Against this background, it makes no difference whether the information stored in the user's device or the information retrieved therefrom is personal data or not, it goes on to say. The Federal Court of Justice (BGH) wanted to know this question from the ECJ. The German court had asked the European court to interpret the EU data protection rules in the course of a German dispute.
The dispute from Germany revolves around an online raffle of the supplier Planet49. The BGH will make its own ruling in this case, but taking into account the current decision from Luxembourg. Other German courts dealing with the topic of cookies are now bound by the ECJ ruling.
Cookie-setting can also be prevented technically
In the raffle of Planet49, the user hit two check boxes before he could confirm his participation in the raffle with a button. A box that allows the user to set a cookie in his browser was already checked by default. The ECJ now stated that the approval had to be given for the specific case. If someone confirms his raffle participation, this is still no effective consent to cookie-setting.
In its ruling, the ECJ has now also made it clear that users must receive information about the cookies used - for example about the duration of their function and any third-party access.
As a rule, users can also configure their browsers so that no cookies are stored. Likewise, cookies in the browser can be actively deleted. However, most users are likely to use browsers with the default settings.
Where does active approval begin?
The Verbraucherzentrale Bundesverband (vzbv) had filed an injunction in the face of the Planet49 raffle (Case C-637/17), not only because of the cookie check mark, but also in view of the company's unusually wide usage conditions: users should give permission for Many companies may contact them by phone, e-mail or post.
On the subject of cookies, the question was, when an explicit consent of the user can be assumed. ECJ Advocate General Maciej Szpunar had already suggested in March that it was not sufficient if the consent of the user is pre-formulated and the user must actively object if it disturbs the data processing.
"In the latter case, one does not know whether such a preformulated text has been read and understood," wrote Szpunar at that time. The situation is not free from doubts. "A user may or may not have read the text - he may have omitted to do so out of sheer negligence - in such a situation it is not possible to determine whether the consent was given voluntarily."
Up to now, German providers have mostly relied on section 15 of the Telemedia Act for cookies. It states that service providers are entitled to create usage profiles for the purposes of advertising, market research or the needs-based design of telemedia using pseudonyms provided the user does not object to this. The service provider, however, has to inform the user of his right of objection. In addition, the usage profiles should not be merged with data about the one behind the pseudonym.