Whether cookies are personal data matters for several reasons. The GDPR regulates (only) personal or personally identifiable data, not cookies specifically. Both are also relevant for supervisory authorities and possibly their power to impose fines.
Introduction
The article was written before the TTDSG became known and came into force. I have adapted it. In its original form it still carries over to the current legal situation. Only the references, now to the TTDSG instead of the ePrivacy Directive or the TMG, are to be evaluated differently.
We've also taken up this topic in our Datenschutz Deluxe-Podcast (Episode 18).
Notably, the GDPR does not apply specifically to cookies, but rather to personal data. The TTDSG, on the other hand, states that cookies may only be stored on or read from a user's device if the person affected has consented (technically necessary cookies are exempt). This article was created before the TTDSG came into effect and refers to parts of the TMG. The TTDSG is a special law relative to the GDPR, also referred to as lex specialis.
Are cookies personal data?
The BGH decided in mid-2020 in the Planet49 ruling that § 15 Abs. 3 TMG is to be interpreted in conformity with Art. 5 Abs. 3 ePrivacy Directive. The German legislator was once again very slow and, contrary to the European requirement, had not implemented the ePrivacy Directive into national law. Only on December 1, 2021 did the TTDSG come into force as a data protection law for Germany, which implements the European requirement. In May 2024, the TTDSG will be merged into the TDDDG and the TMG into the DDG. The new laws are identical to the old ones and have only a new designation (since "services" instead of "media" are now taken into account).
Until December 1, 2021, Section 15 (1) TMG was also interesting. It begins:
The service provider may only collect and use a user's personal data insofar as this is necessary to enable and bill for the use of telemedia (usage data).
Section 15 (1) TMG (excerpt)
This passage is particularly relevant when it comes to the question of whether German data protection supervisory authorities can impose fines for illegally used cookies. It ultimately comes down to the question of whether cookies are personal data or not. I am not considering the country-specific laws of the German data protection authorities here, although these might possibly make the question of the personal reference of cookies obsolete in individual cases.
What are cookies?
Cookies are data storage units. A cookie is managed on the user's device. A user is the owner of a device. When a user calls up a website via their browser, the browser manages the cookies of the visited website for the user. The browser stores the cookies in an arbitrary format of its own choosing.
A cookie consists of a data pair made up of a name and a value. This data pair is sent to the website when the website is accessed. If a website integrates plugins and these plugins use cookies, the plugins receive these data pairs. What is sent from the user's end device to the telemedia service accessed is therefore not the cookie itself, but the name and value of each cookie.
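The distinction drawn above, as an added example that is not part of the original article: a simplified JavaScript model of a browser cookie jar, showing that attributes such as lifetime and path stay on the device while only name=value pairs are transmitted, to the visited site and to an embedded plugin host alike. The host names, cookie names and values are constructed, and the matching rules are reduced to exact host and path.

```javascript
// Added illustration with constructed data. Simplified model: exact-host
// matching only, no Secure/SameSite/HttpOnly handling.
const jar = []; // browser-internal storage; servers never see this structure

// Parse one Set-Cookie response header and keep the cookie plus its attributes.
function storeCookie(host, setCookieHeader, now = Date.now()) {
  const [pair, ...attrs] = setCookieHeader.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return false; // no name, nothing to store
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   host, path: "/", expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "path" && val.startsWith("/")) cookie.path = val;
    if (key === "max-age" && /^-?\d+$/.test(val)) cookie.expires = now + Number(val) * 1000;
  }
  // A cookie with the same name, host and path replaces the stored one.
  const old = jar.findIndex((c) =>
    c.name === cookie.name && c.host === host && c.path === cookie.path);
  if (old >= 0) jar.splice(old, 1);
  jar.push(cookie);
  return true;
}

// Path matches when equal or when the request path lies below the cookie path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  const prefix = cookiePath.endsWith("/") ? cookiePath : cookiePath + "/";
  return requestPath.startsWith(prefix);
}

// Build the Cookie request header: only name=value pairs leave the device.
function cookieHeaderFor(url, now = Date.now()) {
  const { hostname, pathname } = new URL(url);
  return jar
    .filter((c) => c.host === hostname && pathMatches(pathname, c.path))
    .filter((c) => c.expires === null || c.expires > now)
    .sort((a, b) => b.path.length - a.path.length) // longer paths first
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed responses: the visited site and an embedded plugin host set cookies.
storeCookie("shop.example", "session=abc123; Path=/; Max-Age=3600; HttpOnly");
storeCookie("shop.example", "lang=de; Path=/account");
storeCookie("plugin.example", "uid=7f3c9e; Path=/; Max-Age=31536000");
```

The long-lived `uid` value returned to the plugin host on every embedding page is the kind of online identifier the definitions quoted below refer to.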
Cookies are "only" one type of end device access. Such access can also take place with JavaScript. The TTDSG even addresses end devices such as screenless sensors that send their measured values via a network. Updates can be installed for such end devices. Such updates are also accesses analogous to cookies.
What is personal data?
The TMG did not provide sufficient information on this. There is also little in the TTDSG. Instead, you can refer to the BDSG and the GDPR, both of which (I am not a lawyer) could be relevant to the TTDSG. At least the GDPR is relevant for data protection authorities. And at least the BDSG or the GDPR is relevant for the TTDSG, in my naive opinion. Please correct me if I am wrong.
Section 46 No. 1 BDSG states: Personal data are
any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
Section 46 No. 1 BDSG (excerpt)
Art. 4 No. 1 GDPR contains almost identical wording: Personal data are
any information relating to an identified or identifiable natural person (hereinafter referred to as 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Art. 4 No. 1 GDPR (excerpt)
According to the definitions in the BDSG and GDPR, a data item that can be linked to a person is to be regarded as personal data. Only natural persons are meant here.
The question of whether cookies constitute personal data can therefore be reduced to the question of whether cookies constitute personally identifiable data. In any case, data is more likely to be personally identifiable than personal. That much is clear from the definition.
Are cookies personal data?
The actually relevant (simpler) question.
What are cookies?
Cookies are data sets. Cookies have been proven not to be text files,




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
