Liability for the Use of Cookies Without Prior Consent
The Higher Regional Court of Frankfurt am Main addressed in a ruling (Case No. 6 U 192/23, judgment of July 25, 2024) the responsibility of an international technology corporation in connection with the use of cookies on websites. The underlying proceedings examined whether and to what extent companies are liable for data protection violations that occur during the integration of their services into third-party websites.
Background of the Proceedings
Facts of the Case
In the case in dispute, an operator of a website used an embedding solution from a U.S. software company on its site, which automatically set both technically necessary and unnecessary cookies. In this specific case, there was neither an effective consent management nor consent provided by the users for the use of these cookies. An organization representing consumers’ interests subsequently filed a lawsuit for violations of applicable data protection law and competition law.
Complaint Path and Previous Proceedings
In the first instance, the Regional Court took the position that liability for illegal cookie tracking was essentially attributable to the embedded software solution, not to the company using the solution on its page. In the appeal process, the Higher Regional Court examined whether the provider of the software service, in this case Microsoft Ireland Operations Ltd., also has direct joint responsibility in terms of the General Data Protection Regulation (GDPR) and competition law.
Key Statements of the Judgment
Provider Bears Joint Responsibility as a (Joint) Controller
The Higher Regional Court believes that the relevant European regulation – specifically Article 26 § 1 GDPR – provides for joint responsibility between service provider and website operator for the processing of personal data through cookies. Crucial to this is that both parties could influence the data processing operations. In this context, the court noted that the defendant software division of Microsoft had independently set the key specifications for cookie implementation and potential data transfers to third parties.
Obligation to Actively Obtain Consent
Furthermore, the decision affirmed that for cookies that are not necessary for the technical operation of the site, prior informed consent from users must always be obtained. In the absence of an effective consent management, there is a violation of § 25 TTDSG.
Relevance for Competition Law
In addition to data protection law consequences, the ruling also sees liability on the part of the service provider in terms of competition law. Users are disadvantaged in shaping their privacy through uncollected consents. This opens up the possibility of enforcing violations through competition law actions, including injunctions.
Conclusion and Outlook
The judgment of the Higher Regional Court in Frankfurt am Main has further specified the requirements for the data protection-compliant use of cookies and underscores the joint responsibility of service providers and operators in complying with the GDPR. The proceedings are legally concluded; as far as known, an appeal to the Federal Court of Justice is not permitted.
For companies and operators of digital services, the obligations to obtain explicit consents and to meticulously design embedding solutions are thus further tightened. For further questions in the area of data protection law, a profound legal assessment of the individual situation is recommended. More information and the possibility Legal Advice on Data Protection can be found on the website of MTR Legal Attorneys.
