Are cookies personal data?
Whether cookies are personal data matters for several reasons. The GDPR regulates (only) the handling of personal or personally identifiable data, not cookies as such. Both questions are also relevant for the supervisory authorities and for their power to impose fines.

Introduction

This article was written before the TTDSG became known and came into force. I have since adapted it. Its original reasoning carries over to the current legal situation; only the references to the TTDSG, which replace those to the ePrivacy Directive or the TMG, have to be read differently.

We've also taken up this topic in our Datenschutz Deluxe-Podcast (Episode 18):

Notably, the GDPR does not apply to cookies specifically, but to personal data. The TTDSG, on the other hand, states that cookies may only be stored on, or accessed in, a user's end device if the data subject has consented (technically necessary cookies are exempt). This article was created before the TTDSG came into effect and refers in parts to the TMG. In relation to the GDPR the TTDSG is a special law, also referred to as lex specialis.

Are cookies personal data?

For various reasons, my answer is: Yes, cookies are personally identifiable data and therefore personal data.

In mid-2020, the BGH decided in the Planet49 case that § 15 (3) TMG is to be interpreted in conformity with Art. 5 (3) of the ePrivacy Directive. The German legislator had, once again, been very slow and had not transposed the ePrivacy Directive into national law, contrary to the European requirement. Only on December 1, 2021 did the TTDSG come into force as the German law that implements that requirement. In May 2024 the TTDSG was renamed the TDDDG and the TMG was replaced by the DDG. The new laws are essentially the old ones under a new designation (since "services" rather than "media" are now addressed).

Until December 1, 2021, § 15 (1) TMG was also of interest. It begins:

The service provider may only collect and use a user's personal data insofar as this is necessary to enable and bill for the use of telemedia (usage data).

§ 15 (1) TMG (excerpt)

This passage is particularly relevant to the question of whether German data protection supervisory authorities can impose fines for unlawfully used cookies. It ultimately comes down to the question of whether cookies are personal data or not. I am not considering the laws of the individual German states governing the data protection authorities here, although these might, in individual cases, make the question of the personal reference of cookies moot.

What are cookies?

Cookies are data storage units. A cookie is managed on the user's device, and a user is the owner of a device. When a user calls up a website in their browser, the browser manages the cookies of the visited website on the user's behalf. The browser stores the cookies in whatever format it chooses.

A cookie consists of a data pair made up of a name and a value. This pair is sent to the website whenever the website is accessed. If a website integrates plugins and these plugins use cookies, the plugins receive these data pairs. Strictly speaking, no "cookies" are sent from the user's end device to the telemedia service accessed, but the name and value of each cookie.

Cookies are "only" one type of end device access. Such access can also take place via JavaScript. The TTDSG even covers end devices such as screenless sensors that send their readings over a network. Updates can be installed on such end devices, and such updates are also accesses, analogous to cookies.

What is personal data?

The TMG did not say enough about this, and there is also little in the TTDSG. Instead, one can refer to the BDSG and the GDPR, both of which (I am not a lawyer) could be relevant to the TTDSG. At least the GDPR is relevant for the data protection authorities, and at least the BDSG or the GDPR is relevant for the TTDSG; that is my naive opinion. Please correct me if I am wrong.

§ 46 No. 1 BDSG states: Personal data are

any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person

§ 46 No. 1 BDSG (excerpt)

Art. 4 No. 1 GDPR contains almost identical wording: Personal data are

any information relating to an identified or identifiable natural person (hereinafter referred to as 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Art. 4 No. 1 GDPR (excerpt)

Under both definitions, the mere fact that a data item can be linked to a person means that it is to be regarded as personal data. Only natural persons are meant here.

The question of whether cookies are personal data can therefore be reduced to the question of whether cookies are personally identifiable, i.e. relatable to a person. In any case, the bar for data being relatable to a person is lower than for it being personal in the narrow sense. That much is clear from the definition.

Are cookies personally identifiable?

This is the actually relevant (and simpler) question.

What are cookies?

Cookies are data records. Contrary to what many claim, cookies are demonstrably not text files. Nor do they become text files just because no better term comes to mind that is "easily understandable" in the sense of the GDPR. There are better terms than "text file" that are still understandable, for example "information morsel" instead of "data record", although I believe "data record" is easy enough to understand. Better still is to describe what cookies are used for, namely storing information on the user's computer (or on another end device, such as a smart home device).

A cookie consists of a tuple, that is, a value pair formed from a name and a value. That it is a tuple does not matter; a single one-dimensional value is equivalent, obtained by concatenating name and value with a defined separator between them.

A cookie comes into existence when a service generates it. The service can be the visited website itself, which generates its own cookies as needed. This often happens for session management: in this way it can be tracked whether a user is logged in or not. WordPress, for example, uses cookies to enable user login. Only so-called first-party cookies arise this way, attributable both technically and functionally to the first party. The first party is the operator of the website, i.e. the controller.

In addition, a cookie can be generated by JavaScript logic running in the page. Technically, this also produces first-party cookies, because the script writes them under the visited website's own domain. Functionally, however, a cookie written by the Google Analytics script is a third-party cookie, because it is managed by Google.

Lastly, cookies can be created when files are retrieved from another server. For example, when a website embeds Google reCAPTCHA, files are retrieved from Google's servers, and the responses set cookies for Google's domain. These cookies are third-party cookies both technically and functionally.

Process                                    Technical cookie type   Functional cookie type
Website manages its own cookies            First-party             First-party
Third-party JavaScript logic               First-party             Third-party
File retrieval from third-party server     Third-party             Third-party

Overview of cookie types
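The three rows of the table can be made concrete by modelling what a browser does in each case. The following Python script is an added example for this article, not code from dr-dsgvo.de: it files cookies the way a browser does (host-only versus a Domain attribute), decides which name=value pairs go into the Cookie header of a request, and classifies each stored cookie technically (by the site it is filed under) and functionally (by the party whose server or script produced it). The host names, the cookie values and the simplified two-label "registrable domain" rule are assumptions made for the illustration; the cookie names wordpress_logged_in, _ga and NID are the familiar ones, but their values here are constructed.

```python
"""Minimal model of how a browser files cookies and which ones it sends.

Added example for this article, not code from dr-dsgvo.de. Host names and
cookie values are constructed; registrable_domain() is a deliberate
simplification (no public-suffix list).
"""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Simplified 'site' of a host: its last two labels. Assumption: no
    public-suffix list, so hosts under e.g. co.uk are not handled correctly."""
    return ".".join(host.lower().split(".")[-2:])


@dataclass(frozen=True)
class StoredCookie:
    name: str
    value: str
    domain: str       # host the browser files the cookie under
    path: str
    host_only: bool   # no Domain attribute: sent to exactly this host
    set_by: str       # party whose server or script produced the cookie


def parse_set_cookie(header: str, response_host: str, set_by: str) -> StoredCookie:
    """Turn one Set-Cookie header into the record a browser keeps."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    domain, path, host_only = response_host.lower(), "/", True
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val:
            domain, host_only = val.strip().lstrip(".").lower(), False
        elif key == "path" and val:
            path = val.strip()
        # Secure, HttpOnly, SameSite, Expires: irrelevant for this classification
    return StoredCookie(name.strip(), value.strip(), domain, path, host_only, set_by)


class BrowserSession:
    """Cookie jar of one browser user while one top-level page is open."""

    def __init__(self, top_level_url: str) -> None:
        self.host = urlsplit(top_level_url).hostname
        self.site = registrable_domain(self.host)
        self.jar: list[StoredCookie] = []

    def _store(self, cookie: StoredCookie) -> None:
        # same name, domain and path: the new cookie replaces the old one
        self.jar = [c for c in self.jar
                    if (c.name, c.domain, c.path) != (cookie.name, cookie.domain, cookie.path)]
        self.jar.append(cookie)

    def response(self, url: str, set_cookie: str, set_by: str | None = None) -> None:
        """A server response with a Set-Cookie header (rows 1 and 3 of the table)."""
        host = urlsplit(url).hostname
        self._store(parse_set_cookie(set_cookie, host, set_by or registrable_domain(host)))

    def script_writes(self, cookie_string: str, set_by: str) -> None:
        """document.cookie = ... executed inside the page: even a third party's
        script writes under the page's own host (row 2 of the table)."""
        self._store(parse_set_cookie(cookie_string, self.host, set_by))

    def cookie_header(self, url: str) -> str:
        """The Cookie request header for url: names and values only, no attributes."""
        parts = urlsplit(url)
        host, path = parts.hostname, parts.path or "/"
        sent = []
        for c in self.jar:
            if c.host_only:
                domain_ok = host == c.domain
            else:
                domain_ok = host == c.domain or host.endswith("." + c.domain)
            path_ok = path == c.path or path.startswith(c.path.rstrip("/") + "/")
            if domain_ok and path_ok:
                sent.append(f"{c.name}={c.value}")
        return "; ".join(sent)

    def classify(self) -> dict[str, tuple[str, str]]:
        """name -> (technical type, functional type), as in the overview table."""
        out = {}
        for c in self.jar:
            technical = "first-party" if registrable_domain(c.domain) == self.site else "third-party"
            functional = "first-party" if c.set_by == self.site else "third-party"
            out[c.name] = (technical, functional)
        return out


def demo() -> BrowserSession:
    """The three cases of the table on one constructed page visit."""
    s = BrowserSession("https://www.example-shop.de/")
    # row 1: the site's own login cookie
    s.response("https://www.example-shop.de/wp-login.php",
               "wordpress_logged_in=bob%7C1700000000%7Cabc; Path=/; HttpOnly")
    # row 2: an analytics script fetched from a third party runs in the page
    #        and writes its client ID under the page's own domain
    s.script_writes("_ga=GA1.2.123456789.1638877882; Domain=example-shop.de; Path=/",
                    set_by="google.com")
    # row 3: an embedded CAPTCHA fetches files from the third party's server,
    #        whose response sets a cookie for that server's domain
    s.response("https://www.google.com/recaptcha/api.js",
               "NID=204=ZmFrZQ; Domain=.google.com; Path=/; Secure; HttpOnly")
    return s


if __name__ == "__main__":
    session = demo()
    for name, (technical, functional) in session.classify().items():
        print(f"{name:20} technical={technical:12} functional={functional}")
    print("Cookie header to the shop:   ", session.cookie_header("https://www.example-shop.de/wp-admin/"))
    print("Cookie header to the CAPTCHA:", session.cookie_header("https://www.google.com/recaptcha/api2/anchor"))
```

Run as a script, it prints the classification and the two Cookie headers: the request to the shop carries both the login cookie and the analytics client ID, although the latter was written by a third party's script (technically first-party, functionally third-party), while the request to the CAPTCHA host carries only the cookie that host itself set. The Cookie header contains nothing but names and values, which is the point made above about what actually leaves the device.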

Cookies are managed separately for each browser user. Each user therefore potentially has different cookies on their device than other users. As far as websites are concerned, cookies are currently the most common form of information within the meaning of § 25 TTDSG that is stored on the user's device (alongside browser storage such as localStorage). On smartphones, the advertising IDs of Apple and Google are added. With Google FLoC, a since-abandoned approach by Google to be more privacy-friendly, cohort IDs were stored on the user's device. Google Topics likewise accesses the user's device.

Which cookies are stored on a device depends on which websites the user has visited beforehand. This alone shows that so-called cookie scanners can never work reliably.

What data do cookies store?

There is no general answer to this question. Potentially, all kinds of data can be stored in one or more cookies. Here are a few examples of cookie values. Only the values are listed: the cookie name determines how its value is to be interpreted, and the meaning of each value is given in the second column.

Value                          Exemplary meaning
X                              Cookie popup has been confirmed ("yes/no" information)
ab6729cc92027fd165442          Unique identifier for a user
2021-12-07 12:51:22            Timestamp, e.g. last visit to the website
UA-4711-4712                   Google Analytics account of the website operator
7777-8888-9999-aaaa-2222       Google ID of the user who is logged into their Google account
8.56829,50.223355557           Location of the user (geographic coordinates)

Examples of cookie values

Several of these values (the unique user identifier, the Google ID of the logged-in user and the location) are directly person-related. If a value stored in a cookie is person-related, it logically follows that the cookie as the data container is person-related as well. After all, the concrete value of the cookie is transmitted with every request to the corresponding domain and can be read out there.

A cookie with a personally identifiable value is personally identifiable and is therefore, for this reason alone, to be regarded as personal data.

My conclusion on cookies.

For two of the three cookie types described above, whether cookies are actually read out is in itself of little importance when clarifying whether data processing takes place. Data collection already occurs once the data is (objectively) known, provided this collection took place on the basis of an offer, and a website always constitutes an offer. With third-party cookies, at least one implicit data processing always takes place. The same applies to first-party cookies of the visited website itself, which are transmitted whenever files are requested. The personal reference already exists solely because of the communication channel, in addition to other reasons.

With cookies such as those of Google Analytics this is quite clear. Their values are explicitly read out by JavaScript logic in order to be sent to a Google server, which, incidentally, is always located in the USA.

Now to the question of what happens with cookies that have no personal characteristics in their value. Are cookies, as data containers stored on a person's device, nevertheless person-related?

First, it is technically established that cookies have a personal reference: they are managed on the end device of a user, that is, of a person.

Since concrete cookies are always assigned to a person through their end device, I consider them personal data as well. In my opinion, this spirit is also taken up by the ePrivacy Directive, which has finally been explicitly implemented in Germany since December 2021 in § 25 TTDSG. In my opinion this holds even though the ePrivacy Directive puts the protection of the end device in the foreground.

The same applies to "traffic data" (metadata), which can be traced back to a person with over 90% probability. See the references at the end of this article.

Example of (technical) traffic data (metadata, telemetry data) that is available with every cookie retrieval (image was automatically translated).

Traffic data is understood here in the technical sense. There is probably also a legal meaning of the term, which I am not taking up here!

By traffic data I mean here the digital fingerprint of a user who uses a browser. This includes screen resolution, operating system version, time zone and other data, and even the IP address. With the IP address, the probability of inferring an individual is much higher. Even without this network address, assigning arbitrary traffic data to a person succeeds with a probability of over 90%.

It was not for nothing that the ECJ ruled in its judgment on IP addresses (Breyer, C-582/14) that even dynamic IP addresses are personal data. Dynamic addresses can change daily or even more frequently (keyword: reconnect).

Whenever cookies are read by a server, the user's IP address is inevitably present as well, because reading happens over a network request. Thus cookies, even if they were not personally identifiable on their own (which, in my description and opinion, they are), are always connected to the personal datum of the network address. Even if the network address is subsequently anonymized, it was necessarily collected beforehand, which is a processing operation. This is also the reason why, under Art. 12 and 13 GDPR, every website must provide data protection information (unless the website is empty, i.e. presents no offer). Anonymization as a processing operation should be permissible, but it is not as easy to justify as one might spontaneously assume.

Cookies and a person's network address, which the highest court has found to be personal data, can only ever be accessed together. For this reason alone, cookies appear to be person-related.

Logical consequence of a technical situation

Conclusion

After all this, I come to the following conclusion: cookies, in their function as data storage that is always located on a person's end device, are in themselves personally identifiable and therefore personal data, because access to cookies can only take place in connection with the personal network address.

Facts of the case                                      Argument for personal reference
Personally identifiable cookie value                   Personal reference of the cookie value itself
Storage location of all cookies                        The user's end device can be assigned to a person via location/GPS signal, identifiers (advertising ID etc.), network address, etc.
Network address is always available with cookies       The network address carries a personal reference
Analogy of cookies to traffic data and IP addresses    Traffic data is personally identifiable; IP addresses are even personal data (ECJ)

Possible arguments for the personal reference of cookies

Where cookies are personally identifiable through their values, the question of personal reference does not arise any further.

The fact that cookies are stored on a user's device, which is assigned to a person, also shows the personal reference of cookies.

The fact that the network address, which is potentially always personally identifiable, is accessible as well whenever a cookie is set or read out further shows the personal reference of cookies.

The fact that the ePrivacy Directive makes cookies subject to consent regardless of their value (cf. also the ECJ ruling on Planet49) could be an indicator of the personal reference of cookies. It was, however, pointed out to me that the ePrivacy Directive primarily has the protection of the user's end device in mind. A user's end device is obviously person-related because it can be assigned to the person who owns it. The ePrivacy Directive protects privacy in particular, and privacy is directly related to relatability to a person, I think. This is also clearly stated in recital 24 of the directive. Recital 25, however, also refers to the use of an end device by several users.

Even knowledge about a user's traffic data without knowledge of their IP address is sufficient to pinpoint an individual with over 90% probability.

Similarly, the ECJ's ruling that even dynamic IP addresses are personal data is an indicator of the personal reference of cookies, because the ruling sets the threshold for personal reference very low. After all, identifying a person from an IP address alone almost never succeeds in practice; according to the ECJ, however, that plays no role. The BGH has also recently clarified (judgment of 15.06.2021, Az. VI ZR 576/19) that the term "personal data" is to be "understood broadly". The BGH writes that the term personal data "... includes all types of information, both objective and subjective in nature, in the form of statements or assessments, provided that it concerns the person in question. The latter condition is met if the information is linked to a specific person by reason of its content, purpose or effect ...".

Cookies are personal data.

My conclusion, which I would like to put up for discussion.

I therefore conclude that cookies are always to be regarded as personal data. Of course, I am open to counter-arguments and willing to revise my opinion or correct parts of it if there are objective reasons for doing so.

The following applied before the TTDSG came into force: on the basis of what has been said alone, German supervisory authorities could also have imposed fines under § 15 (1) TMG for the unauthorized use of cookies and, if necessary, had this clarified in court.

Unfortunately, German authorities are apparently not prepared to do this on a broad basis. Why do you think that is? It can no longer be due to the complexity of the issue. Much should now finally be known and clarified or, if necessary, be clarified by a court.

Fingerprinting references

Fingerprinting is a way of inferring the user from the traffic data of the user's system, and thus of distinguishing this user quite clearly from other users. With fingerprinting, no actual personal data even needs to be present. Rather, the sum of the known features of a user's system allows a very good inference about an individual. Thus the (digital) fingerprint of a user is personally identifiable, i.e. personal data.
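The following Python code is an added example, not part of the article or its sources, and the six browser records in it are constructed rather than measured, so the percentages it yields illustrate the mechanism, not the 90% figure quoted above. It computes a fingerprint hash over the kind of traffic data named above (user agent, screen size, time zone, language), counts how many users in the population share each hash (the "anonymity set"), and reports the share of users who are singled out, once without and once with the IP address. The attribute names and values are assumptions made for the illustration; the IP addresses come from documentation ranges.

```python
"""Added example: how traffic data singles out a browser user.

Not code from the article or its sources. POPULATION is a constructed set of
six browser records; the attribute names and values are assumptions made for
the illustration (IP addresses are from documentation ranges).
"""
from __future__ import annotations
import hashlib
import math
from collections import Counter

DEVICE_KEYS = ("user_agent", "screen", "timezone", "language")   # no IP address
ALL_KEYS = DEVICE_KEYS + ("ip",)

POPULATION = [
    # u1 and u2: identical devices behind different addresses
    {"id": "u1", "user_agent": "Firefox/115 Linux", "screen": "1920x1080",
     "timezone": "Europe/Berlin", "language": "de-DE", "ip": "203.0.113.10"},
    {"id": "u2", "user_agent": "Firefox/115 Linux", "screen": "1920x1080",
     "timezone": "Europe/Berlin", "language": "de-DE", "ip": "203.0.113.11"},
    {"id": "u3", "user_agent": "Chrome/120 Windows", "screen": "2560x1440",
     "timezone": "Europe/Berlin", "language": "de-DE", "ip": "198.51.100.7"},
    {"id": "u4", "user_agent": "Chrome/120 Windows", "screen": "1366x768",
     "timezone": "Europe/Berlin", "language": "de-DE,en", "ip": "198.51.100.8"},
    {"id": "u5", "user_agent": "Safari/17 macOS", "screen": "2880x1800",
     "timezone": "Europe/Vienna", "language": "de-AT", "ip": "192.0.2.5"},
    # u6 shares u1's address (e.g. carrier-grade NAT) but is a different device
    {"id": "u6", "user_agent": "Chrome/120 Android", "screen": "1080x2400",
     "timezone": "Europe/Berlin", "language": "tr-TR", "ip": "203.0.113.10"},
]


def fingerprint(record: dict, keys: tuple[str, ...]) -> str:
    """Stable hash over the chosen attributes, as a fingerprinting script computes it.
    No cookie is set and nothing is stored on the device: the hash is recomputed
    on every visit and stays the same as long as the attributes do."""
    material = "|".join(f"{k}={record[k]}" for k in keys)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def anonymity_sets(population: list[dict], keys: tuple[str, ...]) -> Counter:
    """How many users in the population share each fingerprint."""
    return Counter(fingerprint(r, keys) for r in population)


def identifiable_fraction(population: list[dict], keys: tuple[str, ...]) -> float:
    """Share of users whose fingerprint is unique, i.e. who are singled out."""
    sets = anonymity_sets(population, keys)
    singled_out = sum(1 for r in population if sets[fingerprint(r, keys)] == 1)
    return singled_out / len(population)


def surprisal_bits(record: dict, population: list[dict], keys: tuple[str, ...]) -> float:
    """Identifying information in one record, in bits: -log2(share of users with
    this fingerprint). log2(len(population)) bits means the record is unique."""
    sets = anonymity_sets(population, keys)
    return -math.log2(sets[fingerprint(record, keys)] / len(population))


def same_user(a: dict, b: dict, keys: tuple[str, ...]) -> bool:
    """What a tracker concludes when two visits carry the same fingerprint."""
    return fingerprint(a, keys) == fingerprint(b, keys)


if __name__ == "__main__":
    for label, keys in (("device data only", DEVICE_KEYS),
                        ("IP address only", ("ip",)),
                        ("device data + IP", ALL_KEYS)):
        print(f"{label:18}: {identifiable_fraction(POPULATION, keys):.0%} of users singled out")
    for r in POPULATION:
        bits = surprisal_bits(r, POPULATION, DEVICE_KEYS)
        print(r["id"], fingerprint(r, DEVICE_KEYS), f"{bits:.2f} bits")
```

In this constructed population the device data alone single out four of six users (u1 and u2 are indistinguishable), the IP address alone also singles out four of six (u1 and u6 sit behind the same address), and the combination singles out everyone. Two things follow for the argument above: the fingerprint recognises a returning user without any cookie and without any storage on the device, and the network address that accompanies every cookie access is exactly the attribute that resolves the remaining collisions.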

Compare the following sources:

Key messages

Cookies can be considered personal data because they store information about a user's browsing activity, which can be used to identify them.

Cookies are datasets that can be linked to a person and therefore are likely considered personal data.

Cookies are personal data because they are always linked to a user's unique network address, which can be used to identify them.

Cookies and fingerprinting techniques can be used to identify individuals online, making them a form of personal data.

Your web browser leaves a unique digital fingerprint that can be used to identify you online, even if you use privacy settings.

About

About the author on dr-dsgvo.de
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
