Germany: DPAs issue statements on consent, cookies, and Google Analytics
In particular, the DPAs called upon website operators that utilise services of third parties to assess whether they comply with consent obligations, and highlighted that website operators require the explicit consent of the visitor of a website if they want to utilise the services of third parties, which in turn use the acquired personal data for their own purposes. The DPAs stressed that the requirement for consent would also apply to analytical tools if the third party uses the data, as in the case of Google Analytics, as well as to more detailed information about the behaviour of website visitors such as keyboard entries, mouse clicks, or swiping movements. In addition, the DPAs stated that it can be considered permissible for website operators to calculate the reach of their website through the number of visitors per page, the devices used and language settings, if this is conducted by a contractor ('Auftragsverarbeiter') and in accordance with Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). However, the DPAs noted that the data processor may not use the data for its own purposes and highlighted, in this regard, that Google Analytics has been developed in recent years in such a way that it no longer constitutes an order processing ('Auftragsverarbeitung') tool in its current design.
Moreover, the DPAs outlined that website operators must assess their websites promptly with regard to third-party content and tracking mechanisms and delete services that require unambiguous consent if they have no valid mechanism in place to obtain it. Finally, the DPAs stated that data processing for which consent is required may only start after consent has been given, and emphasised that continued navigation in the framework of a simple cookie banner does not constitute consent, nor does the pre-selection of check boxes. The DPAs warned that former guidance issued by DPAs on the issue is no longer applicable, that non-compliance may lead to fines, and that investigations have been started.
You can read the Federal Commissioner for Data Protection and Freedom of Information press release here, the Hamburg State Commissioner for Data Protection and Freedom of Information press release here, the Berlin data protection authority press release here, the North Rhine-Westphalia data protection authority press release here, the Rhineland-Palatinate data protection authority press release here, the Hessen State Data Protection Commissioner press release here, the Lower Saxony data protection authority press release here, and the Schleswig-Holstein State Commissioner for Data Protection press release here, all only available in German.