ECJ judgments C-40/17 and C-673/17 on the use of social media plugins and cookies.
The European Court of Justice (ECJ) has ruled on the use of social media plugins and cookies in two recent decisions. Both decisions have implications for the use of online marketing technologies on websites.
In decision C-40/17 of 29 July 2019, the ECJ dealt with questions of responsibility in the use of social media plugins and ruled that website operators are to be considered responsible for the processes of collecting personal data from website visitors and passing it on to the providers of embedded social media plugins. (cf. para. 84f). In order to be able to activate social media plugins when a website is accessed, the website operator must already provide information on data protection law before activating the plugin and obtain consent for use from the website visitors.
In the decision C-673/17 of 01 October 2019, the ECJ primarily discussed the effectiveness of consent in the use of tracking cookies and the associated information requirements. The court pointed out that according to the requirements of EU Directive 2002/58, “the storage of information or access to information already stored in a user’s terminal equipment [e.g. cookies] is only permitted if the user concerned has given his consent on the basis of clear and comprehensive information (…).” It is irrelevant whether the information accessed is personal data or not (cf. para. 71).
With this decision, based on EU Directive 2002/58, the setting and reading of cookies would in principle only be permitted with the consent of the user. However, EU Directive 2002/58 has not been implemented in Germany. Since EU directives do not have direct horizontal legal effect, the rules are not directly applicable nationally. Thus, there is currently no obligation in Germany to generally request consent for cookies. However, the ECJ’s ruling sets a direction. It is expected that a binding regulation will be introduced by the new ePrivacy Regulation, which has not yet been adopted. It is also possible that even before the ePrivacy Regulation comes into force, the German Telemedia Act will be revised with a regulation for cookies that conforms to European law.
For the time being, the recommendations of the state data protection commissioners should be taken into account when using cookies. The supervisory authority in Baden-Württemberg is currently of the opinion that consent for the storage or reading of cookies, among other things, is not necessary if cookies:
- are technically necessary to provide a service (e.g. session cookies),
- enable the “shopping cart” function or save settings (such as font sizes or similar) and are only used for this purpose.
However, consent is always required for cookies if they are used “to analyse and track user behaviour for advertising purposes or to have it analysed by third parties” (LDSB-BW, 2019). Effective cookie consent is also a contractual requirement for using some Google services (e.g. Google Adsense), see: https://www.google.com/intl/de/about/company/user-consent-policy/.
With the ruling C-40/17, the use of plugins of social media services on one’s own website without prior information and request for consent seems impossible in the future. We therefore recommend that you refrain from using the standard plugins offered by the social media services. Instead, use data protection-compliant Shariff buttons or a so-called 2-click solution and inform about the data processing when using plugins.
Lassen Sie von Ihrer Werbeagentur überprüfen, ob Plugins von Drittanbietern datenschutzkonform eingesetzt werden können. So lassen sich beispielsweise YouTube-Videos auf der eigenen Webseite mit datenschutzfreundlichen Einstellungen und ohne das Setzen von Cookies durch Google einbetten. Sofern auf Ihrer Webseite Cookies gesetzt werden sollte generell ein Cookie-Banner angezeigt werden, in dem auf die Datenschutzerklärung hingewiesen wird. Zur weiteren Verwendung von Cookies lassen Sie sich zunächst von Ihrer Werbeagentur eine Liste der auf Ihrer Webseite eingesetzten Cookies und deren Einsatzzwecke zusammenstellen. Notwendig sind auch Informationen, ob Cookies für eigene Zwecke selbst gesetzt oder von einem Drittanbieter verarbeitet werden. Lassen Sie überprüfen ob auf bestimmte Cookies bei der Bereitstellung der Webseite verzichtet werden kann. Aus dieser Zusammenstellung ist im Folgenden zu entscheiden ob eine weitergehende Cookie-Einwilligung auf Ihrer Webseite notwendig ist. Wenn Sie weitere Fragen haben oder Unterstützung benötigen können Sie sich an uns wenden. Wir helfen Ihnen gerne weiter.
Referenzen:
Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e. V. (Case C 40/17). Available at: http://curia.europa.eu/juris/document/document_print.jsf?docid=216555&text=&dir=&doclang=DE&part=1&occ=first&mode=DOC&pageIndex=0&cid=5824814Bundesverband der Verbraucherzentralen und Verbraucherverbände v Planet49 GmbH (Case C 673/17) Available at: http://curia.europa.eu/juris/document/document_print.jsf?docid=218462&text=&dir=&doclang=DE&part=1&occ=first&mode=lst&pageIndex=0&cid=6076996
Landesdatenschutzbeauftragter Baden-Württemberg (2019), „Zum Einsatz von Cookies und Cookie-Bannern“ [online]. Available at: https://www.baden-wuerttemberg.datenschutz.de/zum-einsatz-von-cookies-und-cookie-bannern-was-gilt-es-bei-einwilligungen-zu-tun-eugh-urteil-planet49/