Judgment of the OLG Frankfurt from June 27, 2024 – Az.: 6 U 192/23
If cookies are stored on a user’s devices without their consent, not only the operator of the website can be held liable, but also the provider of the tracking software used. This was decided by the OLG Frankfurt in a judgment dated June 27, 2024 (Az.: 6 U 192/23). With this decision, the OLG has obligated a major IT corporation to refrain from storing cookies on users’ devices without their consent.
When visiting websites on the internet, users are regularly asked to agree to or reject the use of cookies. Cookies are small files stored on the devices of website visitors, such as PCs, smartphones, etc., allowing the visitor to be recognized and personalized advertising to be displayed.
User Must Consent to Storage
According to § 25 TDDDG, storing information on users’ devices or accessing information already stored is only permissible if the end user has given their consent based on clear and comprehensive information. The end user must be informed about who is accessing their device, in what manner, and for what purpose. If cookies are set without the required consent, the affected user may have claims for injunction against the website operator, according to the business law firm MTR Legal Rechtsanwälte, which also advises on IT law.
With its judgment from June 27, 2024, the OLG Frankfurt has gone a step further and decided that the provider of the tracking software can also be held liable if cookies are set without consent.
In the underlying case, the plaintiff objected to the storage and reading of cookies on their devices without consent. The defendant is a subsidiary of an IT corporation. Its service offers website operators the ability to place ads in search results and measure the success of advertising campaigns. To do this, information about website visitors is collected with the help of cookies and targeted advertisements are displayed to the visitors.
Information Stored and Read with the Help of Cookies
The defendant provides website operators with a code that they can integrate into their own website. When the site is then accessed, cookies are set on the user’s device or already existing cookies are read. The defendant contractually obligates website operators to obtain the necessary consents from users. The consent must be given explicitly through a confirmatory action. Consent can usually be obtained through the well-known cookie banners.
The plaintiff argued that cookies were set on their devices without their consent and demanded that the defendant cease this practice.
The Frankfurt Regional Court had initially rejected the issuance of a preliminary injunction. However, the plaintiff succeeded in the appeal proceedings before the OLG Frankfurt. The defendant had violated legal requirements by setting cookies without the necessary authorization, according to the OLG. The law prohibits “anyone from accessing networked terminal devices without the end user’s consent,” the OLG Frankfurt emphasized.
Ban Also Applies to Technology Providers
The ban applies to anyone intending a specific storage or access action. Therefore, the ban also includes the defendant, who provides the relevant technology. They store information through cookies on users’ devices and access the stored information by having it provided by the website operators. Thus, they have adequately caused the storage of cookies without consent, according to the OLG Frankfurt.
The defendant also cannot rely on the website operators to obtain the consent. They remain responsible for proving that the user has consented to the setting of cookies. They must ensure that this consent is present, the OLG Frankfurt further explained.
With this decision, the OLG Frankfurt has clarified that users can not only take action against website operators for data protection violations due to unauthorized use of cookies but also against the providers of the technology.
MTR Legal Rechtsanwälte advises on IT law.
Feel free to contact us!
