Simply put, a cookie on a website helps a user recognize and facilitate surfing the site. For example, a website can remember what was in a shopping basket, even if the website was closed.
Now, the legitimate question arises, why the whole thing so much complicated and why it for this (apparently) consistently positive code snippets ever required a consent. The flip side is: with cookies, users' data can also be misused.
Just imagine, you would like to refresh your love life and surf on the online shop of (for example) Beate Uhse. There you will also find something and put various "toys" in your shopping cart. However, as you are unsure if your partner would really enjoy it, close the website. However, the cookie that remembered the contents of your shopping cart is still on your computer or has already been distributed to third parties in some other way. This usually means that you can now see other offers from the Beate Uhse and Co. category on other websites as well. You notice, the cookies can also drift in a direction which might not be quite in your favor. However, this is just one aspect of why cookies need to be regulated.
The (right-) safest answer is: do not use cookies to which the user has not consented.
In detail, this means that you are only in (completely) safe waters if you have obtained the consent of the user before calling the page for the first time. This must be done in such a way that - before any data is collected from the user - a cookie warning appears and the website visitor is informed as specifically as possible which data is collected from him, what it is used for and to which other people it is sent Circumstances are passed on.
In the light of the judgment of the European Court of Justice of the 01. October 2019, AZ: C-673 / 17, the form must be designed in opt-in style. In other words, the user himself must agree by clicking on the set cookies that his data will be collected, transmitted and used. He must therefore expressly confirm that he agrees with this data processing and data collection.
That this procedure for the operation of many websites is simply impossible or enormously limits the so-called "user experience" of the website, should also be obvious.
The answer is difficult. To be on the safe side, follow the path outlined above.
But the question must also be, what is the consequence if you break this path. Here it is important to realize the consequences. In doing so, we differentiate primarily between measures taken by data protection authorities and measures taken by competitors, authorized associations etc.
In particular, the General Data Protection Regulation (DSGVO) becomes relevant. The supervisory authorities are granted extensive investigative and remedial powers to enforce data protection regulations. Most site owners fear huge fines of up to 20 million euros or 4% of worldwide sales last year.
But is this fear absolutely justified? The answer is yes and no. Yes, the fines are imposed. No, one will not (only) have to stop his business because of a fine imposed. Until the state today in Germany about 130 publicly communicated fines were imposed with a total of about 700.000,00 €. In mathematical terms, this means that a single penalty is about the value of 5.500,00 €. However, one must say that this is a calculated value, which varies greatly from state to state. Nonetheless, this value should make it clear that a fine imposed can be painful but not life-threatening. Also, penalties in the form of a fine are already a harsh sword of the DPA. Usually, the data protection authorities initially use warnings and instructions (Art. 58 DSGVO). In our experience, it is not a request of the data protection authorities about fines to finance the state treasury.
So, is it best to do nothing and wait for a warning or a fine from the DPA?
Certainly not! In addition to the data protection authority, there are (among others) competitors who can make their lives difficult.
More dangerous than a sanction should be warnings from competitors. After all, competitors simply do not have to accept when other competitors do not comply with laws and regulations. With a warning, such anti-competitive behavior can be sanctioned.
The cost of a warning can easily be 2.000,00-3.000,00 € per warning. Worse, however, is the associated omission explanation, which is usually required. This contains an obligation that you behave in accordance with the rules in the future. Failure to do so will result in forfeiture of a contractual penalty, which can easily amount to a multiple of the reminder sum.
The unsatisfactory answer is: it can happen.
That is why there is not, because there is still disagreement between the courts, whether the GDPR can be warned with unfair competition law (UWG). So decided the district court Bochum (decision of the 07.08.2018,
Az: 12 O 85/15) that the GDPR cannot be warned in connection with the UWG. The Wiesbaden Regional Court ruled in a similar manner (judgment of November 05.11.2018, 5, Az: 214 O 18/18.01.2019). The Magdeburg Regional Court also follows this view (judgment of January 36, 48, Az: 18 O XNUMX/XNUMX).
However, these tendencies seem to exist only in the lower-ranking courts. Thus, the Hamburg Higher Regional Court ruled in the judgment of 25.10.2018, Az: 3 U 66 / 17) that a warning is very permissible. The higher regional court Munich sees this with judgment of the 07.02.2019, Az: 6 U 2404 / 18 likewise.
You should definitely put one on Privacy law and competition law specialist lawyer contact, This advises you whether the warning is justified or unjustified - also on the basis of the competent court for you.
This question should be imposed on the vast majority of website operators. The pleasing answer is yes!
If one looks more closely at the request of the state data protection authorities, it becomes clear that this is not aimed at blocking the competition and realizing fines. In the vast majority of cases, it rewards the responsible state data protection authority considerably, if one shows the good will and at least technically prepares itself so that the user is returned the sovereignty over his data. Specifically, this means that you should present a display of the collected cookies to the user and in the case of an online shop (eg.) All the necessary cookies for operating the online shop are preselected. All other cookies such as Google Analytics, the user with a button "Accept all cookies" could then easily select. In any case, you can achieve your goal of being able to continue operating your online shop (almost) without any restrictions and at the same time significantly reduce the likelihood of a sanction by the state data protection authority.
The same applies here. A competitor can only effectively warn you if he himself follows all the rules. Conversely, if he follows all the rules, it means that he would (almost) have to paralyze his own website due to numerous cookie hints and consents. Then, however, the legitimate question arises whether he really is still a competitor. Because if he achieves no or hardly any sales (in the case of an online shop) due to these measures, his competitive nature and thus his Abmahnbefugnis should put into question.
However, if the competitor does not implement everything technically on his own website technically, you are entitled to the objection of the so-called "Unclean Hands". At the same time this represents a very effective defense against such warnings.
As shown, it is always worth considering the subject matter of the cookies and the applicable law. Also, one should not take the inclusion of cookies in the own website on the light of shoulder and take any sanctions and warnings also very seriously. On the other hand, it is important to subject the realistic consequences to a critical examination and not to be too intimidated by them.
In any case, if you do nothing, you are at enormous risk. Those who seriously strive to comply with the GDPR will only rarely have problems with the national data protection authorities or competitors.
Your comment
Participate in discussion?Leave us your comment!