Unfortunately in Germany that’s not true. Putting anything in someone’s computer without their approval is now considered illegal. Therefore even if you’re just using Matomo stats or anything that isn’t tracking and just functional you need to ask for permission.
That is idiotic and doesn’t solve the issue at hand at all
That is a common misconception in the industry here in Germany but that doesn't make it true. I was often told to add a Cookie Consent banner even for sites that don't use any Cookies at all. Fact is, you don't need a Cookie Consent banner for functional cookies.
The issue with Matomo is that even though nicer than Google Analytics it is optional for the working of the website, so it should only activate if the user consents.
There is some serious cargo culting regarding these kinds of laws going on. I remember back in the day that you would add "I don't take responsibility for the external links" kind of disclaimers on every website. Or everyone thinking they need an Impressum (legal info/contact info) page on their website because it is required by law. (No, only for commercial sites, which is reasonable.)
I largely agree. An Impressum/Imprint is however not only needed for explicitly commercial sites, but also for sites that are not purely personal. E.g. just earning some cents with an ad banner on your personal site means you need an imprint. There have been lots of lawsuits, it's really ugly, and I totally can understand that people want to be on the safe side.
Yeah, it's still good style to always provide an Imprint.
I just listed it as an example where people don't understand the nuance around an issue. "You better provide some Imprint if you are in doubt" becomes "You are required by law to always have an Imprint"
> This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
English version of the response from the EU court:
TTDSG is finally a correct implementation of the 2005 ePrivacy directive. § 25 TTDSG literally just rephrases the exact ePrivacy requirements. The pendant to the above quote is § 25 Abs 2 Nr 1:
> Consent under paragraph 1 is not required if the sole purpose [of the storage or access] is to carry out the transmission of a message over a public telecommunications network, or if [it] is strictly necessary so that the provider of a telemedia service can provide a telemedia service explicitly requested by the user.
Agreed that doesn’t make a lot of sense. You need to “put” html, css, images in the visitor’s computer just as much as you do a session cookie. How is one allowed and not the other?
"The storage of information in the end-user's terminal equipment or the access to information already stored in the terminal equipment shall only be allowed if the end-user has consented on the basis of clear and comprehensive information. The information to the end-user and the consent shall be provided in accordance with Regulation (EU) 2016/679."
There is like 15 years of official guidance and case law on ePrivacy, with relevant guidance from the Art 29 Working Party (precursor to the current EDPB) published around 2014. But I don't think regulators are in a hurry to get into arguments about the finer points when the ePrivacy Regulation could be passed any year now, which would allow a more nuanced approach to cookies (e.g. allowing legitimate interest instead of consent).
Why do you think this would result in a different outcome in Germany?
The language of the new law in Germany is virtually identical to the language of the EU directive.
So why would it be different in Germany versus other countries in the EU that also have to implement the directive?
Following the German debate, the courts' and watchdogs' interpretation of the law is that strictly necessary means that the functionality is not possible without cookies or other technology, and the consent has to be of the same quality as per GDPR.
Privacy law in Germany is usually stricter than in other EU countries even if the text is identical.
> It’s possible to disable tracking cookies in Matomo by adding a line on the javascript code. When cookies are disabled, Matomo data will become slightly less accurate
So it seems there are no "functional cookies" in Matomo, and so all cookies from Matomo without a consent popup are not in compliance. You can disable all Matomo cookies and allow for compliance:
> By disabling tracking cookies, you may also use Matomo without needing to display a cookie consent screen.
"Therefore even if you’re just using Matomo stats"
That's not functional though, is it?
I understand entirely the desire to use such a thing, to understand how your site is being used, but it's not functional in a "delivering service to the end user" way.
(Personally I like the way it sounds, analytics without signing over the world to Google, but it's still not functional)
False, since the BGH ruling in the "Planet49" case (judgment dated May 28, 2020 - I ZR 7/16), the following applies: Cookies and comparable technologies may only be used with consent in Germany as well, regardless of the processing of personal data. This is only different if the cookies are "absolutely necessary" for the technical provision of the respective service or they serve solely to transmit a message via a public telecommunications network.
So technically necessary cookies still don't need consent.
That sounds nonsensical, when people visit your website they run your code using their CPUs and electricity. You also get their attention and may even influence their heart rates and breathing patterns.
I wish it was, but no, selling a computer system with Windows installed is consensual, either by explicit customer request or by the customer agreeing to a sale offer as advertised.
No one gets tricked into approval (here: buying) because every customer is able to request a different or no OS, or to reject an immutable sale offer; except if you think that not knowing what an operating system is and what it implies constitutes a trick, but that does not meet the legal definition.