Terminology

The LfDI Baden-Württemberg uses the word 'cookie' in in such a way that it is supposed to include all other technologies used for tracking and fingerprinting, such as LocalStorage, Web Storage, the readout of advertising- and device IDs, serial numbers, and the use of ETags or TLS-Session-IDs. This Insight article therefore uses the term cookie accordingly.

Negative examples for obtaining consent

In total, the LfDI Baden-Württemberg lists around 150 negative examples likely to originate from its activities as a supervisory authority. This Insight article attempts to explore various cases that are likely to have a very high significance and which best illustrate the authority's positions, based on the LfDI Baden-Württemberg's visual examples of cookie banners.²

Wording of many consent banners considered misleading

According to the LfDI Baden-Württemberg, the wording within consent banners is often misleading and can therefore be considered a violation of GDPR requirements. The misdirection of users begins in the title of some consent banners. Headings, like 'We love Cookies', 'Welcome', 'We respect your privacy', or even 'Help us with your consent', are allegedly deceiving the user about the nature of the request. This kind of heading is also supposed to apply in regard to the wording of the main text. The LfDI Baden-Württemberg assumes a violation of the GDPR, when 'advertising' is stated as a processing purpose instead of 'selling personal dossiers on behavioural observation to a high number of arbitrary third parties'. The banner is supposed to describe the processing purposes and the actual processing at their full extent. Every cookie and other technology involved should be named.

At the same time, information should not be too complex or too divided. Referring to the privacy policy, or other websites, for a substantial part of the information is considered a problematic approach by the LfDI Baden-Württemberg. Supposedly, if the text is too long or complex, it has to be considered incomprehensible, especially if technical terms like 'vendors', 'publisher', or 'processor' or ambiguous terms, like 'essential services', are used.

Visual example 3 provided by the LfDI Baden-Württemberg is supposed to illustrate some of the mistakes mentioned above. Among other things, the banner is considered to have a deceptive heading, to mislead the user with regard to the processing purposes, and to have an insufficient description of the processing. It also supposedly lacks precise information in a simple language.

Anyone who ever had to summarise the process of Real Time Bidding ('RTB') in a few sentences and in a comprehensible manner already knows that complying with the aforementioned requirements will be a major challenge. The processing of data to provide personalised advertising is usually very complex, which is why consent banners often try to reduce the complexity by generalising or omitting certain information. It is going to be a difficult balance act to provide complete, concise, and clear information to users at the same time.

Equal options to give, deny, and withdraw consent

The FAQs clearly state that denial and withdrawal of consent has to be as easy as consenting. Therefore, the LfDI Baden-Württemberg assumes that it would be unlawful to highlight the button to consent or to hide the reject button. The function of a button should also not be ambiguous: 'accept' could, for instance, either mean consent to a limited selection or all tracking functionalities. A denial should be registered in the same way as consent, meaning that websites should not be requesting consent after it has been denied by the user. Companies are advised to carefully consider how consent can be withdrawn within the respective medium and how the user is made aware of this possibility.

Visual example 6 provided by the LfDI Baden-Württemberg is considered an example for nudging and misleading options. Information on how consent can be withdrawn is clearly missing.

Whether or not a banner can be considered user-friendly significantly depends on smart design choices. The design of the banner needs to guarantee the accessibility of all required functions and to communicate these functions to the user. A well thought-out concept will therefore be of crucial importance for legal compliance.

Access requests and third country transfers

Further, of particular interest are the statements of the authority in relation to data subject rights and third country transfers. The FAQs state that companies need to provide access to all relevant data by user request if the user provides a cookie-ID which can be associated to an existing dataset. Accordingly, it must also be possible to object to the processing of this data, to have this data rectified or deleted.

Regarding third country transfers, the LfDI Baden-Württemberg states that large-scale processing in third countries cannot be based on consent. In this context, its assumes that a third-country transfer is not permissible on the basis of consent texts, such as visual example 7 provided by the LfDI.

This implies that the LfDI Baden-Württemberg favours a very strict interpretation of Article 49(1)(a) of the GDPR and the possibility to transfer personal data on the basis of consent. If large-scale transfers cannot be based on consent, there should be almost no cases where companies can reliably transfer data based on Article 49(1)(a) of the GDPR.

No general reference to the TCF

Concerning a possible unlawfulness of the Transparency Consent Framework ('TCF'), the FAQs expressly refer to the decision of the Belgian Data Protection Authority ('Belgian DPA').³ Furthermore, the LfDI Baden-Württemberg emphasises that the use of the standard alone is not enough, it is always necessary to determine whether or not a standard has been implemented in compliance with the law.

Hence, meeting the requirements of the TCF on its own is not sufficient.

Recommendations for the use of cookies without obtaining consent

Looking at the negative examples, the LfDI Baden-Württemberg seems to heavily imply that companies should fundamentally rethink the use of cookies and how consent is collected. Fortunately, the FAQs also list several exceptions to the consent requirement. Under certain circumstances, the LfDI Baden-Württemberg even seems to allow the use of cookies for analytics without obtaining consent.

Example cases concerning the use of required cookies

The FAQs state that consent is not required if cookies enable essential functionalities, like non-default language settings, log-ins, or shopping baskets. Cookies may be used to save the consent status, but without including any identifiers. It is noteworthy that the use of cookies for security purposes is only allowed in exceptional cases and in the event of particular user interactions (e.g. when using the website or application to conduct an election to prevent multiple votes).

Moreover, the LfDI Baden-Württemberg points out that consent may also not be obtained when cookies are essential. Obtaining consent when it is not required even constitutes a breach of the principles of good faith and transparency under the GDPR.

Integration of external (media) content

According to the LfDI Baden-Württemberg, the use of external content is in general only allowed without obtaining consent if measures to prevent access to data by third parties have been implemented. The reason is that, through the (direct) integration of external content, data is directly and automatically transferred to third party providers. Accordingly, the suggested measures also aim to ensure that such data transfers do not occur at all and that contents are integrated locally (e.g. provision of Google Fonts via the own web server).

Audience measurement

Similar to the French data protection authority ('CNIL'), the LfDI Baden-Württemberg states that audience measurement can be performed without obtaining consent, if certain requirements are met. There seems to be legal leeway if the company only uses data that is automatically transmitted.

Within the Guidelines, the German supervisory authorities already stated that the TTDSG does not apply with regard to information that are transmitted inevitably, or due to (browser) settings of the end device, when visiting a website or opening an app. According to the LfDI Baden-Württemberg, this interpretation can be applied in favour of the company when processing data for the purpose of audience measurement and the creation of anonymised statistics.

According to the LfDI Baden-Württemberg, no consent is required by the TTDSG and the GDPR under the following requirements:

• the processing is limited to automatically transmitted data;
• the analysis is carried out using local log file analysis;
• no services of third parties are used;
• the processing of personal data is limited to the absolute minimum;
• there is no combination of usage data, e.g. data from other providers or data from multiple devices; and
• data is not used to identify users for other purposes.

Server-side tracking

The FAQs also rudimentarily addresses the possibility of tracking users via the data on the server (server-side tracking). The LfDI Baden-Württemberg is in principle open to this concept. In its view, the main advantage is that a website or app operator can decide which data is transmitted to third parties and in what form. If the data is completely anonymised before transmission and the use of cookies is excluded, consent might not be required for server-side tracking.

In any case, the implementation of server-side tracking seems to be an option that companies should take a closer look at.

Suggested actions and summary

We recommend to website operators within the jurisdiction of the LfDI Baden-Württemberg to compare their banner and the configuration of their consent management platform with the negative list. A large part of the consent banners currently in use will most likely not comply with the (strict) standards of the authority. So far, the German supervisory authorities have been hesitant to impose orders and fines due to the unlawful use of cookies, but this might change soon. One of the reasons could be that at least some of the German supervisory authorities are likely to have lacked competence regarding possible violations of the TTDSG until very recently.

We also encourage companies to take a closer look at the recommendations of the LfDI Baden-Württemberg regarding tracking without consent. In our view, the FAQs presents some interesting ways on how one can advance tracking technologies to be GDPR-compliant.

Dr Carlo Piltz Partner
[email protected]
Philip Schweers Senior Associate
[email protected]
Piltz Legal, Berlin

1. For more information, see: Germany: DSK Guidelines on the TTDSG
2. Available at: https://www.baden-wuerttemberg.datenschutz.de/faq-zu-cookies-und-tracking-2/ (only available in German)
3. Available at: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-21-2022-english.pdf