As early as October 2019, the European Court of Justice (ECJ) ruled that when a website is accessed, the setting of cookies requires the active consent of the website visitor. This does not include cookies that are technically necessary to ensure the functionality of the website. The European Data Protection Board (EDPB) has now updated its guidelines on consent for websites and once again emphasized the urgent need for correct cookie consent. Learn more about this in our blog article.
New guidelines as of May 2020
On May 5th, 2020, the European Data Protection Board (EDPB) updated its guidelines on consent for websites. The updated guidelines are already available in English. In the guidelines, the EDPB again points out that access to a website must not depend on whether a visitor accepts cookies or not. Even simply continuing to use the site or simply clicking "OK" in the cookie banner does not constitute effective consent within the meaning of the GDPR. This update reinforces the judgment of the ECJ of October 1st, 2019.
Personal data in cookies
Cookies are small text files that are stored on the visitor's computer when a website is visited. Because cookies contain various ID numbers, website visitors can be identified when they access the website again. Cookies may therefore contain personal data and must be handled in accordance with the GDPR.
Insufficient cookie banner
“If you use this website, you agree to the activation of cookies”
Cookie banners with such or similar texts do not represent effective consent within the meaning of the GDPR. The EDPB also makes it clear that no clear affirmative action takes place here. Such "cookie walls" contradict the requirement of voluntariness and thus violate the General Data Protection Regulation. Any selection fields for the use of technically unnecessary cookies must be explicitly set by the website visitor and must not be active by default.
GDPR fines for inadequate cookie banners
Insufficient cookie banners on websites should not be underestimated in terms of data protection. This is shown by an existing judgment in which the Spanish supervisory authority imposed a fine of €30,000 because a website operator had not implemented its cookie consent in accordance with data protection regulations.
“The Spanish Data Protection Agency (AEPD) has sanctioned Vueling Airlines with 30,000 euros for not giving users the ability to refuse their cookies and force them to use them if they want to browse its website. In other words, it was not possible to browse the Vueling page without accepting their cookies.” Source: https://www.enforcementtracker.com/
This judgment is an incident from Spain. However, it cannot be ruled out that German companies will have to expect the same or even higher fines.
The updated guidelines of the EDPB and the quote from the German Federal Commissioner for Data Protection and Freedom of Information, Professor Ulrich Kelber, make this clear:
“There are still websites that, due to their structure, impose tracking on users. The updated guidelines make it clear again that consent cannot be enforced. […] I would like those responsible to draw the right conclusions from this and finally offer data protection-friendly alternatives.”
Website checks by aigner business solutions GmbH
Our team, your advantage | We introduce ourselves here.
Our team consists of experienced lawyers, web specialists, IT experts, and certified data protection and information security officers. With our experience, expertise and proven procedures, we help companies find practical solutions in the area of data protection and IT security. For example, we help with the implementation of the GDPR or the introduction of information security management systems (ISMS).