An advanced user’s guide to cookie consent managers
Research & Advisory / 20 August, 2020
Legal Consultant
Maj-Kristin is in-house counsel (Syndikusrechtsanwältin) at Frankfurt School.


Frankfurt School of Finance & Management best practices for implementing the provisions of the latest German Federal Court of Justice ruling

The ruling issued by Germany’s Federal Court of Justice (BGH) on May 28, 2020 made clear what many people had long suspected: The “opt-out-of-cookies” approach favoured by many German companies violates Germany’s data protection legislation and also – as previously established by the European Court of Justice – European data protection law.

A brief summary of the ruling: Cookies are small text files which many websites store in a cache on your computer’s hard drive when you visit them. The cookies stored on your computer by websites send certain kinds of information back to the owners or operators of these websites. Some cookies play a technical role in enabling particular websites to deliver their full functionality. For example, the shopping baskets used by modern e-commerce services need certain kinds of cookies to work properly. Similarly, if you log into an account on a specific website, the technology that makes the relevant data available to you every time you visit the website needs to use cookies. Ironically, cookies are also required if you decide to withdraw your consent for the use of cookies!

Other cookies, however, are not “technically necessary”. Typically, these include cookies that enable companies to analyse their websites’ performance or display relevant advertisements to visitors based on cookies that track their online interests.

Analysis and marketing cookies require voluntary, informed and documented consent

According to the Federal Court of Justice ruling, websites may only set cookies that are not technically necessary if the user has “given his or her voluntary, informed and documented consent” to the collection of his or her personal data. This automatically invalidates the widespread practice of asking users to opt out by “de-selecting” cookies for website analysis and marketing from a list of preselected cookies (rather than asking them to opt in by selecting the cookies they are prepared to accept).

Frankfurt School’s Legal and Marketing departments have been awaiting the Federal Court of Justice’s ruling with considerable excitement, having already considered how best to implement it. Unfortunately, by their very nature, court rulings rarely take the form of practical, generally applicable recommendations. So we found some useful ideas for implementing a legally compliant cookie practice on our website in the supervisory authority’s guidelines for telemedia providers. The guidelines contain various tips and instructions for, in particular, designing the “cookie consent managers” used by websites to obtain (or revoke) users’ consent to the use of cookies.

Key points for implementing a legally compliant cookie consent manager

Based on the abovementioned guidelines, as well as the recommendations of our external Data Protection Officer and our own in-house legal guidelines, we formulated the following key requirements for implementing a legally compliant cookie consent manager for the website:

  1. The cookie-alert banner must always appear when visitors first access our website; it must not obscure or impede access to our data protection notice or legal notices.
  2. Our (highly accessible) data protection notice must contain the following information, as required by law:
     • Details of the department or unit responsible for processing data (data controller).
     • Details of the individual data processing functions involved (and in particular, detailed information on each of the cookies).
     • Details of the reasons for and purposes of the data processing.
     • Information on the rights of the individual visitor or user (data subject).
     • Details of the services provided to the user.
     • Information on the transfer of the user’s personal data to third parties.
  3. Prior to obtaining the active, informed consent of the person concerned, websites may only set those cookies which are indispensable for the proper functioning of the website (i.e. “technically necessary” cookies).
  4. Websites may only set other cookies – cookies which are not technically necessary – once they have obtained the active, informed consent of the person concerned (i.e. once the visitor has “opted in” to the use of cookies).
  5. At any time, visitors may revoke their consent to the use of cookies that are not technically necessary. Your cookie consent manager should make it just as easy for users to revoke their consent as to grant it in the first place.
  6. To comply with the law, we also use our cookie consent manager to document the fact that we have properly obtained users’ consent or, where appropriate, enabled them to revoke their consent.

Whether a cookie may be classified as “technically necessary” or not will depend on the specific website and what it offers. The criterion for differentiating between the two is whether the “cookie is required to deliver the original scope of functionality”. We have classified our own cookies by applying the above criterion to ensure that only cookies that meet the provisions of the latest Federal Court of Justice ruling are designated “technically necessary”. Our website only sets any other cookies (those that are not technically necessary) once you have given your consent.
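The gating, revocation and documentation requirements above can be expressed as a small piece of consent logic. The following is an added example, not Frankfurt School’s own code: the cookie names, the category map and the `ConsentManager` class are constructed for illustration, and a plain `Map` stands in for the browser’s cookie store.

```javascript
// Added example: cookie names and their categories are constructed placeholders.
const CATEGORY = new Map([
  ["session_id", "necessary"],
  ["consent_state", "necessary"], // remembers the visitor's choice, incl. a withdrawal
  ["analytics_id", "analytics"],
  ["ad_profile", "marketing"],
]);

class ConsentManager {
  constructor(jar = new Map()) {
    this.jar = jar;           // stand-in for the browser's cookie store
    this.granted = new Set(); // opt-in: no category is preselected
    this.log = [];            // record of every consent decision
  }

  // Persist the current choice and document the decision with a timestamp.
  commit(action, categories) {
    this.jar.set("consent_state", [...this.granted].sort().join(","));
    this.log.push({ action, categories: [...categories], at: new Date().toISOString() });
  }

  grant(categories) {
    const optional = categories.filter((c) => c !== "necessary");
    optional.forEach((c) => this.granted.add(c));
    this.commit("grant", optional);
  }

  // Revoking takes one call, like granting, and also removes cookies already set.
  revoke(categories) {
    const optional = categories.filter((c) => c !== "necessary");
    optional.forEach((c) => this.granted.delete(c));
    for (const name of [...this.jar.keys()]) {
      if (optional.includes(CATEGORY.get(name))) this.jar.delete(name);
    }
    this.commit("revoke", optional);
  }

  // Returns true only if the cookie was written. Unclassified names are refused.
  setCookie(name, value) {
    const category = CATEGORY.get(name);
    const allowed = category === "necessary" || this.granted.has(category);
    if (allowed) this.jar.set(name, value);
    return allowed;
  }
}
```

Refusing unclassified cookie names, rather than treating them as necessary, means a newly added script cannot set a cookie until someone has decided which category it belongs to.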

To technically implement the above requirements, we partially programmed our cookie consent manager ourselves and also worked with a WordPress plug-in on some of the lower-tier pages. In addition to the requirements listed above, it was very important to us that it should only take two mouse-clicks for users to be able to access all information on our cookies and their functions. This is the only way to ensure that visitors to our website are able to make well-informed decisions. Unlike many other websites, we have no desire to obtain your consent “by the backdoor”.

However, from a marketing perspective, analysis and marketing cookies are a vital part of our everyday work. This is why we hope that the more transparent and legally compliant we are, the more ready and willing you will be to give us your consent to use cookies.

We look forward to receiving your consent – and wish you every success in implementing your own cookie consent system!