This post originally appeared on BPM Legal’s blog, datenschutzerklaerung.info, at www.datenschutzerklaerung.info/cookie-consent-tools-lg-rostock/. It covers new rulings on GDPR cookie consent, which affect any company, regardless of location, that has website visits from a country in Europe, such as eCommerce companies doing cross-border commerce in European countries.

The European Court of Justice (ECJ) and the German Federal Court of Justice recently decided that the active consent of a website user is required for a website to set cookies for tracking and marketing purposes. However, the judgments haven’t been 100% clear about some of the details. The Regional Court in Rostock, Germany, continued this case law in a recent judgment, closed some gaps, and made life a little more difficult for website operators moving forward.

Background on User Cookie Consent

In May, the German Federal Court of Justice decided in the Planet 49 case that website operators need active consent from users to set cookies to store and analyze user behavior on their websites (judgment of May 28, 2020, Az. I ZR 7/16). The court expressly stated that “preset checkboxes” (opt-out) do not represent effective consent.

In the current case, judged by the Rostock Regional Court (judgment of 15.09.2020, Az. 3 O 762/19), the Federation of German Consumer Organizations warned a website operator who had used various cookies and tracking services, including Google Analytics. The operator had implemented a consent tool from Cookiebot on the website. However, it was configured in such a way that checkboxes for the categories “Necessary,” “Preferences,” “Statistics,” and “Marketing” were preselected for the user.

An example of what the website owner’s cookie consent banner with preselected options may have looked like.

Referring to the specific reasons given in the judgment of the German Federal Court of Justice, the Rostock Regional Court now unsurprisingly states that no legally effective consent to the use of cookies can be obtained using the Cookiebot banner.

The Interesting Part of the Cookie Consent Verdict Begins

After the warning, the website operator changed the configuration of the consent tool. The checkmarks were gone from the user interface. Instead, the banner contained a green button “Allow cookies” and a light gray button “Allow only necessary cookies.” When the user clicked on the green button, all previously pre-selected cookies were set.

An example of what the website owner’s cookie consent banner without preselected options may have looked like.

Similar designs have since become widespread and take advantage of the laziness of the visitor, who often doesn’t read the consent instructions but instead simply “clicks away” the banner with the most conspicuous button (so-called “nudging”).

In the opinion of the Rostock Regional Court, however, no effective consent can be obtained even with a consent tool configured in this way. The court stated,

“Effective consent is therefore not possible with the cookie banner now in use. Because here too, all cookies are preselected and are ‘activated’ by pressing the green ‘Allow cookies’ button. (…) The consumer has the option of viewing the details and deselecting individual cookies. However, the consumer will regularly shy away from the effort of such a procedure and therefore press the button without prior information about the details. The consumer does not know what the implications of his declaration are.”

In the opinion of the court, the fact that the reject button was highlighted in gray also leads to the ineffectiveness of the consent,

“The fact that the user also has the option of restricting his consent to technically necessary cookies via the ‘Use only necessary cookies’ area with the cookie banner now used does not change the assessment. In this respect, it should be noted that this button cannot be recognized as a clickable button. In addition, it takes a backseat to the ‘Allow cookie’ button, which is highlighted in green and therefore appears to be pre-assigned. This option will therefore regularly be perceived by a large number of consumers as a non-equivalent consent option.”

What Should Website Owners and Operators Do

The Rostock Regional Court decision puts a stop to nudging. Website operators who have previously used an optimized consent tool and now want to reduce the risk of a warning should make adjustments.

With the judgment in place, it’s recommended that website owners and operators:

  • Ensure that a “Reject” option is included in the banner. Designs where the user is referred to a submenu where he/she can deselect cookies carry the risk of a warning.
  • Ensure the “Reject” option (or an “Only use necessary cookies” button) is not visually hidden or minimized in comparison to the “Allow all cookies” button.

An example of a cookie consent banner approach to help website owners avoid the risk of getting a warning. It includes obvious buttons and an option to reject cookies (under “Individual settings”).

Cookie Consent Banners Don’t Have to Include a Possibility of Revocation

The Rostock judgment still holds good news for website operators. The court stated that the cookie banner itself doesn’t have to contain any information about the possibility of revoking consent. Art. 7 Para. 3 Clause 3 GDPR says that the user must be informed about the possibility of revoking consent. However, it doesn’t say that the option to revoke must be included in the banner itself. A note in the data protection declaration is enough.

Learn More About the ECJ Ruling

To learn more about the ECJ Ruling and cookie consent tools, see the ECJ Ruling: No Cookies without Consent! Whitepaper, also authored by Felix Gebhard.

About the Author

Felix Gebhard is a lawyer and certified data protection officer. Since 2013, he has worked for the law firm BPM Legal in Munich, Germany. BPM Legal primarily advises companies in eCommerce and IT on all relevant legal issues and with a special focus on data protection.