German Privacy Regulators Urge Government To Strengthen Cookies Consent Requirement

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jabeen Bhatti

Feb. 20 — The German Conference of the State and Federal German Data Protection Authorities Feb. 18 made public a resolution asking the government to strengthen the requirement that website operators request users' permission before tracking their online activities with cookies.

In a Feb. 18 statement, the conference called on the German government to implement the resolution, which was adopted Feb. 5, into national law.

It urged the government to “finally” change national law to fully adhere to Article 5(3) of the European Union e-Privacy Directive (2002/58/EC). In 2009, the directive was amended (2009/136/EC) to add cookies consent requirements.

Cookies contain snippets of information on an Internet user's computer, for example, to remember log-in details or to fill out an online shopping cart form. But cookies can also be used to track visitors from site to site, allowing marketing companies to build a profile of a potential customer and target them with specific advertising based on their behavior.

Consent Issues 

Under a strict interpretation the amendments, websites are required to inform users in the EU and obtain their permission before using all cookies and other technologies that allow the tracking of user behavior.

The Article 29 Working Party of data protection officials from the EU member states issued an opinion in June 2012, stating that users must be given specific information about the use of cookies on a website and provide consent before the use of cookies begins. But cookies necessary to carry out the transmission of communications or that are otherwise “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service” are exempt from the consent requirement, the opinion said.

In October 2013, the Art. 29 Party issued cookies consent compliance guidance that reiterated the need for user notice and consent in advance of the placement of most cookies.

Call to Change National Law 

The conference resolution said the Telemedia Act (TMG), which contains data protection provisions governing online activities, doesn't properly implement the cookies restrictions of the EU e-Privacy Directive.

The German government considers the TMG, which doesn't require visitor permission for cookies but gives users the right to object to them, to be sufficient to implement the directive.

“We request the government to strengthen Internet users' right to informational self-determination by changing the law,” Jörg Klingbeil, the state of Baden-Württemberg's data protection chief, said in a separate Feb. 18 statement.

“An operator of a website has to inform a visitor about the use of cookies right after the site is opened, and obtain explicit consent for it,” he said.

The federal data protection authority has repeatedly expressed its discontent over the government's failure to adopt the EU provisions governing cookies. “For users, this means that they can't exercise their privacy rights on the Internet to the full extent,” Federal Data Protection Officer Andrea Voszhoff said in the conference statement.

“The German legislature has to finally ensure that these rights aren't denied to Internet users any longer,” he said.

To contact the reporter on this story: Jabeen Bhatti in Berlin at

To contact the editor responsible for this story: Donald G. Aplin at

The resolution is available, in German, at