OLG Frankfurt am Main - 6 U 192/23

From GDPRhub
Revision as of 15:33, 8 August 2024 by Wp (talk | contribs) (fixed category)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
OLG Frankfurt am Main - 6 U 192/23
Courts logo1.png
Court: OLG Frankfurt (Germany)
Jurisdiction: Germany
Relevant Law:
§2 TTDSG
§25 TTDSG
Decided: 27.06.2024
Published: 05.08.2024
Parties: Microsoft Corporation
National Case Number/Name: 6 U 192/23
European Case Law Identifier:
Appeal from: LG Frankfurt (Germany)
2-02 O 217/22
Appeal to:
Original Language(s): German
Original Source: Bürgerservice Hessenrecht (in German)
Initial Contributor: ec

A court ordered Microsoft to refrain from placing and storing cookies on the data subject's devices without consent, even if this requires Microsoft to stop placing tracking cookies at all.

English Summary

Facts

The controller, Microsoft Corporation, provides the service “Microsoft advertising” which enables website operations to place adverts in the search results of the "Microsoft Search Network". It can also collect information about the visitors to a website and to place targeted adverts for these visitors via cookies.

The data subject visited third-party websites. She claims that the controller’s cookies were placed on her device without her consent. A forensic analysis of the recorded network traffic revealed that cookies from the controller had been placed on the data subject’s device without their consent.

The data subjected sought injunctive relief at the Regional Court of Frankfurt am Main (“Landgericht Frankfurt am Main”) and requested the court to order the controller to refrain from using cookies on her end devices without her consent.

The court refused to issue an interim injunction and dismissed the case. The court stated that grounds for an injunction were lacking and that the data subject did not demonstrate that they would otherwise suffer considerable disadvantages and that they cannot reasonably be expected to wait for the main proceedings. The court held that the data subject had the option to block the storage or reading of cookies via the internet browser settings, while the controller would have to change its complete processing, costing enormous effort in terms of time and money. Thus, the balance of interests is therefore in favour of the controller.

The data subject appealed this decision at the higher regional court of Frankfurt (“Oberlandesgericht Frankfurt am Main”), arguing that the balance of interests is in their favour as there can be no right to exercise an unlawful business model. Moreover, the data subject had to live with the uncertainty of the whereabouts of its data, the associated loss of control and the fear of disclosure to unauthorised third parties. The data subject requested the court to amend the first judgement, to grant the injunctive relief and to refrain the controller from using cooking and similar technologies on the data subject’s devices without their consent.

Holding

Claim for injunctive relief

The court held that the German national implementation of the e-Privacy Directive (“Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz – TTDSG” does not exclude a claim for injunctive relief under civil law.

Obtaining consent

The court held that under §25 TTDSG, the controller must ensure that the consent of the end user is transmitted to it by the website operator before it stores its cookies on the end user’s device. By failing to obtain consent, the controller violated §25 TTDSG.

The court dismissed the controller’s argument that the data subject could possibly have given her consent during an earlier visit. The court held that the controller had the burden of proof to provide evidence of prior consent. The fact that the controller could not provide this evidence, as it outsourced the obtaining of consent to third parties (the website operators) could not change its burden of proof.

The court found it irrelevant whether ensuring that consent is obtained is possible for the controller through appropriate technical precautions. The court held that it could not understand why it should not be possible for the controller to store its cookies on the end devices of users only after it has received their consent. The court further held that even if such technical precautions do not exist, this does not affect the requirements of §25 TTDSG.

Liability

The court further dismissed the controller’s argument that it is not liable under §25 TTDSG for placing cookies without the consent of the end user, but the website operators. The court held that the fact that the website operators are responsible for obtaining consent according to their general terms and conditions does not exonerate the controller form liability. Liability is not limited to only the website operators, but also those who stores or accesses the cookies, such as the controller. The court held that the controller was also a provider under the meaning of §2 TTDSG, as it contributes to the provision of the website operator's telemedia by setting the cookies. According to this provision, a "provider of telemedia" is any natural or legal person who provides their own or third-party telemedia, contributes to the provision of telemedia or provides access to the use of their own or third-party telemedia.

Balancing of interests

The court did not agree with the first instance court that the injunction would lead to an unduly heavy burden for the controller. The court did take into account that the data subject cannot be recognised on the Internet when visiting pages, and therefore, the injunction cannot only be limited to the data subject, but rather has an overarching effect and requires a universal solution. However, the court held that the fact that the effect of the injunction extends beyond the devices of the data subject does not call into question the grounds for an injunction, but is the consequence of how the controller organised its business model.

As the data subject had also argued, the court held that there are technically easy-to-implement solutions that enable consent to be transmitted to the website setting the cookie. If the controller cannot convince its customers of implementing these solutions, and thus being legally compliant, this should not negatively impact the data subject. Furthermore, the violations of the data subject’s rights were also intensifying daily, as the storage period of the cookie was 13 months and the storage of further user behaviour on other visited websites was possible.

Conclusion

Thus, the court ordered the controller to refrain from placing and storing cookies on the data subject's end devices without consent. If the controller violates the injunctive order, the controller could be fined up to €250,000 for each violation.

Comment

The decision of the Higher Regional Court of Frankfurt seems to be in line with a recent Dutch court decision that prohibited Microsoft, LinkedIn and Xandr from placing tracking cookies without user consent and imposed a penalty of €1,000 per company for every day of non compliance with the decision (see Rb. Amsterdam - C/13/747731).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Provider of business software is liable for cookie storage without consent on third-party websites

Guideline

If end users do not consent to the storage of cookies on their devices by the website operators who use cookies, the provider is liable for the violation of law committed with its business software. It does not relieve the provider of liability that, according to its general terms and conditions, the website operators are responsible for obtaining consent.

Note

The decision is not contestable.

There is a press release on this decision on the OLG website (www.olg-frankfurt.justiz.hessen.de).

Hide course of proceedings
previous LG Frankfurt am Main, November 3, 2023, 2-02 O 217/22, judgment
Tenor

1. On appeal by the plaintiff, the judgment of the Frankfurt am Main Regional Court (2-02 O 217/22) announced on November 3, 2023 is amended to the effect that the interim injunction of the Regional Court of September 16, 2022 is confirmed in the sense of a new order with the following tenor:

The defendant is sentenced, amending the contested judgment of the Frankfurt am Main Regional Court of November 3, 2023, file number 2-02 O 217/22, to avoid a fine of up to EUR 250,000.00 to be set by the court for each case of infringement and, in the event that this cannot be collected, can, a term of imprisonment or a term of imprisonment of up to six months, to be carried out on their legal representatives, to refrain from

using cookies and similar technologies on their end devices, such as PCs, tablets, laptops or telephones, without the informed consent of the plaintiff, in particular storing identifiers on their end devices or reading them from these end devices in order to track the plaintiff's behavior on the Internet for advertising purposes or to have them tracked,

if this happens as stated in Appendix ASt 2 on pages 28 to 38.

2. The costs of the injunction proceedings shall be borne by the respondent.

Reasons

I.

The parties are arguing within the framework of interim legal protection about the admissibility of the defendant storing and reading cookies for advertising purposes on or from the plaintiff's end devices without their consent.

The defendant is based in Land1 and is a subsidiary of A Corporation (hereinafter "A"). It provides enterprise software and related services to enterprise customers in the EU, including advertising and analytics services, including "A Advertising", which was sold as "Search Engine1 Ads" until 2019.

A Advertising enables website operators to place ads in the search results of the "A Search Network" (including Search Engine1, Search Engine2 and Search Engine3) and to measure the success of their advertising campaigns. For example, if a website operator offers products for sale on its own website, it can use A Advertising to collect information about visitors to its website, create interest groups consisting of several visitors who have exhibited similar behavior on its website, and to show visitors from these interest groups ads for their products on Search Engine1 or on other partner websites. Website operators can also display targeted ads to visitors who have visited a specific product page.

According to its privacy policy (Appendix Ast 1), the defendant uses cookies and similar technologies to store and maintain customer preferences and settings. Cookies are then also used to record online activity data and to identify users' interests so that advertising that is relevant to the user can be displayed. The defendant provides the third-party websites that use A Advertising with a "code" that the website operators can incorporate into their own website codes (i.e. their website programming). This code can be integrated into various applications (e.g. websites, online services and apps - hereinafter limited to websites by way of example).

When the website is accessed and the code is executed, depending on the specific implementation by the third-party provider, a cookie is set by the defendant or, if the cookie has already been set, its value is read. A web server therefore only sets or reads a cookie on a specific end device if the website that the end device is accessing is also programmed accordingly. Depending on the specific implementation of the code, the third-party website sends a signal to the defendant's web server and requests that a cookie be set or read. The cookies in question are only set if the third-party website sends a corresponding signal.

The websites cited and visited by the plaintiff, which are not operated by the defendant, use A Advertising on the basis of a contractual relationship with the defendant. The operators are independent companies not affiliated with the defendant. The defendant has no influence on the programming of these websites and also no access to their servers. The setting of cookies is initiated exclusively by the operators of the websites through the appropriate programming of the site, who should accordingly also ensure that any consent that may be required is obtained. The defendant contractually obliges the operators of the websites to ensure that the necessary consent is obtained.

The plaintiff claimed to have visited the websites www.(...).com, www.(...).com and www.(...).com on August 24, 2022. A forensic analysis of the recorded network traffic (Appendix ASt 2) revealed that cookies belonging to the defendant had been placed on the plaintiff's device without the plaintiff's consent.

The regional court initially prohibited the defendant by order of September 16, 2022 by way of an interim injunction from using cookies and similar technologies on the applicant's terminal equipment such as a PC, tablet, laptop or telephone without the applicant's informed consent, in particular from storing identifiers on their terminal equipment or reading them from these terminal equipment in order to track or have the applicant's behavior tracked on the Internet for advertising purposes, as happened when the following websites were accessed: (…).com (…).com (…).com (…).com.

By judgment of November 3, 2023 - to which reference is made in accordance with Section 540 I of the Code of Civil Procedure with regard to the factual findings - the regional court lifted the interim injunction and rejected the application for its issuance.

In its justification, the regional court stated that the grounds for issuing the requested interim injunction were missing. Since this was essentially an order for performance, strict standards had to be applied to the anticipation of the main proceedings. The necessary explanation that the plaintiff urgently needed such immediate performance and would otherwise suffer such significant disadvantages that it would be unreasonable for her to wait for the main proceedings was missing. For the defendant, performance was only possible by extensively changing its processes for setting and reading cookies on end users' devices. This was because it was not possible for the defendant to change the processes only for the plaintiff's devices, since it would no longer be able to identify the plaintiff in network traffic over the Internet without the use of cookies. This complete change of processes would only be possible for the defendant with enormous expenditure in terms of time and money. On the plaintiff's side, however, there is the possibility of blocking the storage or reading of cookies in the internet browser when using the internet. Overall, the balance of interests is therefore to the plaintiff's detriment.

The plaintiff's appeal is directed against this, with which she is pursuing her first-instance application goal. Contrary to the defendant's opinion, there is a reason for the injunction. The title sought is an injunction, which is not a case of a performance order. The fact that this can also trigger obligations to act does not contradict this. The principle of effectiveness under EU law is also missed. In any case, the balance of interests is in the plaintiff's favor, since there can be no right to exercise an illegal business model. In addition, the plaintiff must live with the uncertainty of the whereabouts of her data, the associated loss of control and the fear of it being passed on to unauthorized third parties.

It should also be added that the defendant has changed its processes so that the websites in question can no longer use the plaintiff's cookies.

The plaintiff requests:

The defendant is sentenced, amending the contested judgment of the Frankfurt am Main Regional Court of November 3, 2023, file number 2-02 O 217/22, to refrain from using cookies and similar technologies on the plaintiff's end devices, such as PCs, tablets, laptops or telephones, without the plaintiff's informed consent, in order to avoid a fine of up to EUR 250,000.00 to be set by the court for each case of infringement and, if this cannot be collected, a term of imprisonment or a term of imprisonment of up to six months, to be carried out on its legal representatives,

in particular from storing identifiers on their end devices or reading them from these end devices in order to track or have tracked the plaintiff's behavior on the Internet for advertising purposes,

if this happens, as stated in Appendix ASt 2 on pages 28 to 38.

The defendant requests that

the appeal be dismissed.

It defends the first instance judgment and also sees no claim to an injunction.

II.

The admissible appeal by the plaintiff is successful in the matter. The plaintiff has made credible both the existence of a claim to an injunction and a reason for an injunction.

1. Contrary to the defendant's opinion, the application is sufficiently specific in accordance with Section 253 of the Code of Civil Procedure.

a) According to Section 253 (2) No. 2 of the Code of Civil Procedure, an application for an injunction must not be formulated in such an unclear manner that the subject matter of the dispute and the scope of the court's authority to examine and decide (Section 308 (1) of the Code of Civil Procedure) are not clearly delimited, the opponent is therefore unable to defend himself exhaustively and the decision as to what the defendant is prohibited from doing is ultimately left to the enforcement court (BGH GRUR 2022, 1308 para. 26 - YouTube II; BGH, judgment of September 9, 2021 - I ZR 90/20 -, BGHZ 231, 38-87 and juris para. 19 with further references). Sufficient certainty is usually given if a reference is made to the specific infringement or the specific form of infringement being challenged is the subject of the application and the application for the action makes it clear, at least by using the statement of claim, which characteristics of the challenged conduct are the basis and the starting point for the infringement and thus the injunction (BGH GRUR 2022, 1308 para. 26 - YouTube II).

b) There are no concerns here with regard to certainty. Insofar as the defendant criticizes the terms "tracking on the Internet" and "similar technologies", the Senate has no concerns. "Tracking on the Internet" can be interpreted without any problems to mean (re-)identification of the user. The term "similar technologies" is mentioned in connection with the exemplary mention of cookies and therefore shows sufficient certainty.

2. The regional court rightly assumed that there was a claim for an injunction under Section 823 II, 1004 BGB in conjunction with Section 25 TTDSG/TDDDG (hereinafter referred to as TTDSG).

a) Section 25 TTDSG is a protective standard within the meaning of Section 823 II BGB.

According to Sections 823 Paragraph 2 Sentence 1, 1004 BGB, anyone who violates a law intended to protect another is obliged to refrain from doing so, whereby the risk of repetition required for the future-oriented claim for an injunction is indicated by the violation that has occurred once. Protection law within the meaning of Section 823 (2) BGB is a legal norm which, not by its effect but solely by its purpose and content, is intended to at least also serve to protect individuals or groups of people against the violation of a specific legal interest (established case law: BGH NJW 2022, 3156 Rn. 9 m.w.N.).

According to Sections 25 (1), 2 (1) TTDSG, 1 TMG, any provider of electronic information and communication services in Germany is prohibited from storing information in an end user's terminal equipment or from accessing this information unless the end user has consented on the basis of clear and comprehensive information. The provision represents the implementation of Article 2 (5) of Directive 2009/136/EC, the so-called Cookie Directive. According to Recital 66 of the Directive, the storage of information on a user's terminal equipment can range from legitimate reasons, such as some types of cookies, to unauthorised intrusion into privacy. It is therefore of the utmost importance that users are provided with clear and understandable information when they carry out any activity that could lead to such storage. The provision of Section 25 Paragraph 1 TTDSG therefore serves its purpose, according to its wording, not only "at least also", but exclusively to protect the privacy of the end user and ultimately the fundamental right to informational self-determination.

b) Contrary to the opinion of the defendant, the TTDSG does not exclude a claim for injunctive relief under civil law. The fact that Part 4 of the TTDSG only sanctions violations with criminal and fine provisions and only regulates the responsibilities and powers of the Federal Data Protection Commissioner and the Federal Network Agency does not exclude claims and legal remedies under private law. The Cookie Directive requires effective, proportionate and dissuasive sanctions, including criminal sanctions, for its implementation. It also requires that the competent national authorities and other national bodies be given sufficient powers to punish violations. However, this does not exclude other judicial remedies.

To the extent that the defendant assumes a blocking effect of Art. 79 GDPR, it is irrelevant whether this even exists. In any case, the majority opinion allows a claim for injunctive relief under Section 1004 of the German Civil Code (BGB) in this respect (cf. the evidence in Kühling/Buchner/Bergt, 4th edition 2024, GDPR Art. 79, marginal no. 1). A comprehensive blocking effect for all data protection issues cannot be deduced from this. Art. 95 GDPR ensures a strict separation between the ePrivacy Directive and the GDPR, since in principle no additional data protection obligations spill over into the TTDSG. And in the opposite direction, Section 25 Paragraph 1 Sentence 2 TTDSG refers exclusively to the consent regime under data protection law, without, for example, adopting role models under data protection law (Gierschmann/Baumgartner/Hanloser, 1st ed. 2023, TTDSG Section 25 Rn. 37)

c) The plaintiff has made it credible through her affidavit that she made the page views from within the scope of the TTDSG.

In Section 1 III, the TTDSG alternatively refers to the existence of a branch, the provision or participation in the provision of services or the provision of goods on the market within the scope of the TTDSG. At the same time, the provision of paragraph 3 sentence 2, according to which Section 3 of the Telemedia Act remains unaffected, expresses the priority of the country of origin principle sought by the legislator (cf. BT-Drs. 19/27441, 34). The significance of the provisions of paragraph 3 sentence 1 must be viewed in this light.

According to the explanatory memorandum to the law, the second and third alternatives of the provision are intended to ensure the application of the market place principle based on the GDPR (BT-Drs. 19/27441, 34). This applies - as the legislator rightly points out - to the processing of personal data anyway; however, since the TTDSG does not exclusively contain regulations on the processing of personal data, the market place principle should also apply in other respects. It is undisputed that the defendant offers services on the German market.

However, the validity of the TTDSG is limited by the territoriality principle.

It is irrelevant what effect this would have had if the defendant had not been able to determine whether the page was being accessed from Germany when the plaintiff accessed the page, for example due to the use of a VPN application with a foreign IP address.

The defendant was unable to make this credible. While the plaintiff is generally required to provide evidence and substantiate the factual requirements of Section 25 TTDSG, the defendant is to be regarded as having the burden of providing evidence and substantiating the exception that - despite the choice of German language - it was not possible for it to recognize that the user was from Germany due to a foreign IP address. To the extent that the plaintiff had a secondary burden of proof in this regard, it has complied with this. It has expressly stated that it did not use an IP address. Her attorney also stated that he was present at the plaintiff's apartment when the query was made and that he did not notice that the plaintiff was using VPN software. The plaintiff has thus met her secondary burden of proof, so that it is now up to the defendant to prove access via VPN software with a foreign IP address, which she has not succeeded in doing. Just to complete the picture, it should be mentioned that the expert commissioned by the plaintiff also observed a cookie being placed on the relevant pages without consent as part of his report. It is not apparent that he - too - used VPN software.

d) The defendant has violated Section 25 II TTDSG by placing cookies on the pages in question.

(1) The fact that the defendant's cookies were stored on the plaintiff's device when she visited several websites without her consent has been substantiated by the plaintiff, has not been effectively disputed by the defendant and therefore does not require any credible evidence.

The plaintiff has presented her private expert report detailing which websites she visited and that the defendant's cookies were subsequently stored on her computer without her having given her consent. In addition, she has used the private expert report to show how this can be determined and, in particular, how the process can be verified, what the private expert did and what the defendant can easily verify herself. The plaintiff's statement therefore concerns facts that can be the subject of the defendant's perception, so that the defendant would have to explain the applicant's statement completely and truthfully if it wanted to dispute the opposing statement (Section 138 of the Code of Civil Procedure), without needing the defendant's HAR file for this purpose.

To the extent that the defendant speculates that the plaintiff may have given consent during a previous visit, this argument is unsubstantiated. The defendant also has the burden of proof and credibility for prior consent. The fact that it is actually unable to do this because it has outsourced the obtaining of consent to third parties - the website operators - cannot change the duty of proof and credibility to the detriment of the plaintiff.

(2) Contrary to the defendant's opinion, it is also subject to Section 25 TTDSG. Liability is not limited to "providers", like other obligations of the TTDSG (e.g. Section 19); Section 25 TTDSG prohibits anyone from accessing networked end devices without the consent of the end user. The facts of the case are formulated purely behavior-related through the terms "storage" and "access". The addressee of the prohibition under Section 25 and at the same time the addressee of the consent in the cases of paragraph 1 or the person legally authorized to access in the cases of paragraph 2 is the actor who intends to carry out the specific storage or access action. This can be the provider of a telemedia service, but also other parties interested in access, regardless of their motives. The ban also and in particular addresses dangers such as smuggled-in spyware or viruses (Recital 66, sentence 1 of Directive (EC) 2009/136 (Cookie Directive)), which do not usually arise from telemedia offerings (Gierschmann/Baumgartner/Hanloser, 1st ed. 2023, TTDSG § 25 marginal no. 42; HK-TTDSG/Schneider, 1st ed. 2022, TTDSG § 25 marginal no. 17)

Furthermore, the defendant would also be regarded as a “provider” within the meaning of Section 2 No. 1 of the TTDSG. According to this, a "provider of telemedia" is any natural or legal person who provides their own or third-party telemedia, participates in the provision - whereby the term "contributor" is intended to cover all types of assistance (HK-TTDSG/Assion, 1st ed. 2022, TTDSG § 2 marginal no. 16-18) - or provides access to the use of their own or third-party telemedia. Paragraph 2 No. 1 is based on a functional understanding, which in practice leads to a very broad scope of application of the TTDSG (Gierschmann/Baumgartner/Baumgartner, 1st ed. 2023, TTDSG § 2 marginal no. 13), including, for example, the hosting provider. The defendant is therefore also to be regarded as a provider, since it participates in the provision of the site operators' telemedia by setting the cookies.

e) The defendant is also liable for this infringement as the perpetrator. The criteria for responsibility for the conduct of third parties are not important.

The question of whether someone has participated in a tortious act of a third party as a perpetrator, accomplice, instigator or accessory in a manner that gives rise to civil liability is assessed according to the legal principles developed in criminal law (cf. BGH GRUR 2011, 152, para. 30 - Kinderhochstühle im Internet I; GRUR 2011, 1018, para. 24 - Automobil-Onlinebörse; judgment of 18.06.2014, I ZR 242/12, para. 13 - Managing Director Liability). The perpetrator is the person who commits the infringement himself (§§ 25 I StGB, 830 I 1 BGB; BGH GRUR 2004, 860 - Internet auction I, with further references; GRUR 2007, 708 - Internet auction II; GRUR 2009, 597, Rn. 14 - Halzband; GRUR 2011, 152, 154, Rn. 30 - Children's high chairs on the Internet; judgment of 18.06.2014, I ZR 242/12, Rn.13 - Managing Director Liability), by realizing the objective elements of an infringement himself, adequately causally (BGH, judgment of 03.03.2016, I ZR 110/15, Rn. 32 - Manufacturer's recommended price on Amazon According to the plaintiff's statement, which was already undisputed in the first instance, it is the defendant who stores the information in the form of cookies on the users' end devices even without their consent, as soon as the corresponding request is triggered by the program code provided by it on the website visited by the user. In addition - which was also undisputed in the first instance - it accesses the stored information by having it made available by the operators of the websites after they have read the information about the user's further website visits on the end devices. The defendant cannot be heard to say that it cannot be causally attributed to the fact that website operators have arranged for cookies to be placed without the end user's consent, contrary to the defendant's general terms and conditions. The defendant has adequately and causally implemented the storage of cookies without the end user's consent.

There is also no lack of adequacy. The criterion of adequacy serves the purpose of excluding those causal processes that can no longer be reasonably attributed to the infringer in the context of determining the attributional connection. In tort law, there is an adequate connection between the contribution to the crime and the result of the crime if a fact is generally capable of bringing about a result and not only under particularly unusual, highly improbable circumstances that can be disregarded in the normal course of events. This may not be the case if the injured party or a third party intervenes in the course of events that caused the damage in a completely unusual and improper manner and creates a further cause that ultimately causes the damage. In determining adequacy, a subsequent prognosis must be used, which takes into account not only the circumstances known to the infringer but also all the circumstances that an optimal observer could recognize at the time the damaging event occurred (BGH, GRUR 2016, 961, para. 34 - manufacturer's recommended price on Amazon with further references). The fact that the setting of cookies without the consent of the end user on third-party websites is by no means a particularly strange, highly improbable circumstance that can be disregarded in the normal course of events is already evident from the fact that the defendant deals with this explicitly and in detail in its general terms and conditions.

However, the lack of consent of the end user, which is the basis for the violation of Section 25 Paragraph 1 TTDSG, is a negative element of the offense that is not realized through a positive action by the defendant, but solely through the fact that it itself fails to obtain consent and relies on the fact that the respective website operators have properly obtained this consent. If the conduct of which the infringer is accused consists in such an omission, the question to be asked within the framework of normative-causal attribution is whether a dutiful act would have prevented the infringement of the legal interest from occurring (cf. BGH, GRUR 2021, 1303, para. 27 - Die Filsbacher). This is the case here. This is because, according to the distribution of the burden of presentation and proof, which can be derived from the wording of Section 25 (1) TTDSG and is expressly regulated in Art. 7 (1) GDPR, the defendant must prove that the end user consented before the cookies were stored on his or her device. How the defendant wishes to provide this proof is initially its own business. In any case, however, the regulation on the distribution of the burden of presentation and proof means that it must ensure that the end user's consent is communicated to it by the website operator before it stores its cookies on the end user's device. By failing to act in accordance with its duty, it is adequately and causally committing a violation of Section 25 Paragraph 1 TTDSG.

Whether the defendant is able to act in accordance with its duty by taking appropriate technical precautions is irrelevant for the legal assessment of the present case. The defendant itself recognizes that the question of what is technically possible can only play a role in the context of liability for interference, which is not relevant here. Moreover, it is not clear why the defendant should not be able to save its cookies on users' devices until their consent has been sent to it. In addition, in Section 26 TTDSG the legislator assumes that consent management services are technically and legally possible. Even if such services do not yet exist, this does not affect the requirements of Section 25 Paragraph 1 TTDSG.

3. There is also no lack of a reason for the injunction. In particular, it is not contradicted by the fact that the implementation of the obligation to refrain from doing something involves considerable effort for the defendant.

a) The defendant rightly points out that, according to the consistent case law of the Federal Court of Justice, the obligation to refrain from an act which, as in the case in dispute, has created a continuing state of disruption is not limited to mere inaction. Rather, it also includes the taking of possible and reasonable actions to eliminate the source of the disturbance if this alone is sufficient to comply with the injunction (BGH, judgment of 14.03.2017 - VI ZR 721/15 - Verdeckte Generaleinwilligung, marginal no. 35 et seq., BGH judgment of 11 November 2014 - VI ZR 18/14, AfP 2015, 33 marginal no. 16 on the titled injunction; BGH, judgments of 22 October 1992 - IX ZR 36/92, BGHZ 120, 73, 76 et seq.; of 18 September 2014 - I ZR 76/13, GRUR 2015, 258 marginal no. 64; decision of 25 January 2007 - I ZB 58/06, NJW-RR 2007, 863, para. 17, each with further references). However, in expedited proceedings - due to the prohibition of anticipating the main proceedings - mitigated obligations apply (BGH GRUR 2020, 548, para. 19 - Dietary tinnitus treatment).

b) However, this does not make the interim injunction a performance order in the classic style.

The performance order does not secure the claim or regulate a situation, but rather leads to final satisfaction. Since it therefore leads to a comprehensive anticipation of the main issue, the performance order is only permissible under strict conditions.

The injunction differs from the classic performance order in two respects. It does not lead to a final anticipation of the main issue, but only for the period in which the order is effective, since the injunction claim arises "anew" every day. In contrast, the classic performance order leads to final and complete fulfillment (e.g. payment, delivery, eviction).

On the other hand, the injunction creditor is threatened with a final and irrecoverable loss of rights for every day in which he cannot enforce his injunction claim. The injunction is therefore fundamentally not to be measured against the strict criteria of the performance order (not only in the area of industrial property rights, but also in the area of personal rights - which are similar to data protection (cf. Götting/Schertz/Seitz, Handbook of Personal Rights, 2nd edition 2019, § 50, marginal no. 3).

c) Furthermore, the Senate cannot see that an excessive burden would be imposed on the defendant.

The Senate does not fail to recognize that the plaintiff cannot be recognized on the Internet when visiting the pages and that, as a result, the injunction cannot only be implemented in a limited manner to the plaintiff, but also extends beyond it and requires a universal solution. The fact that the factual effect (universal) extends beyond the legal effect (legal relationship between the parties) does not, however, call into question the grounds for an injunction, but is the consequence of the danger that the defendant has caused by the design of its business model.

The plaintiff has undisputedly stated that there are technically easy-to-implement solutions that enable the consent to be transmitted to the cookie setter (TCF standard). If the defendant cannot, according to its own statements, convince its customers of the implementation of the TCF standard, i.e. of acting in accordance with the law, this cannot be taken into account to the detriment of the plaintiff.

The plaintiff's violation of the law is also becoming more intense every day, as the cookie is stored for 13 months and allows the storage of additional user behavior on other websites visited that have implemented the defendant's JavaScript in their source code.

4. The defendant was also not granted the right to submit written statements on the discussions in the oral hearing. Section 283 of the Code of Civil Procedure is not applicable in interim legal protection proceedings (Higher Regional Court of Munich WRP 71, 533; 79, 166; Higher Regional Court of Koblenz WRP 81, 115, 116; Zöller-Greger Rn 2).

Even if the opposite view were taken (see Musielak/Voit/Foerste, 21st edition 2024, Code of Civil Procedure Section 283 Rn. 1, 2; MüKoZPO/Prütting, 6th edition 2020, Code of Civil Procedure Section 283 Rn. 5-8), the requirements of Section 283 of the Code of Civil Procedure would not be met here. According to the wording, the first requirement for a court to set a deadline under Section 283 of the Code of Civil Procedure is that the "surprised" party was not informed of the opponent's submission in good time by means of a preparatory written submission before the hearing. There is agreement that "submissions" include new applications, new counter-statements to factual allegations and new factual allegations (MüKoZPO/Prütting, 6th edition 2020, Code of Civil Procedure Section 283, marginal no. 9). Whether legal arguments are also to be subsumed under this is disputed (cf. the evidence in MüKoZPO/Prütting, 6th edition 2020, Code of Civil Procedure Section 283, marginal no. 9).

In any case, in both cases the prerequisite is that the party cannot respond to a submission by the opponent or to a legal notice from the court under Section 139 of the Code of Civil Procedure. However, these requirements are not met here. The subject of the oral hearing was factual and legal aspects, all of which were part of the file and had been discussed in detail by the parties since the legal dispute was filed.

The only new thing for the defendant in the oral hearing was the court's preliminary legal opinion. However, this cannot be the subject of a written submission extension under Section 283 of the Code of Civil Procedure. It is not the purpose of the regulation to give a party a further opportunity to discuss the court's preliminary legal opinion - especially not in expedited proceedings.

The Senate discussed the matter extensively with the parties at the hearing and also gave them the opportunity to consult with their clients by interrupting the proceedings. The right to be heard is therefore guaranteed even according to the strict criteria of the Federal Constitutional Court for expedited proceedings.

5. The decision on costs follows from Section 97 of the Code of Civil Procedure.

A decision on provisional enforceability was not necessary, as interim injunctions are always provisionally enforceable without a separate declaration.