They increasingly appear on websites – Information Banner containing this or similar wording: “This website deploys cookies – in case you continue using this website, you consent to deploying cookies on your browser.” Typically, there would be an additional link to a cookie policy containing more information on deployed cookies. This is not really of interest to any user. It is therefore surprising that most website operators are under no obligation to provide cookie banner or cookie policies under German law.
1. Consent Obligation under the Cookie-Directive
The E-Privacy-Directive as amended by the Cookie-Directive contains in Art. 5 (3) a provision requiring to inform users in a comprehensive manner about cookie deployment and to collect their consent (i.e. an opt in regime). The only acceptation applies to technically necessary cookies, such as session cookies in online-shops containing information on shopping baskets’ contents or language settings. The exception does, however, not apply to the majority of cookies deployed. As a matter of principle, cookies banner and cookie policies would hence be required under Art. 5 Abs. 3 E-Privacy-Directive for deploying cookies.
2. No Change under German Law
A EU Directive, such as the E-Privacy-Directive, does not directly apply in the Member States. Rather it requires transition into the Member States’ laws to become binding for its’ citizens (i.e. private website operators). There were two initiatives for implementing Art. 5 (3) E-Privacy-Directive into a new Section 13 (8) German Telemedia Act (Telemediengesetz – TMG). Until today no initiative was brought to an end in the legislative process. While the transition deadline has expired as of May 2011 – different from any other European jurisdiction – there is no transition of Art. 5 (3) E-Privacy-Directive in German law. Therefore, website operators continue to be subject to the “old” TMG rules implemented before entering into force of the Cookie-Directive.
Under said rules, website operators must
„[…] inform the user upon the beginning of using the telemedia service about kind, extent and purpose of using his personal data […] in a generally comprehensive manner […]“,
by providing information on cookie deployment in a privacy policy. There is neither an obligation for providing cookie banner nor cookie policies.
Under Section 15 (3) TMG, website operators may collect, retain and process data collected with cookies in pseudononymous profiles unless the user has objected (i.e. declared to opt out). Upon such opt out declaration, website operators must ensure to refrain from any profiling activities. In order to comply with these requirements, it suffices to provide information in the privacy policy including sufficient technically effective opt out means.
Possible opt out means are, inter alia, the online preference manager of the „Bundesverbands Digitale Wirtschaft e.V.” providing for the possibility for users to express opt out vis-à-vis participating companies in regard to various cookies. An alternative opt out mechanism would be activating a „Do Not Track HTTP-Header-Field“. The latter was expressively considered an effective opt out means by the German Data Protection Authorities and the Art. 29 Group. In addition, there are opt out mechanisms for individual tracking technologies such as browser add-on for Google Analytics.
3. Would the Cookie-Directive Apply Regardless?
There is an obvious and from the EU Legislator’s perspective undesired gap between Art. 5 (3) E-Privacy-Directive and the TMG leaving the question of legal effects to website operators obligations. To start with the answer: private website operators are under no obligation for providing cookie banner, cookie policies or the like; they continue to be subject to the “old” TMG provisions. Public website operators are subject to the directly applicable provision of Art. 5 (3) E-Privacy-Directive obliging them to inform their website users and providing an opt in mechanism.
The German Government doeswith surprising arguments appear not to share this legal view. According to their view, the Cookie-Directive does not need to be implemented into German law as their requirements would already be included in TMG. Consent obligations as stipulated in Art. 5 (3) E-Privacy-Directive would follow from Sections 12 and 15 TMG; information obligations from Section 13 (1) TMG. This view is not convincing at all. Under Section 15 (3) TMG website operators may collect and process cookie data in pseudononymous profiles for marketing and market research purposes without any requirement for an opt in requirement.
The EU Commission does not share the German governments opinion either and considers the Cookie-Directive as not being transferred into German law (full study as PDF):
„When looking at the way Article 5.3 has been transposed by the Member States, a first observation to make is that this provision has not been transposed by the German legislature.“
However, there are so far no proceedings for violating the obligation to implement the Cookie-Directive.
In order to prevent the mentioned deviations between E-Privacy-Directive and TMG one could consider the option to interpret the TMG in light of the E-Privacy-Directive and interpret it (against its clear wording) as providing for the Cookie-Directive’s requirements. Following the ECJ’s principles, Member States’ courts must consider wording and aim of Directives when interpreting their national laws – there would, however, be no obligation for applying national laws against their clear wording. This prevents considering Art. 5 (3) E-Privacy-Directive for interpreting the TMG in said way.
While Art. 5 (3) E-Privacy-Directive does not play any role for private website operators, for public website operators it is the opposite. For them, Art. 5 (3) E-Privacy-Directive even applies directly. Directly applying a Directive requires under the ECJ’s principles (i) lacking implementation into the Member State’s laws (the respective deadline ended in May 2011), and (ii) sufficiently clear requirements in the directive. Both requirements are fulfilled for the Cookie-Directive. In particular, the wording is sufficiently clear as the “word-by-word” implementation in many Member States and in the German legislative drafts prove.
The directive does apply to public website operators only. Under the ECJ’s principles, directives may be applied directly only to prevent disadvantages of a Member State’s citizens vis-à-vis the Member States public bodies. There is no direct application in the relation of citizens to each other (no horizontal direct application of directives).
4. Conclusion
Art. 5 (3) E-Privacy-Directive as amended by the Cookie-Directive is not implemented into German law (i.e. the TMG) it applies regardless to public website operators. For private website operators, there are no legal effects from Art. 5 (3) E-Privacy-Directive in the current version. They are subject to the “old” set of rules and must inform about cookie deployment and provide opt out means only. Also private website operators should be aware they might be subject to Art. 5 (3) E-Privacy-Directive information and opt in requirements where operating their website is subject to other Member States laws having implemented respective rules. In addition it is advisable monitoring whether there are any initiatives for amending the TMG to comply with the Cookie-Directive’s requirements.