On May 28, 2020, the German Federal Supreme Court handed down its decision in the Planet 49 case regarding the consent requirements for the use of cookies. The decision follows the Court of Justice of the European Union’s preliminary ruling of September 10, 2019. The decision has not yet been published, but the court has issued a press release.

The court decided that the use of pre-ticked boxes was not a valid form of obtaining consent for cookies before May 24, 2018 and remains an invalid way of obtaining consent under the GDPR. The court’s decision applies the German provisions on cookies in the German Telemedia Act which it interprets in light of the EU Directive on Privacy and Electronic Communications (“ePrivacy Directive”).

According to the court, the use of cookies that create user profiles for advertising or market research purposes require consent. Consent is required even where users are assigned a randomly generated ID number and the data collected through the cookies is “pseudonymised”. Although this appears to contradict Section 15(3) of the Telemedia Act, which allows the creation of user profiles using a pseudonym for the purposes of advertising and market research “unless the user objects”, the court clarifies that this provision needs to be interpreted in line with the ePrivacy Directive. In the court’s logic, a user that has not given his or her valid consent has objected to the creation of user profiles. For this reason, the Telemedia Act is in line with the ePrivacy Directive and both require consent for the creation of user profiles used for advertising or market research purposes.

The court’s decision addresses a much-debated topic in Germany, namely whether the provisions on cookies of the Telemedia Act continue to apply after the entry into application of the GDPR. The German Supervisory Authorities are of the opinion that the provisions of the Telemedia Act do not implement the ePrivacy Directive and are, therefore, no longer enforceable because they conflict with the GDPR. According to the court, the fact that the Government has not amended abovementioned Section 15(3) of the Telemedia Act means that it is of the opinion that it transposes appropriately the ePrivacy Directive. According to the court, it is possible to interpret Section 15(3) of the Telemedia Act in a way that is in line with the ePrivacy Directive.

Photo of Lars Lensdorf Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, digitalization/ industry 4.0, IT related bank regulatory matters and data protection. Dr. Lensdorf’s practice covers all types of IT and outsourcing agreements, all matters of digitalization and industry…

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, digitalization/ industry 4.0, IT related bank regulatory matters and data protection. Dr. Lensdorf’s practice covers all types of IT and outsourcing agreements, all matters of digitalization and industry 4.0, including online procurement platforms, IT-compliance matters (including cybersecurity) as well as data protection.

Furthermore, he is also focused on interfaces to other practice areas to the extent that IT related matters are affected, e. g. regulatory requirements for banking and financial services as well as public procurement law. A significant part of Dr. Lensdorf’s practice is currently advice in connection with the implementation of the GDPR (data protection) in Europe.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.