How compliant is your cookie banner? An important German case provides more clarity!


Have you ever heard about dark patterns and deceptive designs in the context of a cookie banner and compliance with the e-Privacy directive? No? Then this court case might be a good opportunity to learn about it. The judgment was issued by the Landgericht Rostock (pdf in German) on 15 September 2020, ref. 3 O 762/19 (summary in German and a very good analysis in English here), and I comment on it in this article.

Cookie compliance is a complex area at the intersection of technology and data privacy. What makes it more complicated in the EU is that cookie law refers to both the e-Privacy directive (cookie directive) and the GDPR. The fact that e-Privacy is a directive means that it requires implementation in each EU country. Guidance and interpretation can therefore still differ between EU countries, while all industries are waiting for the e-Privacy Regulation to get finalized.

_______________________________

THE ADVOCADO CASE EXPLAINS HOW TO DESIGN A COOKIE BANNER

A quite important German court case on data privacy and cookie banners (let’s call it the “Advocado” case) was recently issued in the field of cookie compliance. This ruling explains in more detail how cookie banners have to be designed. Maybe we should say: it clarifies how cookie banners should not look! The German judgment also takes the opportunity to provide more information about how transparently website operators must treat their joint controllership relationship with third parties vis-à-vis users. In that context, website operators should take care to inform users appropriately about third parties’ plugins to avoid infringing the law.

In this court case, the German court first confirms where consent is required, which is in particular the case for non-essential cookies. This is not really new since the Planet49 ruling issued by the EU Court of Justice on 1 October 2019. In Planet49, the ECJ issued a long-awaited clarification about essential vs. non-essential cookies, although many questions still remained unanswered. Planet49 mainly addressed the following elements (among others):

  • consent is required for all non-essential cookies
  • zero cookie load
  • no pre-ticked boxes are permitted
  • collecting personal data is not relevant for cookie compliance
  • GDPR consent requirements (and fines) apply in the context of cookies (see the summary of recent cases below)

With those statements, controllers have to take clear actions for cookie compliance and, where necessary, assess their banners and cookie notices, map their practices with third parties and modify them appropriately.

_______________________________

WHAT THE ADVOCADO CASE SAYS

Advocado GmbH is a company which uses a website to offer an online service that helps people find a lawyer. The cookie banner configured on the website initially provided several pre-ticked boxes. This means that all boxes, including non-essential cookies, were activated by default. During the trial, the company changed its practice to propose an accept all / deny all banner, where the “accept all” button was highlighted in flashy green and the “deny all” button in a light grey. Obviously non-compliant, one may say?

What is interesting in this German court case is that the judgment not only explains that consent is required for non-essential cookies, that zero cookie load before consent is necessary or that consent should be granular. This should be known by all website operators. It explains in more detail how controllers shall design their cookie banners.

The end of dark patterns

The Landgericht Rostock explains how to remain transparent, fair, unambiguous and concise in the short summary box that controllers / website operators have to display in the first cookie banner pop-up. The first text displayed in the cookie compliance pop-up is very often produced by simply copying and pasting information from other websites. Well, think twice before doing this, especially if you use such cookies to share data, for marketing purposes or for targeted ads, as this activity is riskier and more intrusive. Data Protection Authorities are now very sensitive to every bit of text included in banners: they look at cookie notices and consent management tools, and they are actively scanning websites for compliance!

The explanations of the court especially ban bad practices that would constitute “dark patterns”, i.e. designs that deceive users into a reaction. With dark patterns, a cookie banner is designed in such a way that, although it provides a certain degree of choice, it remains misleading by nudging users to consent to cookies and, thus, steering their choice towards a more intrusive option.

_______________________________

KEY TAKEAWAYS FROM THIS RULING

In this judgment of 15 September 2020, ref. 3 O 762/19, the Federation of German Consumer Organisations (vzbv) filed a complaint against “advocado”, an online service that helps people find a lawyer. The court found that:

1. Using tracking technologies for analysis and marketing purposes requires consent.

This applies in particular when collecting personal data to share it with third parties.

  • It is interesting to read that the Google Analytics cookie requires consent. Not explicitly, but the ruling suggests that if Google Analytics does not transmit any personal data to other websites, the consent requirement may not apply. The reason is that there may likely not be a risk for the rights and freedoms of data subjects. This is a position that may work in Germany and is validated by other data protection authorities, such as in France. This is also the position of the Swiss Commissioner. However, this is a concept and a rule that requires further harmonization and clarity. When using analytics cookies, I strongly recommend reading the latest guidance from the data protection authorities of each relevant EU country. For Germany, you may have to read the guidance from each of the 16 German Data Protection Authorities. They may provide stricter rules, including consent for analytics cookies even where no personal data is processed. You should not assume that aggregate analytics is always exempt from cookie compliance; assess it on a case-by-case basis.
2. Cookie banners that have all boxes pre-ticked, even if a user can deselect them and choose “see more”, are unlawful.
3. It is unlawful to use a cookie banner with accept all / deny all options when highlighting the “accept all” option and pre-loading cookies.

This requires applying the following recommendations:

  • Cookie banners, and the way controllers provide transparency through them, must be designed in an equal, transparent and fair manner to comply with e-Privacy and the GDPR.
  • Do not copy-paste the content of a box from another website without analyzing what your website is actually doing, collecting and placing in terms of cookies. Instead, suggest privacy-by-default choices (the less intrusive choice) and explain clearly what this means for users.
  • Do not use colours to highlight what you would like users to click on. Influencing the choice of users would likely constitute a prohibited dark pattern that may be unlawful in some EU countries.
  • Clicking on an “Accept All” button should not mean that all cookies have been pre-selected or that non-essential cookies are already loaded.
4. Confirmation that using Google Analytics and the Facebook pixel means joint controllership (art. 26 GDPR).
5. Failing to provide the essence of the contract with Google and Facebook is against the GDPR.

Joint controllership means that both parties, the website operator and the third party, have clear obligations together. The controller and the third party are jointly responsible for explaining to the user what the purpose of the processing of personal data is, and the “essence of the arrangement” for using such a plugin.

According to the Landgericht Rostock, users must receive a copy of the “essence of the arrangement” between the website owner and those third parties. This applies when integrating third-party cookies transmitting personal data. Since third-party providers (also) process personal data for their own purposes, the court considered that Advocado infringed privacy laws. It failed to comply with its obligation to provide information about the essence of the joint controllership agreement. This obligation applies when integrating the Google Analytics cookie on a website, which is a third-party cookie.

  • This is pretty significant and will be difficult in practice for most small to mid-size website operators, who have to make this effort on their own in compliance with art. 26 of the GDPR.
6. The burden lies with the website operator to demonstrate compliance (burden of proof).

The website operator has to show that its website uses a design that complies with data protection laws. This includes third-party plugins, such as Google Analytics or Facebook pixels. Those are important points for the industry to take into account. Also, it is worth noting that, contrary to what one might think, cookie compliance is not that obvious in Germany, in particular from an enforcement perspective. Reading the above commentaries shows that Germany may not be the strictest country in this sector. See below for more information about recent case law on cookie compliance, the e-Privacy directive and sanctions issued by data protection authorities.
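As an added illustration (not code from the article or from Advocado), the following consent model encodes the design rules listed above: every non-essential category starts unchecked, no third-party loader runs before an explicit choice, "accept all" and "deny all" go through the same code path, and a pre-consent audit flags cookies that are not on the essential allowlist (the "zero cookie load" check). Category names, the loader map and the sample cookie jar are assumptions constructed for the example.

```javascript
// Added example: default-deny consent state for a cookie banner (illustrative names).
const CATEGORIES = ["analytics", "marketing"]; // non-essential categories that need consent

function newConsentState() {
  // No pre-ticked boxes: every non-essential category starts as "not consented".
  const state = { decided: false, choices: {} };
  for (const c of CATEGORIES) state.choices[c] = false;
  return state;
}

function decide(state, choices) {
  // Granular decision: only categories explicitly set to true are granted;
  // anything missing from the user's choice stays denied.
  const next = newConsentState();
  next.decided = true;
  for (const c of CATEGORIES) next.choices[c] = choices[c] === true;
  return next;
}

// "Accept all" and "deny all" are both ordinary decisions, with no special shortcut
// that could pre-load cookies for one of them.
const acceptAll = (state) => decide(state, Object.fromEntries(CATEGORIES.map((c) => [c, true])));
const denyAll = (state) => decide(state, {});

function loadTags(state, loaders) {
  // Run a third-party loader (e.g. an analytics or pixel snippet) only once its
  // category has been positively consented to; before any decision nothing runs.
  const loaded = [];
  if (!state.decided) return loaded;
  for (const [category, load] of Object.entries(loaders)) {
    if (state.choices[category] === true) {
      load();
      loaded.push(category);
    }
  }
  return loaded;
}

function auditPreConsentCookies(cookieNames, essentialAllowlist) {
  // Zero-cookie-load check: any cookie present before a decision that is not on
  // the essential allowlist is a finding to investigate.
  const allowed = new Set(essentialAllowlist);
  return cookieNames.filter((name) => !allowed.has(name));
}

// Constructed sample: cookie names observed before any banner interaction.
const SAMPLE_PRECONSENT_COOKIES = ["PHPSESSID", "_ga", "_gid", "_fbp"];
const ESSENTIAL_ALLOWLIST = ["PHPSESSID"];
```

In a real deployment `loadTags` would be called from the banner's click handler and `auditPreConsentCookies` from an automated check over `document.cookie` on a fresh profile.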

_______________________________

RECENT COURT CASES ON COOKIE COMPLIANCE E-PRIVACY & GDPR

We already commented that authorities warned AdTech industries about compliance on this matter. Not only are they now actively scanning websites, but they are also enforcing the law. In France, the CNIL issued three fines in late 2020 for breach of the e-Privacy directive and the GDPR for unlawful use of cookies.

Amazon.fr fined €35M by the CNIL:

In this case, Amazon violated both the French Data Protection Act (loi informatique et libertés), which implements the e-Privacy directive, and the GDPR, regarding:

  • poor information in the cookie banner about the use of ads
  • no real way to object to the cookies, and
  • many cookies were loaded before consent was provided

Google.fr fined up to €100M by the CNIL: Google violated French law for:

  • Google used cookies for advertising purposes and placed them automatically on users’ computers, without requesting any action on their part
  • lack of information provided to the users of the search engine google.fr
  • partial failure to provide the « opposition » mechanism

Carrefour.fr fined €3M by the CNIL:

This case is not specific to cookies, and there are other infringements of the GDPR.

Here, Carrefour placed Google Analytics and other tracking technologies and cookies on its French site Carrefour.fr. The CNIL found that Carrefour did not use Google Analytics exclusively to enable or facilitate electronic communications. This means that Carrefour’s use of it was not strictly necessary for the provision of the service.

In particular, Carrefour used such analytics cookies together with Google Ads to measure the conversion rate of users. Carrefour then pushed ads with a better auction in order to monetize this activity, done by tracking the user’s navigation. It is worth mentioning that the CNIL based the violation for the use of such cookies and Google Analytics on art. 82 of the French Data Protection Act, implementing the e-Privacy Directive, but calculated the fines under the GDPR.

_______________________________

CONCLUSION

Cookie law is a complex matter that has not reached harmonization yet. This ruling and other recent cases in France demonstrate the importance of cookie law. It has become an important area that requires due care to protect users’ use of electronic communications. 2021 will be an important year to observe the privacy landscape. In particular, everyone awaits the enactment of the e-Privacy Regulation to harmonize what has become a difficult area.

I anticipate 2021 and 2022 will be the years of Data Protection Authorities. We may also see more innovation in the cookie and consent management tools sector. Data Protection Authorities are showing tech giants and AdTech companies that monetizing EU personal data requires compliance. Without such compliance with cookie privacy rules, the use of tracking technologies may not be the best idea.

We are seeing initiatives to advertise privacy as a marketing advantage, such as Safari blocking cookies by default on Apple devices. Will this become the next trend? Is this for the good of consumers or for the benefit of large organizations that do not need competitors? What about abuse of dominant positions that increase certain GAFAM monopolies?

It will be interesting to see how cookie banner design will influence the use of tracking technologies!

__

By Gabriel Avigdor, CIPP/E

NTIC.ch