User tracking and cookies continue to be subject to considerable dynamics with regard to legal regulation. Most recently, the ECJ and BGH rulings on “Planet49” and the ECJ ruling on “Schrems II” have created considerable legal uncertainty for the use of marketing technology. The Telecommunications Telemedia Data Protection Act (TTDSG), which will come into force in Germany on December 1, 2021, and current EU legislative projects such as the Digital Services Act are creating additional requirements. In this environment, the legally compliant use of online marketing technology requires not only a detailed legal analysis, but also technical support from specialized (compliance) tools.
Current developments in both case law and legislation not only mean a continuing tightening of legal requirements; they also bring a considerable degree of legal uncertainty to online marketing and e-commerce. This entails enormous and constant compliance costs for the underlying business models.
The end of the opt-out
In future, the storage of or access to information in the user’s terminal device via cookies or alternative technologies such as fingerprints, tags or pixels will require the user’s consent (opt-in consent). The use of such technologies without consent is then only permitted if the storage or access is absolutely necessary for the provision of the service – this is regularly not the case for advertising and marketing cookies.
Schrems II: The digital iron curtain
The ECJ’s Schrems II ruling is also a huge challenge for many adtech and martech setups: companies must ensure that data is adequately protected outside the EU – whether secured by an EU adequacy decision or corresponding bilateral agreements, or by standard contractual clauses – and in the case of the particularly important transfer to the US, it is a technical and legal challenge in typical online marketing scenarios to comply with the legal requirements.
“With the TTDSG, the German special path in matters of cookies is now finally coming to an end. For companies, implementing the data protection requirements remains a challenge, and the larger and more international the tech stack of a website, the more difficult it is to implement all the data protection requirements,” says Stephan Zimprich, partner at the international law firm Fieldfisher, summarizing the developments. “Today, legally compliant implementation requires both: specialized legal advice as well as support from compliance tech – and only if the two go hand in hand can the end result be a solution that can stand up to the critical eyes of the supervisory authorities.”
Klaus Müller, co-CEO of Vienna-based tracking technology provider JENTIS, explains, ” Data regulation is currently the strongest source of uncertainty in the digital economy, and it is not easy for companies to keep up with compliance. The good news is that technology made in Europe can once again help to adequately meet the high demands of data protection made in Europe. Tracking is more than ever a central component of digital functional logics and mechanisms and indispensable for a high-quality user experience. Companies must now take care to intelligently address the technical as well as data protection challenges associated with the new regulatory framework in order to continue to operate a globally competitive business on a privacy-compliant basis.”
Fieldfisher is a dynamically growing international business law firm with around 1000 lawyers in Belgium, China, France, Germany, Ireland, Italy, Luxembourg, Spain, UK and USA – Silicon Valley. The firm has a particular focus on Finance, Tech, Energy & Natural Resources and Life Sciences. The firm also advises companies in all sectors of the economy, from start-ups to leading global corporations, as well as the public sector.