Awareness Services

Privacy criteria in cookies were decided before the ECJ

Privacy criteria in cookies were decided before the ECJ

The European Court of Justice decided on 01.10.2019 at 11:30 a.m. which obligations should apply to Internet pages when handling cookies. This vote was triggered by an online lottery from Germany.

Privacy Policy and Cookies

Cookies store different things, e.g. the shopping cart in an online shop, language or passwords. This means that users do not have to re-enter their language or password each time they visit the site. Cookies are also used for website analysis. Through the use of cookies, returning users can be recognized and their behavior can be analyzed. This helps the operators of the website to adapt the page to the behaviour of the visitors.

Generally speaking, cookies are a useful technique, but they must be treated with caution, as we reported in 2016.

As soon as cookies store personal data, e.g. name, IP address or email address, data protection comes into play. Since 25 May 2018, the DSGVO, which states in Article 4 that online identifiers that can be used to identify individuals must also be regarded as personal data and protected accordingly, has been in effect since then.

Agreement to set cookies

The lottery leading to the current procedure took place in 2013. At that time Planet49 GmbH organized an online competition. On this website a box was placed, which asks the user if he agrees to cookies being set. The difference to other websites was that this box was set from the beginning. This means that the user had to click on the box to oppose the setting of cookies.

The German Federal Association of Consumer Organisations (VZBV) filed a complaint against this action and demanded that Planet49 cease and desist. So far, no judgement has been reached on this action, and the European Court of Justice is accordingly considering whether Planet49 GmbH’s action complies with the DSGVO.

The ruling of the ECJ

The ruling of the ECJ can be interpreted as a victory for the Federal Association of Consumer Centres (VZBV). From now on, cookies may not be set without the visitor’s consent. The Press release of the European Court of Justice states literally: “With today’s ruling, the Court of Justice decides that the consent required for the storage and retrieval of cookies on the visitor’s device of a website is not effectively given by a preset checkbox, which the user must deselect to refuse his consent.

By this judgment, the widely-used procedure is :”Our website uses cookies. We assume your consent if you use our site “, no longer valid and must be adapted.

If you wish to use cookies for your website, you must take the following points into account in future, which must be recognizable on the cookie banner:

  • what information is stored with this cookie (e.g. search terms on the website)
  • for what purpose this data is processed (e.g. analysis of visitor behaviour)
  • whether third parties have access to this data (third party cookies)
  • a link to the privacy statement must be listed

In addition to these points, the visitor must have a choice as to whether he or she agrees with the cookies mentioned. In addition, the visitor must clearly agree that if the visitor does nothing, no cookies will be set.

Photo of author

Jan Hörnemann

Ich bin Jan Hörnemann, TeleTrust Information Security Professional (T.I.S.P.) und seit 2016 leidenschaftlich in der Welt der Informationssicherheit unterwegs. Mein Master of Science in Internet-Sicherheit hat mir ein fundiertes Verständnis für verschiedene Aspekte dieser Branche vermittelt, das ich in meiner laufenden Promotion kontinuierlich ausbaue. In der AWARE7 bin ich Chief Operating Officer und Prokurist, gleichzeitig koordiniere ich die Abteilungen "Informationssicherheit" und "Offensive Services" und sorge dafür, dass alle Projekte reibungslos ablaufen.