The appearance of cookie banners has changed recently on many websites. In the past, a small pop-up window would simply inform you that some unspecified "cookies" were being set on the website. Nowadays, you often get a list of the individual cookies and checkboxes for selecting which of them you accept. Why is this so - and what is correct now?
This article sheds light on cookie banners and explains how to correctly design the cookie notice on your website. Before we get to the details, however, it is necessary to understand when and why you need a cookie banner at all.
Why do you even need a cookie banner?
Cookies are pieces of information stored on the website visitor's terminal device (PC, smartphone, etc.). On the one hand, they are necessary to display a website correctly at all ("technically necessary cookies"). On the other hand, they are also used for other purposes, for example to analyse the behaviour of the website visitor, for advertising purposes or for the integration of social media plugins. (Note: In the following, the term "cookies" also refers to comparable technologies such as tracking pixels, etc.)
Let us first look at the current legal situation. Since the entry into force of the GDPR (Regulation (EU) 2016/679) on 25 May 2018, the following applies:
If the cookies are not stored on the website visitor's terminal device in order to safeguard the legitimate interests of the website operator or a third party, the website visitor's consent is required in accordance with Art. 6 para. 1 GDPR.
Since the legitimate interests of the website operator or third parties must be weighed against the interests or basic rights and freedoms of the website visitor, it is often unclear in individual cases whose interests prevail.
A legitimate interest in operating a website is of course always that the website is displayed correctly. Cookies necessary for this are therefore always covered by the legitimate interest of the website operator.
It becomes more difficult when cookies are set to analyse the behaviour of the website visitor or for advertising purposes. In this context, it often cannot be excluded that the interests of website visitors would be given higher priority by data protection authorities and/or courts in the event of a dispute.
Apart from the technically necessary cookies, the setting of cookies should therefore always be based on the consent of the website visitor. This consent is traditionally obtained via a checkbox.
It should not be concealed that this legal situation could change with the entry into force of the ePrivacy Regulation. However, since this is currently still under political discussion, the application of the GDPR - and thus the precautionary obtaining of consent by means of a checkbox - remains in force for the time being with regard to cookies & co. You can read the details in my wp unboxed article "The ePrivacy Regulation: What's in store for you?".
How should you design your cookie banner?
Designing a cookie banner correctly is not that difficult. You only need to pay attention to a few details, which I will introduce below.
#1 The right time
It is important that the cookie banner appears immediately when the website is called up, and that initially no cookies are set and no data is transferred to third parties (for example via a social plugin).
#2 The right place
It is also important that further visits to the website are not made dependent on the website visitor agreeing to the setting of all cookies. Even if only consent is given to set the technically necessary cookies, it must still be possible to visit the website. Of course, it is clear that some functions of the website may not work properly if you do not give your consent.
#4 Complete listing of all cookies
The cookie banner should list the individual cookies or - if there are too many - at least the individual contexts (technically necessary cookies, analysis cookies, cookies for advertising purposes, etc.). If only contexts are mentioned, clicking on a context should open another window that explains it in more detail and specifies the individual cookies.
#5 Checkboxes with opt-in
Consent on websites is sensibly obtained by means of checkboxes.
This means that there is a separate checkbox in the cookie banner for each cookie - or per cookie context.
It is important that only the checkbox for the technically necessary cookies may already be ticked - for all others the checkboxes must be empty. By clicking on the remaining checkboxes, the website visitor can now decide for himself which cookies or contexts he accepts or does not accept.
The legal background is as follows:
If consent is obtained by means of a checkbox, there are basically two possibilities: opt-in and opt-out. The difference is that with opt-in the checkbox is initially empty and the website visitor must actively give his consent by ticking the checkbox. With opt-out, the check mark is already set by default - i.e. consent has already been given - and the website visitor must actively remove the check mark by clicking the checkbox.
Many website operators use the opt-out by default. Probably because they know that most of their visitors want to get to the website quickly and therefore click on the OK button of the cookie banner - without reading the banner text or thinking about what they are agreeing to.
Why the opt-out is not enough
Although this procedure is widespread, it is not legally correct. Consent requires an active action by the website visitor. The only legally correct option is therefore the opt-in, i.e. that the website visitor actively gives his or her consent - for example to the use of an analysis tool such as Google Analytics - by ticking the box.
It could now be argued that, in the case of opt-out, the actual consent lies in clicking the OK button of the cookie banner. But that would be treading on thin ice. According to recital 32 of the GDPR, the following applies to consent (emphasis mine):
"Consent should be obtained by clear affirmative act which gives a voluntary, specific, informed and unequivocal indication that the data subject consents to the processing of personal data relating to him or her, for example in the form of a written declaration, which may also be given electronically, or an oral declaration.
This could include ticking a box when visiting a website. The data subject shall be deemed to have given his consent to the processing of his personal data by virtue of the choice of technical choices made in respect of information society services, or by any other explanation or practice clearly indicating, in the context of the particular case, his consent to the processing of his personal data as envisaged.
Silence, boxes already ticked or inactivity of the data subject should therefore not constitute consent. Consent should cover all processing operations carried out for the same purpose or purposes. If the processing serves several purposes, consent should be given for all these processing purposes. Where the data subject is requested to give consent by electronic means, the request must be made in a clear and concise manner and without undue interruption of the service for which consent is given."
#7 Special problem social plugins
There is a special problem with the integration of social plugins, because not only cookies are set, but also personal data of your website visitors are automatically sent to the corresponding social network etc.
According to a recent judgment of the ECJ of 29 July 2019, the personal data of the website visitor may only be transmitted to the social network etc. after the corresponding consent has been given. Therefore, it is important to ensure that the social plugin only becomes active if the website visitor has given his or her prior consent by ticking the corresponding checkbox. (Although this judgment still refers to the "Data Protection Directive", i.e. the predecessor of the GDPR, the result also applies to the GDPR.)
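The rules from #1, #5 and #7 can be expressed as a small consent gate. The following is an added example, not code from the original article: the category ids, resource names and function names are hypothetical, and the sample data is constructed. It shows the opt-in defaults, the gating of third-party resources such as social plugins, and a check that flags pre-ticked optional checkboxes.

```javascript
// Constructed sample contexts; only "necessary" may be pre-ticked.
const CATEGORIES = [
  { id: "necessary", label: "Technically necessary cookies", required: true },
  { id: "analytics", label: "Analysis cookies", required: false },
  { id: "advertising", label: "Cookies for advertising purposes", required: false },
  { id: "social", label: "Social plugins", required: false },
];

// Constructed sample resources, each tied to exactly one context.
const RESOURCES = [
  { name: "session-cookie", category: "necessary" },
  { name: "analytics-script", category: "analytics" },
  { name: "ad-pixel", category: "advertising" },
  { name: "share-button-embed", category: "social" },
];

// State when the banner first appears: opt-in, so optional boxes start empty.
function initialConsent(categories) {
  return Object.fromEntries(categories.map((c) => [c.id, c.required === true]));
}

// Record what the visitor ticked. Only an explicit `true` for a known,
// optional context grants consent; missing or unknown keys never do.
function recordConsent(categories, ticked) {
  const consent = initialConsent(categories);
  for (const c of categories) {
    if (!c.required && ticked[c.id] === true) consent[c.id] = true;
  }
  return consent;
}

// Gate: names of the resources that may be activated under this consent.
// Everything else (cookies, pixels, plugin embeds) must stay unloaded.
function allowedResources(resources, consent) {
  return resources
    .filter((r) => consent[r.category] === true)
    .map((r) => r.name);
}

// Audit a banner's checkbox defaults: optional contexts that are
// pre-ticked indicate an opt-out design.
function findPreTicked(categories, defaults) {
  return categories
    .filter((c) => !c.required && defaults[c.id] === true)
    .map((c) => c.id);
}
```

In a real page, the gate result would decide which script tags or plugin embeds are inserted into the document after the visitor confirms the banner.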
Designing a cookie banner correctly, i.e. in conformity with the law, is not witchcraft. And it is also no disadvantage for the website operator. Because visitors to his website should also be treated fairly. And this also includes first providing transparent information about what happens when the website is accessed. Only then are website visitors in a position to make a well-informed decision as to whether and, if so, what data they wish to disclose about themselves. Just as many website developers and operators are reluctant to be spied on by third parties, they should also give visitors to their own website the opportunity to decide for themselves what data they want to disclose or not.