Germany's Cookie Consent Requirements

German cookie law changed on May 28, 2020.

Now, you can't use marketing or nonessential cookies without getting someone's express consent. If you're still using pre-ticked consent boxes in your Cookie Notice, you need to switch to blank boxes right away. Individuals can then decide if they want to accept cookies from you or not.

We'll go over everything you need to know below. For starters, just note that there has been a huge change in the way Germany protects personal information, and it probably affects your business.

First, let's be clear on where consent requirements come from.

Consent Requirements

German cookie consent requirements come from 3 places:

• The General Data Protection Regulation (GDPR)
• The ePrivacy Directive (more on that below)
• Case law i.e. court judgments

Combined, these sources tell us that EU citizens must give free and informed consent for personal data collection. Personal data under the GDPR means any data that's used to identify a living person.

This includes online identifiers such as cookies. So, if you're placing cookies onto someone's device, you need their consent unless an exception applies.

Exceptions to Consent Requirements

There are only 2 exceptions to the consent rule that concern us.

First, if you don't use any cookies, even functional cookies, you don't need to worry about consent rules. However, very few websites fall under this category.

The other more important exception is essential cookie processing.

Service providers and website owners don't need consent if they can prove the cookies are necessary to provide a service. This must be the service requested by the customer. Here are some examples of essential cookies.

• They allow your website to load correctly
• They enable users to put items in a shopping cart and proceed to the checkout
• They protect sensitive personal information as it moves across a network e.g. when a customer inputs bank details to access their online bank account

Cookies aren't essential just because they improve the user experience on your website. They must be necessary to complete a service the customer requested.

In other words, the only website owners who don't need to comply with these new German cookie consent requirements are those who:

• Don't use any cookies at all, or
• Only use functional or essential cookies

So, how do you comply with these requirements, and why does compliance matter?

It'll all make more sense if we briefly consider the recent German decision and the other key piece of legislation: the ePrivacy Directive.

Planet49 & the ePrivacy Directive

Back in 2013, Planet49 ran an online competition. To enter, participants submitted their name, address and postcode, and consented to 2 things:

• Marketing communications by post or SMS
• Analytics and marketing cookies

The first box on marketing communications was left blank.

However, the second box, for analytics and marketing cookies, was pre-ticked.

The Federation of German Consumer Organisations (VZBV) received complaints from participants and raised a court action. The German Federal Court asked the European Court of Justice (ECJ) for advice.

The ECJ ruled that Planet49's actions breached consent rules under the GDPR and the ePrivacy Directive. Here's why.

Consent Under the ePrivacy Directive

Section 17 of the ePrivacy Directive says that consent must be:

• Freely given
• Specific
• A clear indication of what the person wants

A checkbox is an acceptable way to obtain consent:

So, what did the court find in this case?

• The blank checkbox complied with consent guidelines
• The pre-ticked box was unlawful
• Consent obtained through pre-ticked boxes is invalid because it falls short of the legal standard

It's worth noting that Germany hasn't actually adopted the ePrivacy Directive in full. That's why German cookie law is still playing catch-up with the rest of the EU.

So, the Planet49 decision doesn't change the law completely. It does, however, have 2 significant consequences:

• German data protection and cookie laws will now be interpreted in line with Article 5(3) of the GDPR
• German cookie law that's inconsistent with Article 5(3) could now be disregarded.

The implications are simple, but let's make sure we're clear on them before we move on.

• Consent is only valid if it's given freely given
• The person must do something to give their consent i.e. consent must be obvious
• You must tell people about the cookies you plan on using. Consent isn't valid if people don't know what they're consenting to.
• Websites must use blank checkboxes or some similar tool to obtain valid consent

If you use any nonessential cookies at all, you need to understand what this judgment means for you. If you don't comply with the new requirements, customers can raise complaints against you, and they'll probably be successful.

You might still be wondering if these changes affect your particular business. Perhaps you don't have many German customers, or you don't use many - if any - marketing cookies. Do you need to change your cookie practices on your website?

Maybe not, but you probably should, anyway. Here's what you need to know.

How to Comply With Germany's Cookie Consent Requirements

In short, here are the steps you need to follow to comply with German cookie consent rules:

• Have a Cookie Notice
• Display it on your website
• Use blank checkboxes or some other tool to obtain consent
• Publish a Cookie Policy

This is all simpler than it sounds. Let's break the steps down.

Your Cookie Consent Notice

Your Cookie Consent Notice should include a few sentences explaining:

• That you use cookies
• Why you use them
• How people can amend their cookie settings

You also need to get consent via the Cookie Notice.

Here's a great example from American Airlines. It's clear that the airline uses cookies, and why. People can amend the cookies installed by changing their browser settings.

Finally, it's obvious that clicking "continue" means someone accepts the Cookie Policy:

What else does this banner have? A blank checkbox.

Using the Right Checkbox

It's probably obvious by now, but the checkbox is the most important part of the cookie banner.

You don't need consent for essential or functional cookies. It's okay if you use a pre-checked box for these, like T Nation does here:

If users don't agree to necessary cookies, they can't use the website, which is reasonable.

What's more important is that the other checkboxes remain blank. The user must then take an action, like checking the box, to give consent.

So, if someone wanted to consent to all the nonessential cookies, the boxes would look like this:

You don't need to use actual checkboxes. You can also use sliders. People must drag the slider to the "accept" position to accept the optional cookies.

Here's an example from the UK's Information Commissioner's Office (ICO).

There's no option to turn essential cookies off, which we know now is okay. However, the user must turn analytics cookies "on" if they want to accept them:

You could also do this for various types of cookies, for example by having one slider for analytics, one for marketing, and so on.

Finally, you can have simple "accept all" or "deny all" boxes or toggles.

Here's an example from the UK's Daily Mail newspaper. People can opt in or opt out from all nonessential cookies in one go without checking multiple boxes. This is a great option for websites that use a lot of nonessential cookies, such as news outlets and other multinational websites:

All that matters is that people can clearly choose whether to accept nonessential cookies or not. So long as you get express consent, the exact box you use doesn't matter so much.

How to Display Your Cookie Consent Notice

You can put your Cookie Consent Notice anywhere on your landing, so long as it's visible. It should always be on the landing page, so it's one of the first things that people see when they land on your website.

Common places to display the notice include:

• Footer
• Header
• Pop-up box in the center of the screen
• Side panel

Your Cookies Policy

You need a Cookies Policy if you use any nonessential cookies at all. You also need to include certain clauses to comply with German and EU requirements.

A Cookies Policy is basically a legal document that sets out:

• What cookies you use
• Why you use them
• What happens to the data you collect
• How people can opt in or out of cookies

We're not going into too much detail here, but here's a quick checklist of the main clauses you need to include in your Cookies Policy, with examples from Rogue Fitness USA.

Cookie Use

Sure, cookies are pretty common, but you can't assume that everyone knows what they are. Your introduction should specify:

• Whether you use cookies or not, and
• What cookies are

Rogue Fitness briefly explains that it uses cookies, then provides a short summary of what cookies do:

This is all you need for this section of the Policy.

Types of Cookies Used

Next, you should set out what cookies you use, including even the essential ones. Examples include:

• Functional cookies
• Essential cookies
• Marketing cookies
• Analytics and statistical cookies

Rogue Fitness lists the cookies it uses and briefly explains what each cookie does. You'll note it includes essential cookies:

You only need a line or two for each cookie. The explanations should be user-friendly and easy to understand to make sure people know exactly what they're consenting to.

The Purpose of Cookies

Once you've established which cookies you use, explain why you use them in the first place. You only need to give enough detail for people to make informed consent.

Rogue Fitness first sets out some general reasons why it uses cookies:

How to Adjust Cookie Settings

Explain how users can opt in or opt out of cookies on your website. Typically, all this means is telling people they can delete cookies from their browser. You can also leave an authoritative link to somewhere they can find out more about cookies.

Again, all you need is one or two brief lines:

If you don't have a Cookie Policy, you need to write one now. If you have one, make sure it complies with German cookie consent requirements.

Penalties for Non-Compliance

What happens if you don't comply with Germany's cookie consent requirements? Well, the authorities have the power to:

• Give written warnings
• Issue fines and other financial penalties
• Delete data you collect without consent
• Restrict who you share data with e.g. third parties
• Ban your processing activities, either temporarily or permanently

So, if you fail to comply with German cookie consent requirements, you could face reputational and financial damage. Since it's fairly easy to comply with the new rules, you should change your Cookie Notice sooner rather than later.

Even if you don't use marketing or analytics cookies right now, you might in the future, so don't forget your responsibilities under German law.

Conclusion

German cookie consent requirements are much clearer than before. Although Germany hasn't formally adopted the EU's ePrivacy Directive, the law is aligned with other Member States.

There's no need to ask for consent to place essential cookies. But now, people must opt in to marketing, analytics, and other nonessential cookies. You can't use pre-checked boxes anymore. In other words, you can't use an opt-out model.

To comply with German cookie law, you must:

• Write a Cookie Policy and publish it on your website
• Display a Cookie Consent Notice or pop-up banner explaining that you use cookies
• Link to your Cookie Policy within the notice
• Give people the clear choice to opt in rather than opting out

You don't need to use checkboxes. You can use sliders and similar tools.