Cookie policy explained

A cookie consent box can be found on most websites nowadays. Often, the text is placed in a strikingly colored text box at the top of the logo area or at the bottom of the footer area. The text informs the visitor in more or less detail that the website uses cookies and that the visitor agrees to the use of cookies by clicking on “OK”, which represents an opt-in. Additionally, the visitor can read the privacy policy.

Is such a cookie note mandatory in Germany?
This article discusses the following aspects:

  • the definition of cookies,
  • which types of cookies are used,
  • which cookies are used in Google’s web services,
  • what Google has to do with the whole story,
  • the explanation of the terms opt-in and opt-out,
  • what the legislator stipulates in the Telemedia Act about the cookies used on one’s own website,
  • a conclusion that summarizes the various statements on cookie policy and puts them in a final context.

What are cookies and what forms of cookies are there?

According to Wikipedia, “cookies serve to store information associated with a website or domain locally on the computer for some time and to transmit it to the server on request” (Wikipedia, Cookie, 05.05.2017).

The cookies stored locally in the web browser can be used for technical purposes and for non-technical purposes. Internetwarriors.de says that cookies […] may, according to the directive, be set unsolicited only if they are necessary for a functional purpose.
The functionality of such cookies relates to managing the user-selected language, storing the shopping cart locally on the user’s device, or, for example, the automatic login (“stay logged in”) when returning to an HTTP website on which you have previously registered and logged in. On the other hand, there are cookies that are not technically necessary and can be used for other purposes. We’ll take a closer look at them using the cookies used by Google.

The cookie policy provides the user with the “OK” button (opt-in). Opt-ins are familiar from newsletters: e-mails may not be sent to a user without prior consent (opt-in). To make sure that ads are not sent without consent, e-mail marketing even requires a double opt-in, in which the user must authenticate via a link.

Opt-out as a rejection

The opt-out gives the user the opportunity to decline or revoke a service. This may be the refusal of cookies that are not technically necessary. Opt-outs are also found in other areas, such as e-mail newsletters. By clicking an “Unsubscribe” link placed in the footer area, the user performs an opt-out, i.e. an objection to further newsletter mailings.

The intent of Google’s User Agreement Policy is to disclose all data collected about the user and to obtain consent to the procedure.

Which cookies does Google use for its web services?

The cookies used by Google are intended for the identification of the user and serve both the user and Google. The cookies Google uses serve users of Google products in the areas of website appearance, session status, security, analytics, processes, and advertising.

Google stores cookies for regional settings, e.g. for retrieving weather reports, language setting and opt-out of a particular font size on different devices. Google also uses security cookies to “authenticate users, prevent fraudulent use of credentials, and protect users’ data from unauthorized access.”

The cookie session_status assumes the role of analyzing the interaction between a user and a web page, such as “which pages users visit most frequently and if they receive error messages from certain pages”. Even without this cookie, the website can be displayed correctly. It is therefore a technically unnecessary cookie.

The cookie for Google Analytics allows the website operator to create usage statistics. However, Google admits that “along with some of the advertising cookies described above, Google’s products, such as Google Search, as well as the entire web, are more relevant for ads.” For this to apply, however, advanced functionality would have to be used in Analytics, for example retargeting would have to be set up.

The Processes cookies are technically necessary cookies. Google uses them for proper functionality, e.g. of Google Docs.

Google also uses cookies for advertising. Google makes (abbreviated and translated) the following statements:

Cookies are usually used to improve […] campaign performance reporting or to prevent a user from seeing the same ads multiple times. […] For example, we use cookies to track your recent searches […] This way we can show you personalized ads on Google.

Our main ad serving cookie for non-Google sites is id or IDE. It is stored in browsers under the domain doubleclick.net. […] Other Google products, such as YouTube, may also use these cookies to select more relevant advertisements. Sometimes a cookie is set for ad specs for the domain of the visited web site. For our DoubleClick product, a cookie called “gads” may be set for the domain of the website you are visiting. […] Google also uses conversion cookies, which are primarily intended to help advertisers identify how many of the users who click on their ads […] are not used by Google to target personalized advertising and stored for a limited period of time. We use a cookie called “Conversion” […] We also use cookies called “AID” and “TAID” to link your activity to different devices if you previously signed in to your Google Account on another device. This is used to co-ordinate advertisements that are displayed on different devices for you, as well as to measure conversion events.

Which cookies need to be pointed out

[…] Website operators […] need, according to hosting.1und1.de, […] the consent of the user. This applies to all cookies, […] especially advertising cookies that are used for retargeting […]. One such advertising service is Google Adsense (https://www.google.com/adsense/login/en/), which uses products and services from other websites to promote its use, which is a classic case of individualized advertising by setting cookies.

The situation is somewhat different for the analytics service Google Analytics: the service uses the cookie to represent the behavior of returning users on one’s own website. User IPs can be anonymized (Google Analytics IP anonymization).
In this case, the data cannot be used for advertising because the obtained user data is anonymized and can no longer be attributed to a person.

How can these statements now be reconciled with the Telemedia Act (TMG)? Among other things, the Telemedia Act mentions the following three important points.

The Telemedia Act and the notification of the user about data storage

It stipulates that users are […] to be informed comprehensibly and comprehensively about data storage. This requirement can easily be met by a corresponding note in the privacy policy.

The Telemedia Act and usage data for market research purposes

The Telemedia Act states in § 15 para. 5 that, for the purposes of market research of others, […] anonymized usage data may be transmitted to service providers. For the purposes of analysis, the data obtained can therefore be transferred anonymously without any problems if this is implemented accordingly.

The Telemedia Act and the possibility of objecting to data storage

The Telemedia Act stipulates that users can object to data storage. Such an objection is called “opt-out”. In the past, an opt-out as a link in the privacy policy was sufficient for Google Analytics. There are implementations that enable the opt-out from within the privacy policy. For this, the embedded code has to be modified a bit. At present, many implementations of the cookie notice are just a text box containing information about the use of cookies. The visitor must agree if he wants to use the page, or otherwise leave the page. On many websites, however, the cookies are set even without the opt-in. The opt-in consent should also be technically implemented, so that, for example, tracking with Google Analytics does not start until consent has been given (opt-in). Websites that implement data protection this strictly have already been criticized by users.
Website visitors should be informed in as user-friendly a way as possible about the use and rejection of cookies. What this could mean in concrete terms was explained by the EU Data Protection Commissioners of the “Article 29” group at the end of 2011 (source: Heise Verlag; “Google-committed-Adsense-user-on-cookie-note”, https://www.heise.de/newsticker/meldung/Google-verpflichtet-Adsense-Nutzer-auf-Cookie-Hinweis-2765082.html; 08.05.2017).
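A technically implemented opt-in as described above can be sketched as a small consent gate. This is an added example, not code from the article or from Google; createConsentGate, the key "cookie_consent" and the start/stop callbacks are hypothetical names, and in a browser the start callback would be the place where the analytics script is injected.

```javascript
// Added example: opt-in gate for an analytics tracker. All names are hypothetical.
// store: object with get(key)/set(key, value), e.g. a wrapper around a first-party cookie.
const CONSENT_KEY = "cookie_consent"; // constructed key name

function createConsentGate(store, startTracker, stopTracker) {
  let running = false;
  const state = () => {
    const v = store.get(CONSENT_KEY);
    return v === "granted" || v === "denied" ? v : "unset";
  };
  // Start tracking only if consent is on record; never on "unset" or "denied".
  const apply = () => {
    if (state() === "granted" && !running) {
      startTracker();
      running = true;
    }
    return running;
  };
  return {
    state,
    init: apply, // call on every page load, before any tracking code
    optIn() {
      store.set(CONSENT_KEY, "granted");
      return apply();
    },
    optOut() {
      store.set(CONSENT_KEY, "denied");
      if (running) stopTracker();
      return (running = false);
    },
  };
}

// Simulated visits with an in-memory store, so the example runs outside a browser.
function demo() {
  const log = [], m = new Map();
  const store = { get: (k) => m.get(k), set: (k, v) => m.set(k, v) };
  const visit = () =>
    createConsentGate(store, () => log.push("start"), () => log.push("stop"));
  visit().init();   // first visit, no click: nothing starts
  visit().optIn();  // click on "OK": tracker starts
  const g = visit();
  g.init();         // return visit: starts from the stored consent
  g.optOut();       // objection: tracker stops and the choice is stored
  visit().init();   // later visit: tracker stays off
  return log;
}
```

The point of the gate is the ordering: the tracker callback is reachable only through a stored "granted" value, so a banner that is merely displayed or ignored never starts tracking.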

So far it was assumed that cookies could be used only after explicit consent. As Heise reports, the European Data Protection Supervisors working together in the Article 29 Group have softened the rules for obtaining consent to the use of cookies, so that only implicit consent is required.
The justification given is that the […] necessary awareness has meanwhile developed, not least because of the banners and pop-ups about the use of the files that are unavoidable on many British websites (Heise; “British DPA Dodges Cookie Rules”, https://www.heise.de/newsticker/meldung/Britische-Datenschutzbehoerde-weicht-Cookie-Regeln-auf-1797116.html; 08.08.2017). Previously, the UK DPA had pushed for greater attention to the new EU rules.

The site of the British inspector itself now only shows an info box at the bottom on the first visit, stating that cookies are used. In addition, visitors are referred to the Authority’s privacy policy and to information about how to control and manage the browser files. The user can click this information away or simply ignore it. It will not appear on another visit unless the cookie is deleted. Previously, users of the site had to actively agree to the setting of the file and click an eye-catching corresponding declaration.

(Heise; British DPA Dodges Cookie Rules; 08.08.2017)
