Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Hesse: Higher Regional Court of Frankfurt issues decision on liability of placing cookies without consent

On June 27, 2024, the Higher Regional Court of Frankfurt issued a decision in case No. 6 U192/23 in which it held a company liable for placing cookies via a third-party website without prior consent from the data subject, in violation of the Telecommunications Digital Services Data Protection Act (TDDDG)

Background to the decision

The Court outlined that a company provided advertising and analytics services, which allow website operators (third-party providers) to place advertisements in the company's or other partner websites' search network and measure the success of their advertising campaigns. The company provides website operators with a code that can be integrated into their various applications, and once the page is accessed, the code is activated, and the cookie is set or read.

The Court highlighted that the website operators are independent companies that set themselves the appropriate programming to place cookies. Furthermore, the company obliged the website operators, through terms and conditions, to ensure consent requirements were fulfilled.

The data subject claimed they visited several third-party websites and that the company's cookies were placed on their device without their consent. They then filed a request with the Regional Court of Frankfurt am Main for an injunction on the company to stop using the cookies. The Regional Court dismissed the case, and the data subject appealed to the Court in the present case.

Findings of the Court

The Court held that under Article 25 of the TDDDG, a provider of electronic information and communications services is prohibited from storing information on an end user's terminal equipment or from accessing this information unless the end user has given their consent.

Furthermore, the Court determined that the fact that the website operators are contractually required to obtain consent does not relieve the provider of the service (the company in this case) of the liability. Thus, the Court clarified that the provider of the service, as an entity that stores and accesses stored cookie data, is responsible for ensuring that consent has been obtained under Article 25 of TDDDG.

Outcomes

The Court issued an injunction on the company to refrain from placing and storing cookies on the data subject's device without their consent, subject to a fine of €250,000 for violating the injunction.

You can read the judgment, only available in German, here.