of the user is enough.
There must be an option on the cookie banner or consent tool to let users withdraw their consent and it must be as easy as giving consent (Art 7[4] of the GDPR).

cookie consent withdrawal button — Button to change cookie consent on website’s homepage

Do not use the “OK” (or similar dismissive terms) button along with cookie settings. It robs the users of a “free” and “genuine” choice for refusing consent.

cookie banner with OK button — Invalid form of collecting consent

The users must be able to visit the website even if they refuse to consent to cookies.
Silence, inactivity, or non-affirmative actions, such as scrolling through a page does not indicate consent.

How CookieYes cookie consent solution helps

CookieYes is a web app for cookie consent management for your website. It helps you to comply with GDPR, CCPA, LGPD, and ePrivacy Directive for cookies. It is easy to add a cookie consent banner to your website and manage its operations with our solution. It supports major CMS, such as WordPress, MODX, Magento, Drupal, Joomla, Blogger, Shopify and Squarespace.

CookieYes’ features will help your website to comply with the DSK cookie consent requirements. Let us take a look at them:

Customize the content, layout, and color scheme of the cookie banner.

Customize the label and color of the consent buttons

Automatically block non-essential cookies, such as Google Analytics, before the users give their consent (when the banner is displayed).
Disable pre-activation of cookies before consent.