Cookies may only be stored on users' systems if they have expressly consented. In addition, users must be informed in detail when the cookie data is passed on to third parties. This applies regardless of whether the information retrieved is personal data or not. This was decided by the European Court of Justice (ECJ) in the case. Every website operator must now take care of the correct implementation of the judgment, because the ECJ has also made it clear that infringements can be warned.
For website operators, the following points are important:
- Website operators are always responsible for data breaches. This also applies if third parties violate data protection guidelines, but the information relevant to data protection law has been transmitted by the website operator.
- The unsolicited transfer of user data to websites violates data protection law: This applies in particular to the function buttons of social networks. If these are loaded by the user's browser from social network systems when the website is accessed, this is an unsolicited transmission.
- Competition associations may warn website operators for a fee. Avoid warnings by having your page created in compliance with data protection. NetAlive can review your site for the first time within 24 hours and show you your need for action.
- For cookies that are set for tracking or advertising purposes, real user consent is required. A cookie notice banner is not enough. It is also not enough if a cookie notice has only the option to accept. And: The user's selection must have a function. If a user decides against the storage of cookies, the website must actually take this into account.
David Bouck-Standen (M.Sc.)
Sen. IT-Consultant, NetAlive Ltd