On May 28, 2020, the German Federal Supreme Court handed down its decision in the Planet 49 case regarding the consent requirements for the use of cookies. The decision follows the Court of Justice of the European Union’s preliminary ruling of September 10, 2019. The decision has not yet been published, but the court has issued a press release.

The court decided that the use of pre-ticked boxes was not a valid form of obtaining consent for cookies before May 24, 2018, and remains an invalid way of obtaining consent under the GDPR. The court’s decision applies the German provisions on cookies in the German Telemedia Act, which it interprets in light of the EU Directive on Privacy and Electronic Communications (“ePrivacy Directive”).

According to the court, the use of cookies that create user profiles for advertising or market research purposes requires consent. Consent is required even where users are assigned a randomly generated ID number and the data collected through the cookies is “pseudonymised”. Although this appears to contradict Section 15(3) of the Telemedia Act, which allows the creation of user profiles using a pseudonym for the purposes of advertising and market research “unless the user objects”, the court clarifies that this provision needs to be interpreted in line with the ePrivacy Directive. In the court’s logic, a user who has not given his or her valid consent has objected to the creation of user profiles. For this reason, the Telemedia Act is in line with the ePrivacy Directive and both require consent for the creation of user profiles used for advertising or market research purposes.

The court’s decision addresses a much-debated topic in Germany, namely whether the provisions on cookies of the Telemedia Act continue to apply after the entry into application of the GDPR. The German Supervisory Authorities are of the opinion that the provisions of the Telemedia Act do not implement the ePrivacy Directive and are, therefore, no longer enforceable because they conflict with the GDPR. According to the court, the fact that the Government has not amended the abovementioned Section 15(3) of the Telemedia Act means that it is of the opinion that the provision appropriately transposes the ePrivacy Directive. According to the court, it is possible to interpret Section 15(3) of the Telemedia Act in a way that is in line with the ePrivacy Directive.

Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, cloud-services, digitalization/ industry 4.0, IT related bank regulatory matters, IT-compliance, incl. cybersecurity and data protection.

Furthermore, Lars is also focused on interfaces to other practice areas to the extent that IT related matters are affected, e. g. regulatory requirements for banking and financial services as well as public procurement law.

Anna Sophia Oberschelp de Meneses

I advise companies across the EU on technology laws, with a focus on data protection, cybersecurity, and current consumer protection laws. I help businesses navigate complex regulations like the GDPR, AI Act, Digital Services Act, Unfair Commercial Practices Directive, and the upcoming Digital Fairness Act, turning legal requirements into practical, business-friendly solutions.

In data protection, I support tailored GDPR compliance, international data transfers, and privacy-conscious marketing. On cybersecurity, I guide clients through risk assessments, incident response, and evolving laws such as NIS2 and the Cyber Resilience Act. Regarding consumer protection, I advise on existing laws to help businesses revise their terms and conditions for compliance and review online interfaces to ensure all mandatory consumer information is clearly provided, tackling issues like dark patterns and unfair contract clauses.

Fluent in multiple languages and experienced across borders, I’m passionate about helping clients embed compliance into their operations and thrive in the fast-changing digital landscape.