The 5 Best WordPress Cookie Plugins in 2022 (In-Depth Comparison)
Legal situation in Germany
This blog post is not legal advice! As a blogger and WordPress expert, I have dealt intensively with applicable data protection law, but I am not a lawyer. Therefore, I cannot assume any liability for the completeness, topicality and correctness of the content provided by me.
The legal situation regarding the handling of cookies was vague in Germany for a long time.
Directive 2009/136/EG (cookie directive) passed by the European Parliament in 2009 should already provide clarity, in which an opt-in for cookies was prescribed.
However, this directive has not been transposed into German law for more than a decade, creating a legal gray area (even after the introduction of the pan-European GDPR in May 2018).
However, a judgment of the Federal Court of Justice (BGH) of May 28th, 2020, which confirmed the obligation to give consent according to the cookie directive, provided more clarity.
The judgment of the BGH was preceded by a judgment of the ECJ on October 1st, 2019.
In doing so, the BGH refers primarily to Section 15 (3) of the Telemedia Act:
(3) The service provider may create user profiles using pseudonyms for the purposes of advertising, market research or for the needs-based design of the telemedia, unless the user objects to this. […]
The last bold part is interpreted in the decision of the BGH as if the user has consented:
In the absence of (effective) consent In view of the fact that the legislator saw the Union law consent requirement implemented with § 15 para. 3 sentence 1 TMG, which according to this provision of the admissibility of the creation of usage profiles opposing contradiction can be seen.
Further details and a comprehensive FAQ can be found at Attorney Dr. swing.
What types of cookies do I need an opt-in for?
For cookies used to create user profiles for market research or advertising purposes. Because these are not absolutely technically necessary or “essential” and therefore require consent.
These include with great certainty:
- Facebook pixel
- Advertising service cookies (such as Google AdSense, Ezoic, Media.net, plista, Taboola, Amazon Native Shopping Ads, Outbrain etc.)
- Google Analytics with activated advertising functions (e.g. when using Universal Analytics with User ID, target groups, link to AdSense or Google Ads or activated reports on demographic characteristics and interests)
Which cookies are technically necessary?
In addition to advertising cookies, there are types of cookies that are not affected in the same way by the judgments of the German Federal Court of Justice and the European Court of Justice and do not require consent.
This can be inferred from Art. 5 Para. 3 of the ePrivacy Directive of 2002:
Member States shall ensure that the storage of information or access to information already stored in a subscriber’s or user’s terminal equipment is only permitted if the subscriber or user concerned, on the basis of clear and comprehensive information that he or she has obtained in accordance with the Directive 95/46/EC on the purposes of processing, among other things, has given his consent. This does not prevent technical storage or access if the sole purpose is to transmit a message via an electronic communications network or when strictly necessary for the provider of an information society service expressly requested by the subscriber or user to provide that service.
“Strictly necessary” cookies almost certainly include:
- Cookies to store cookie preferences
- Cookies to save font size or language selection
- Cookies to save the login status of a user
- Cookies to implement necessary security measures (e.g. defense against brute force attacks)
- Shopping cart cookies (Cookies that are deleted when the browser is closed, e.g. to save a shopping cart)
- Load balancing cookies (distributing the server load)
Can cookies be grouped together when consent is given?
There are no court decisions on this yet.
According to an FAQ of the LfDI Baden-Württemberg, the possibility of dividing cookies into individual categories is permitted.
In its orientation guide, the DSK also only speaks of naming the individual actors, but not of the fact that consent must be given separately for each individual actor:
For example, when you first open a website, the banner appears as a separate HTML element. As a rule, this HTML element consists of an overview of all processing operations that require consent naming the actors involved and whose function is adequately explained and can be activated via a selection menu.
Do I need an opt-in for Matomo?
In general, Matomo (formerly Piwik), if you run it on your own server, is considered to be more privacy-friendly than Google Analytics.
In addition, the analysis tool can also be used without cookies (however, user profiles are also created without cookies).
However, it depends on how you use it.
If Matomo is only used to create visitor statistics, the legal risk of using it without an opt-in is, according to lawyer Dr. Swivel low. On the other hand, if you use it to create user profiles for market research or advertising purposes, things are different.
Do I need an opt-in for Google Analytics?
As with Matomo, the first thing that matters is how you use Google Analytics:
If you have advertising features enabled (e.g. Universal Analytics with User ID, audiences, link to AdSense or Google Ads, or enabled demographics and interests reporting) then definitely.
However, if these are deactivated and you have also activated IP anonymisation, consent using a cookie plugin or another consent tool may not be absolutely necessary.
But (once again) opinions differ.
The BayLDA and the LfDI Baden-Württemberg are e.g. B. is of the opinion that Google Analytics can generally only be used with consent.
The DSK also does not consider user IDs, such as those used in Google Analytics (also independent of anonymizeIP), to be pseudonymisation:
With regard to the use of pseudonyms, it should generally be noted that the fact that users can be identified via IDs or identifiers, for example, is not a pseudonymization measure i. s.d. GDPR represents.