Conference of German Data Protection Authorities issues guidance on tracking and cookies

…and confirms indications from the Bavarian Data Protection Authority earlier this year that legitimate interests may be a valid legal basis in this respect.

By Verena Grentzenberg, Wiebke Jakob & Stefanie Öschay

In its guidance for providers of telemedia services (as of March 2019), the Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder (Datenschutzkonferenz) on the one hand maintains the statements of its position paper of 26 April 2018 on the applicability of the TMG regarding the precedence of the GDPR. On the other hand, the Datenschutzkonferenz examines the legal bases under the GDPR that may apply to tracking and cookies. Accordingly, the use of cookies is not per se subject to consent.

The Conference of the German Data Protection Authorities (DSK) confirms its view on the precedence of the GDPR over the German Telemedia Act (TMG) in its latest guidelines for telemedia service providers, dated March 2019. At the same time, the DSK reviews possible legal bases under the GDPR for tracking and cookies, explicitly stating that consent is not per se required for the use of cookies.

Back in April 2018, the DSK had published a position paper on the applicability of the TMG to non-public bodies from the entry into force of the GDPR, stating that the processing of data in connection with tracking tools always requires informed consent. In that respect, the German data protection authorities had decided to consult the affected trade associations and companies. The guidelines published in March 2019 react to the results of that consultation and complement the 2018 position paper. In addition, they are intended as guidance for implementing the data protection requirements for the processing of personal data in the context of telemedia services.

Applicability of GDPR for telemedia services (e.g. tracking)

The DSK defines “tracking” as the processing of personal data for the purpose of monitoring the individual behavior of users, usually across websites. In doing so, it refers to several publications of European supervisory authorities.

Although the TMG is still in force in Germany, the DSK repeats its earlier opinion that the GDPR takes precedence for the provision of telemedia services. Sections 12 to 15 of the TMG (especially the “opt-out” provision in section 15 (3)) are not applicable in conjunction with Article 95 GDPR, as they do not implement the ePrivacy Directive into German national law. Moreover, the GDPR does not contain an opening clause that would lead to the applicability of section 15 TMG. Therefore, the processing of personal data in connection with cookies and tracking functionalities is only lawful if there is a legal basis under the GDPR (i.e. one of the conditions of Article 6 (1) must be fulfilled).

Legitimate interests as possible legal basis for tracking

In our blog post in March we analyzed a recent statement of the Bavarian Data Protection Authority (DPA) on cyber security as well as on the use of cookies and tracking mechanisms on websites. According to the DPA, companies making use of cookie banners would assume that consent must be obtained from data subjects as the legal basis. By choosing consent as the legal basis but not obtaining valid consent, their processing might be unlawful. From this we understood that the DPA indicated that consent was not the only possible legal basis: if consent were the only applicable legal basis, there would be no doubt that the use of the tracking tools would be unlawful in the case of invalid consent.

In its latest publication, the DSK now confirms this interpretation and states that consent (Article 6 (1) lit. a) GDPR) is not always required in the context of tracking measures. In fact, legitimate interests pursued by the controller (Article 6 (1) lit. f) GDPR) can be considered as an adequate legal basis as well.

For the requirements of Article 6 (1) lit. f) GDPR to be met, a substantive, documented balancing test will be necessary. Controllers need to document (1) their own or a third party’s legitimate interests (e.g. optimization of websites, re-identification of users for personalized advertising, or fraud prevention), (2) the necessity to process personal data in order to pursue these interests, and (3) the interests and freedoms of the users. The reasonable expectations of data subjects, opt-out possibilities beyond the legal requirements, the linking of data, the stakeholders involved and the duration of the tracking shall, inter alia, be taken into account. Insufficient or general findings that data processing is permissible pursuant to Article 6 (1) lit. f) GDPR do not fulfill the legal requirements. If controllers find that their legitimate interests are overridden by the data subjects’ interests and that no other legal basis exists, the processing of data would only be lawful in the case of prior informed consent.

However, the DSK does not specify which tracking tools can be justified on the basis of legitimate interests and therefore do not require consent. The guidelines indicate that this may especially be the case for analytics tools whose sole purpose is to analyze website usage or measure reach, and for tools that do not exchange data with third parties, or at least do not allow the third party to use the collected information for its own purposes, in particular by merging it with its own data.

Tracking requiring consent according to the DSK

The DSK clarifies that “the use of cookies does not require consent per se” (because the cookie consent requirement of the ePrivacy Directive has never been transposed into German law). Therefore, according to the DSK, cookie banners should only be used for collecting consent if consent is actually required, i.e. because the data processing as such cannot be based on another legal basis, such as legitimate interests or, in limited cases, the performance of a contract.

According to the DSK, consent of the data subjects will be required for more invasive tracking tools which, inter alia, process unique identifiers such as IP or MAC addresses, trace user behavior in detail (e.g. logging of keystrokes), rely on “hidden” pixels or device fingerprinting, or have consequences for the content provided to users on other websites and therefore affect their right to information. Such tools fall outside the users’ expectations and therefore, in the DSK’s view, cannot be based on legitimate interests. Also, tracking on websites which are health related or may reveal sexual orientation, such as dating platforms, requires consent, as this may involve the processing of special categories of data (Article 9 (1) GDPR).

Regarding the declaration of consent using cookie banners, the guidelines provide clear instructions: the banner has to show up when the user visits a website for the first time. It has to contain all the information relevant for the user’s consent. Before users give their consent, all cookies, tools and scripts that collect user data must be deactivated. Users shall be provided with a real choice, not only one “OK” button. Also, users shall be able to access the privacy notice and the website’s imprint even while the cookie banner is presented. Tracking may only start after the user has actively given consent (e.g. by ticking the respective boxes). Furthermore, the user must have the option to withdraw consent at any time (Article 7 (3) GDPR). However, the DSK does not illustrate how these requirements can be technically implemented.

Besides, it remains unclear whether one declaration of consent per tool will suffice or whether separate declarations will have to be obtained. The DSK hints that unless users are given the possibility to provide specific (i.e. granular) consent, their consent might be invalid.

The DSK does at least provide the important clarification that, for demonstrating consent under the accountability principle, storing the consent information on the user’s device without a user ID will be sufficient.
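The banner requirements above (banner on first visit, nothing loads before an active choice, granular per-tool consent, withdrawal at any time, and a consent record without a user ID) can be implemented as a small consent gate. The following is an added example, not code from the DSK or the authors of this post; the tool names, the storage key and the in-memory store are assumptions, and honouring a do-not-track signal follows the recommendations at the end of the post.

```javascript
// Added example: a consent gate for consent-gated tracking tools. Storage, script
// loading and the DNT flag are injected so it runs outside a browser; in a page you
// would pass window.localStorage, a function that appends the tool's <script>
// element, and navigator.doNotTrack === '1'.
const TOOLS = ['analytics', 'advertising']; // constructed list of consent-gated tools

function createConsentGate({ store, loadTool, unloadTool = () => {}, doNotTrack = false }) {
  const KEY = 'consent-record';   // assumed storage key
  const loaded = new Set();       // tools whose scripts have been activated
  const read = () => JSON.parse(store.getItem(KEY) || 'null');

  // The banner is needed on the first visit, i.e. while no record exists yet.
  function needsBanner() { return read() === null; }

  // A tool may run only with an explicit opt-in for it and no Do-Not-Track signal.
  function allowed(tool) {
    const rec = read();
    return !doNotTrack && !!(rec && rec.choices[tool] === true);
  }

  // Activate exactly the opted-in tools; nothing is loaded before a choice is stored.
  function apply() {
    for (const tool of TOOLS) {
      if (allowed(tool) && !loaded.has(tool)) { loadTool(tool); loaded.add(tool); }
    }
  }

  // Store granular choices; tools not ticked default to "refused". The record holds
  // only the choices and a timestamp, no user ID (sufficient for accountability).
  function give(choices) {
    const rec = { choices: {}, at: new Date().toISOString() };
    for (const tool of TOOLS) rec.choices[tool] = choices[tool] === true;
    store.setItem(KEY, JSON.stringify(rec));
    apply();
  }

  // Withdrawal (Art. 7 (3) GDPR): flip the choice and let the caller clear cookies.
  function withdraw(tool) {
    const rec = read() || { choices: {} };
    give({ ...rec.choices, [tool]: false });
    if (loaded.delete(tool)) unloadTool(tool);
  }

  return { needsBanner, allowed, give, withdraw, apply, loadedTools: () => [...loaded].sort() };
}

// In-memory stand-in for localStorage so the example runs without a browser.
function memoryStore() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```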

Recommendations for online service providers

Obtaining informed and valid consent for tracking tools is very challenging for legal as well as practical reasons. Therefore, online service providers should carefully assess whether the tools they implement on their websites or in their apps actually require consent. Sometimes small adaptations can make the difference and allow processing to be based on legitimate interests instead (e.g. engaging a third-party service provider as a data processor, or refraining from processing full IP addresses or device identifiers).

In particular, tools for online behavioral advertising will require a careful case-by-case assessment. For such tools it can, for example, be relevant how third parties further process the data: if they use the tool to accumulate large amounts of data on directly identifiable users of a social network, consent will most likely be necessary. For other tools, using cookies with a short storage period, combined with detailed information on how to opt out of or prevent cookies, might justify processing based on legitimate interests. Also, since cookies give users more choices than hidden pixels or fingerprinting tools, they are preferable from a privacy perspective.

Finally, controllers should always proceed as transparently as possible when providing telemedia services, especially by providing detailed information about tools and cookies, implementing functioning opt-out options and respecting the “do-not-track” choices of their users.