Cookie handling following the ECJ ruling
Cookies: Concept and configuration in toujou
»ECJ: No cookies without consent« – Really?
The European Court of Justice published its decision on 1 October 2019, and that same morning, superficial headlines reading essentially »ECJ: No cookies without consent« were imprinted on the consciousness of all website operators. Really, such a pity because everyone likes cookies and they’re indispensable for the advertising industry on the internet. However, neither are of any importance to the operation of a regular website.
The verdict: knowing what it was all really about
»On 24 September 2013, Planet49 organised a competition on the website www.dein-macbook.de for advertising purposes.« For the competition, personal data was collected on a form and a pre-checked checkbox was used to release this data to all partners of the company. One of the partners of the company was a web analysis service Remintrex which was able to use this information to set a cookie.
Anyone who has not yet read the ruling needs to understand that this was a special case, explicitly about collecting user data through a competition. And since many users were obviously sceptical – despite the prospect of winning a MacBook – the consent form was pre-checked from the start. Doesn't feel right, right? It shouldn’t in fact. This was also the opinion of the Verbraucherzentrale Bundesverband (vzbv), the Federal Association of Consumer Centres.
The association filed a complaint with the Regional Court of Frankfurt am Main (Germany), and their main goal was to have Planet49 ordered to stop demanding such declarations of consent. But so far, this doesn't sound like something that will dramatically change the web, does it? No, it doesn’t.
The verdict: What does it really say?
After protracted legal wrangling in Germany, the case was finally before the German Federal Court of Justice. There, the proceedings were suspended and questions were referred to the ECJ for a preliminary ruling. These questions can be roughly outlined: Does it make a difference whether personal data is involved or not and has effective consent been obtained under these circumstances? What information must the user receive about the cookies (duration of function, access by third parties)?
Cutting back to the verdict of the ECJ: It consists of very long box sentences full of legal clauses based on 44 paragraphs of preliminary observations (paragraphs 38-81). Without preliminary observations, the ruling has exactly three major points. If you don't want to indulge yourself, you will find the points here as: tl;dr – please take the time to read everything in full text afterwards, we only want to make it easier to get started:
Too long; didn't read:
- »(...) that the consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent.«
- »(...) are not to be interpreted differently according to whether or not the information stored or accessed on a website user’s terminal equipment is personal data within the meaning of Directive 95/46 and Regulation 2016/679.«
- »(...) that the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.«
Very briefly: Consent is to be given actively and explicitly. This applies to all data. website operators must inform about the duration and access to this data. All right, makes sense. Or does it?
Google Analytics vs. your digital footprint
When the ECJ includest »hidden identifiers« in its ruling, data protection authorities write that third party services may no longer be included without consent if they can use personal data for their own purposes. This resulted in the belief that Google Analytics can no longer be used without the active consent of the website visitors. For most website operators, this makes the use of Google Analytics pointless – who would actively consent to tracking when all they want to do is to visit a website?
Here again, we are talking about personal data. If no personal data is collected, Google Analytics falls into the same category as the managed tracking via Matomo or something similar. So what exactly does Google Analytics do and is personal data actually collected?
Anonymised IP: An IP can be used to identify a user, even if the most private users have a constantly changing IP from their internet provider. Through IP anonymisation the last three digits of an IP are not stored, which makes it impossible to assign it to specific connections (source: Google).
Problem solved, right? Analytics no longer knows who your visitor is? Unfortunately this is not the case. This is where we need to look closely at other data collected and examine it logically and with common sense. Are you familiar with the Analytics statistics »returning visitors«? Analytics is obviously aware of whether a visitor has already visited your website or not, which falls into the category of a »hidden identifier«. Analytics stores this information because the corresponding cookie is valid for two years and is extended by two years with each visit – so it practically could never end. And even if Analytics doesn’t know who you are, multiple visits can be used to create a motion profile – which brings us back to personal data.
Remove »identifiers« via session cookies: The IP is anonymized and it shouldn’t be possible to identify a visitor or to create recurring motion profiles. Analytics offers a solution for this scenario by changing the »Cookie expiration« setting to 0. Once this is done the cookie will be deleted once the browser is closed. This means that your website won’t recognize a returning visitor and will not create motion profiles (source: Google).
Google uses IP anonymization and session cookies to store information anonymously and does not recognize the user – which by definition protects all data, since neither recognition nor continuous surfing profiles are created. The only »restriction« is that you will no longer see any »returning visitors« in your analytics statistics.
However, for website operators, this means collecting at least partly reliable data about the relevance and use of their own site. Of course, actively avoiding the collection of personal data is only one part of the story, since Google Chrome alone can bring far more data to Google than the analytics of a website operator can collect.
Recommendations for action and personal responsibility
Instead of blindly following the supposed recommendations for action of the press (whose main concern is for you to read their article), the IT department (who leave the decision to you), data protection authorities (who suggest that everything is evil) or data protection experts (whose advice gives meaning; more advice gives more meaning), we recommend a basic understanding of what, why and for which purpose data collection on your website is done. After all, you ultimately get to decide how to use it. And as with almost every business decision, there are different reasons behind every type of application.
In principle, we recommend collecting basic data, because at some point you will need to make statistical evaluations of your website in order to decide on the sense, quality or even nonsense of your own digital content. The more conservatively you proceed with data collection and the more you inform yourself, the more relaxed you can be about the next GDPR hype.
We do recommend a higher level of caution and more personal responsibility when it comes to using Facebook, Instagram and Co. All of these platforms offer easy ways to embed content. And while you still have a contract with Google Analytics for data processing on behalf, the integration of third-party providers usually presents a poorer picture!
Our reaction: New cookie handling in toujou
Following the principle of personal responsibility, we would like to give you the best options for cookie handling with toujou. Without just simply giving in to the hype, we have examined the ruling of the European Court of Justice and used our expertise to form a rational approach and we have expanded our data protection configuration for Google Analytics. We’ve listed your new and improved configuration options below:
Tracking without restrictions
Please do not take this idea as a serious recommendation: Since all configurations in toujou are optional, you could of course allow for very simple website tracking. Without notice or consent. Of course, this is highly problematic and we strongly advise against this!
Regular tracking with opt-out
Google Analytics is activated from the first time a user accesses the site and the website's cookie notice gives them the direct option of preventing tracking. This information is stored in a cookie and is therefore necessary information. This opt-out method works for all devices!
Since the Google Analytics cookie is stored for two years, even with an »opt out« there is still a possibility to interpret personal data because of the permanently assignable surfing behaviour that is collected on your website.
Tracking with session restriction with opt-out
This is our recommendation for using Google Analytics and how we should use tracking. Since Google Analytics is activated the first time a user accesses the site and the opt out cookie notice gives visitors the direct option to stop tracking. Better yet, this opt-out method works on all devices! The information that is stored in the cookie is still necessary information.
To avoid collecting personal data by definition, we limit the duration of the Google Analytics cookie to the current browser session. As described above, we therefore have non-assignable and one-time statistics about the visit. In contrast to an opt-in, this data is also fairly accurate and you get a basic feeling for the number of users on your website.
Tracking with opt-in
If you want to follow the recommendations of the data protection authorities, you can also use Google Analytics in toujou with the opt-in procedure. In this scenario, your visitor must actively give their consent to tracking, which gives you a clear statement of intent in the process.
In this scenario, it is also possible to restrict tracking to the current browser session. However, we consider this step unnecessary in the context of an opt-in.
This works too. If you definitely don't want to have anything to do with the notion of cookies, simply don't enter any tracking information at all. toujou won’t save a cookie, since it isn’t required. There is only one exception: if your pages require an age restriction, these settings would need to be saved in a cookie.
Judgment of the Court of Justice
»Reference for a preliminary ruling — Directive 95/46/EC — Directive 2002/58/EC — Regulation (EU) 2016/679 — Processing of personal data and protection of privacy in the electronic communications sector — Cookies — Concept of consent of the data subject — Declaration of consent by means of a pre-ticked checkbox«
IP anonymisation with Google Analytics
Technical explanation of the anonymization of IP addresses in Analytics
Session cookies via Google Analytics
An Analytics cookie with two years of storage becomes a session cookie that only applies to the visit.