Is social media analytics dead

Important ECJ ruling on cookies: Are Google Analytics and online marketing now at an end?

(70 ratings, 3.83 out of 5)

Hardly a week goes by without new messages about cookies, tracking, Google Analytics and consent solutions. A GDPR without specific regulations. A CJEU ruling that states that tracking cookies can only be set with the express consent of the user. 12 individual press releases from the state data protection officer on this topic. How can website operators still track legally compliant? Here you will find the current status with specific tools and tips for implementation ...

 

1. Google Analytics and cookies before the GDPR
2. Google Analytics according to the GDPR
3. Tracking cookies according to the current ECJ rulings
4. Which consent tools do we recommend?
5. Do not forget to adapt the data protection declaration
6. Checklist for Consent Tools
7. By when / by when does the consent solution have to be implemented on websites?
8. Is there really no solution without consent?
9. How does eRecht24 implement the consent?
10. Update: What exactly do the data protection authorities say?
11. The most common questions and answers

The most frequently asked question in the last few months was: Why doesn't eRecht24 present the one simple and legally secure solution for the cookie / tracking problem? Simple answer: Because there is unfortunately no such ONE solution:

1. Legally, a lot is still unclear. And it is of little use to a website operator if he has to read every week: “Another new cookie judgment that hardly anyone understands and is practically impossible to implement”.

2. Because changes in the area of ​​consent, cookies and analytics have far-reaching consequences for the business models of companies and website operators. And these cannot be changed on a weekly basis or simply reversed.

3. Because we do not want to limit ourselves to statements on the legal side, but always want to propose solutions that are technically, economically and practically feasible.

Legally it would be easy to say: "Tracking cookies may only be set with express, informed, verifiable and revocable consent.".

This statement is legally 100% correct. However, it will practically not help most companies. Much more important is: How can you actually implement these requirements?

1. Google Analytics and cookies before the GDPR

Before the GDPR, the legally secure integration of Google Analytics was possible under certain conditions. AV contract, IP anonymization, working opt-out solution, etc.

As far as cookies are concerned, there was one Germany (for very complicated legal reasons that we do not explain here) that an opt-out is sufficient for third-party and tracking cookies. The user was informed via a cookie banner, but the cookies were set anyway. The user then had to contradict somehow.

However, after the last ECJ rulings, both are no longer possible.

2. Google Analytics according to the GDPR

With the introduction of the GDPR, it was often pointed out that "tracking" is only regulated by the ePrivacy Regulation and that website operators can refer to the legitimate interest in Article 6 (1) (f) of the GDPR until then.

However, we are currently aware of the first threats of fines from data protection authorities in connection with Google Analytics, Criteo and Double Click. No fines have been imposed yet. So far, there have only been threats of fines by the Bavarian and Lower Saxony data protection authorities.

The upcoming ePrivacy Regulation will also no longer allow third-party tracking cookies to be used indefinitely without consent.

3. Tracking cookies according to the current ECJ rulings

In the last few weeks there have been several rulings by the ECJ dealing with these questions. In a nutshell: Tracking cookies may no longer be set without the users' real consent. It does not matter whether the cookies actually store personal data or whether only anonymous data is stored.
However, not all cookies are affected. So-called first party cookies, which are required for a website, are also allowed without consent. These are for example:

  • Shopping cart cookies
  • Cookies for logins
  • Cookies that relate to a country or language selection
  • Cookies that set consent tools for cookie consent

The current discussion is essentially about marketing and tracking cookies. We therefore recommend using Google Analytics & Co. only with prior consent via a consent tool.

4. Which consent tools do we recommend for consent?

Usercentrics

The Consent Tool from Usercentrics is an individual professional solution that can normally cost several hundred euros a month. The Consent Tool works for most website types regardless of the CMS used.

We can offer all eRecht24 Premium users a solution from Usercentrics that Included exclusively in eRecht24 Premium at no additional cost is and currently implements the 50 most important tools such as Google Analytics, Facebook Pixel, GoogleMaps, YouTube, Xing, Twitter and Google TagManager.

With this solution, eRecht24 Premium users save a lot of money:
https://www.e-recht24.de/lösungen/

Since the tool works independently of a CMS on as many websites as possible, you need some programming know-how for the correct integration.

Borlabs Cookie: PlugIn for Wordpress

If you work with WordPress and want to use a plug-in, we recommend Borlabs Cookie. We have one with Benjamin Bornschein, the CEO and developer of Borlabs Cookies Discount of up to 45% for eRecht24 Premium users agreed:
https://www.e-recht24.de/lösungen/

As an agency member, you can also use the discount offer for your customers' websites.

Consent Management Provider (CMP)

The "Consent Management Provider" tool also works independently of a specific CMS, so it is not limited to Wordpress, for example.

There is a free version with some restrictions and up to 10,000 page views / month. For the paid version, eRecht24 Premium users receive a 25% discount.

What do I do if none of these solutions appeal to me?

There are of course numerous other providers, all of which have certain advantages and disadvantages. Regardless of whether for technical, economic or legal considerations:

If you cannot find a solution on the market that meets your requirements, the only thing left is to have a solution developed for your websites and services yourself.

5. Do not forget to adapt the data protection declaration

If you use consent tools, you must also adapt your data protection declaration. We have already included a passage in our premium data protection generator for companies for all three of the consent tools presented:
https://www.e-recht24.de/lösungen/tools/projekt-manager/

6. A checklist for consent tools

Regardless of which consent tool you choose, please check whether these requirements are met:

  • The consent must be given by the user and must not be ticked by default
  • Before giving consent, the tool must block all cookies (except for the Consent Tool's own cookie)
  • Cookies may only be set after the consent of the user
  • Each tool must be named individually in the consent box
  • The consents can (according to the current status) be summarized in groups and do not have to be declared individually for each tool
  • Present your consent tool in your privacy policy

7. From when / until when does the consent solution have to be implemented?

The current ECJ judgment (advertising consent Planet49) of October 1, 2019 does not decide the original case, it goes back to the BGH for the time being. Just like the ECJ case on the Facebook button (Fashion ID) first goes back to the Düsseldorf Higher Regional Court.

But: The German courts will adhere to the requirements of the ECJ in their judgments. And the data protection authorities will probably also follow this view.

That is why there are no fixed deadlines for implementation. But you shouldn't take too much time, as the opinion of the ECJ has been clear since October 1, 2019.

8. Is there really no solution without consent?

But. Perhaps. But probably only with a lot of manual effort and not without legal risk.

For example, one question is whether tracking is still possible without consent, for example via locally integrated services such as Matomo. Or whether the ECJ rulings also affect a service like eTracker, which currently assumes that no separate consent is required for its tracking.

In addition, there are complex manual solutions for your site or your individual CMS, which individually prevent unsolicited data transmission through the countless tools and plug-ins on websites. You can find an example of how the implementation for a Wordpress website can look like here:
https://raidboxes.de/dsgvo-wordpress-technische-masshaben/

9. What does eRecht24 do?

  • We have consistently used the GDPR to remove services that access user data without being asked.
  • When it comes to social media, likes and shares on Facebook, Twitter, LinkedIn, Xing & Co., we use our safe sharing tool:
    https://www.e-recht24.de/erecht24-safe-sharing.html
    When "entering" the website, no data is transmitted to the social media platforms.
  • As far as tracking is concerned, we have decided not to use Google Analytics at the moment.
  • We check whether solutions like eTracker can still be used without consent.
  • For the consent on the eRecht24 website, we also use the Usercentrics solution integrated in eRecht24 Premium.

10. Update: What do the data protection authorities say about this?

The data protection authorities have published 12 individual (!) Press releases on the subject of “Cookies, Tracking Tools and Consent” in a “wraparound”. Each of the 12 federal states in its own communication. Each of the 12 authorities with different and sometimes different arguments.

The basic message is the same for all of them: Services that evaluate and use the data of the website operator like Google Analytics are only allowed with consent. With or without cookies.

Here you can see the view of "your" data protection authority on the question of cookies, tracking and Co.:

Bavaria
https://www.lda.bayern.de/media/pm/pm2019_14.pdf

Berlin
https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191114-PM-Analyse_Trackingtools.pdf

Brandenburg
https://www.lda.brandenburg.de/cms/detail.php/bb1.c.650416.de

Hamburg
https://datenschutz-hamburg.de/pressemitteilungen/2019/11/2019-11-14-google-analytics

Hesse
https://datenschutz.hessen.de/pressemitteilungen/einbendung-von-drittdienstleistungen-diensten-webseiten-und-apps

Lower Saxony
https://lfd.niedersachsen.de/startseite/allgemein/presseinformationen/google-analytics-und-ahnliche-dienste-nur-mit-einwilligung-zulassig-182595.html

NRW
https://lfd.niedersachsen.de/startseite/allgemein/presseinformationen/google-analytics-und-ahnliche-dienste-nur-mit-einwilligung-zulassig-182595.html

Rhineland-Palatinate
https://www.datenschutz.rlp.de/de/aktuelles/detail/news/detail/News/google-analytics-und-aehnliche-dienste-nur-mit-einwilligung-nutzbar/

Saarland
https://www.datenschutz.saarland.de/ueber-uns/aktuelles/nachricht/pressemitteilung-vorsicht-bei-einberung-von-analyse-diensten-auf-websites-website-betreiber-soll/

Saxony
https://www.saechsdsb.de/presse/597-presseerklaerung-vorsicht-bei-einbendung-von-analyse-diensten-auf-websites-website-betreiber-sollten-ihr-angebote-ueberpruefen

Schleswig-Holstein
https://www.datenschutzzentrum.de/artikel/1302-Achtung,-Webseiten-Betreiber-Bitte-Einbichtung-von-Analyse-Diensten-ueberpruefen.html

Thuringia
https://www.tlfdi.de/mam/tlfdi/presse/191114_pressemitteilung_zu_google_analytics.pdf

11. FAQ

Are there different cookies or types of cookies?

Yes. So-called first party cookies, which the website operator sets himself, for example for login settings or shopping carts. These cookies are not transferred to other companies. Then there are third party cookies. These cookies are set by external providers and are transmitted and evaluated for marketing and tracking purposes.

Are cookie banners still sufficient or do I have to use a consent banner / consent tool?

A mere cookie notice banner is not enough. Site operators who use cookies for advertising and tracking purposes must integrate a consent solution via a consent tool.