Germany

Can you place cookies without consent?

No. Section 25 par. 1 of the Act Regulating Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) in conformity with the Directive 2002/58/EC (e-Privacy Directive, also see Planet 49 case (no. I ZR 7/16) of the German Federal Court of Justice – “Bundesgerichtshof”):

  • Storage of information in the end-user’s terminal equipment or access to information already stored in the terminal equipment shall only be permitted if the end-user has consented on the basis of clear and comprehensive information.
  • End-user information and consent shall be provided in accordance with Regulation (EU) 2016/679.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

Yes.

Are there any exemptions if consent is required?

Yes. Sec. 25 par. 2 TTDSG

No consent required:

  • if the sole purpose of storing information in the end-user’s terminal equipment or the sole purpose of accessing information already stored in the end-user’s terminal equipment is to carry out the transmission of a communication over a public telecommunications network; or
  • where the storage of information in the end-user’s terminal equipment or the access to information already stored in the end-user’s terminal equipment is strictly necessary to enable the provider of a telemedia service to provide a telemedia service explicitly requested by the user.

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

Necessary cookies, yes.

i. Analytics cookies: No
ii. Advertising cookies: No
iii. Social media cookies: No
iv. Performance cookies/functionality cookies: No 

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

No.

Can you set cookies without a cookie notice? 

No.

Section 25 par. 1 sentence 2 TTDSG (since 1 December 2021).

Can you set cookies without a cookie banner/ management tool?

No. According to some German DPAs, a cookie management tool may be avoided if only necessary cookies are used, the transparency requirements remain applicable. 

Are you able to use cookie walls? 

In principle yes, but there is guidance from the Data Protection Conference (DSK – the joint body of German DPAs) that needs to be taken into consideration. In the context of cookie walls the DSK inter alia stresses that:

  • if a tracking-free model is offered as an alternative, even if it is a paid option, tracking can be based on consent. However, the paid model must provide an equivalent alternative to the benefits obtained through consent. Such consent must meet GDPR’s requirements; and
  • whether a payment option, such as a monthly subscription, can be considered as an equivalent alternative to consenting to tracking depends on whether users are provided with the same level of access to the service for a market standard fee. Typically, an equivalent access exists when the offers include, at least in principle, the same benefits.

That if multiple processing purposes significantly differ from each other, granular consent must be obtained from the data subjects. This means that they must have the ability to actively select and consent to individual purposes (opt-in). Only when purposes are closely related bundling of purposes may be considered in the consent form. A blanket consent for various purposes is not deemed to be valid by German DPAs. 

Is the local regulator currently enforcing decisions against breaches of cookie rules?

Yes.

Cookie rules have not been heavily enforced recently. However, we are seeing and handling more and more enforcement and DPA actions, particularly on the use of cookies and similar technologies. Several German DPAs conducted a joint audit on the use of advertising/ tracking cookies in different sectors (with possible fines/ warnings which are not entirely public yet). Note that the majority of DPA enforcement actions/investigations are not made public (i.e. we assume that many proceedings are ongoing).

It should also be noted that, besides regulatory actions, more and more users (both B2B and B2C) are familiar with the cookie (consent) requirements. Thus, we are seeing and handling more and more cease and desist letters (“private enforcement”). Also the question of whether incompliant cookie set-ups may be subject to damage claims is controversial and a topic of discussion in Germany, but we have seen first proceedings in this respect.

Are there any current consultations relating to ad tech/cookies?

This topic forms part of the above-mentioned audits in question 9. 

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

On 1 December 2021, the TTDSG came into force (implementation of the cookie rules of the e-Privacy Regulation and consideration of the case law of the Federal Court of Justice (ref. I ZR 7/16) and the European Court of Justice – “CJEU” (ref. C 673/17) – Planet49. As a result, we see a clear focus of the German data protection authorities regarding the enforcement of the use of cookies. In addition, there are more and more private enforcement proceedings.