The appearance of cookie banners has changed on many websites in recent times. In the past, a small pop-up window would simply inform you that some unspecified "cookies" were being set on the website. Nowadays, you are often given a list of the individual cookies and a choice of checkboxes to accept or reject them. Why is this the case - and what is correct now?
This article sheds light on cookie banners and explains how to properly design the cookie notice on your website. Before we get to the details, however, it is necessary to understand when and why you need a cookie banner in the first place.
Why do you need a cookie banner at all?
Cookies are pieces of information that are stored on the website visitor's end device (PC, smartphone, etc.). On the one hand, these are necessary to display a website correctly ("technically necessary cookies"). On the other hand, they are also used for other purposes, for example to analyze the behavior of website visitors, for advertising purposes or when integrating social plugins. (Note: In the following, the term "cookies" also refers to comparable technologies such as counting pixels, etc.).
Let's first take a look at the current legal situation. In this respect, the following has applied since GDPR (Regulation (EU) 2016/679) came into force on 25.05.2018:
If the cookies are not stored on the website visitor's end device to protect the legitimate interests of the website operator or a third party, the consent of the website visitor is required for this in accordance with Art. 6 (1) GDPR.
Since the legitimate interests of the website operator or third parties must be weighed against the interests or fundamental rights and freedoms of the website visitor, it is often unclear in individual cases which interests prevail.
A legitimate interest in the operation of a website is of course always that the website is displayed correctly. Cookies required for this purpose are therefore always covered by the legitimate interest of the website operator.
It becomes more difficult when cookies are set to analyze the behavior of the website visitor or to evaluate it for advertising purposes. Here it often cannot be ruled out that, in the event of a dispute, the data protection supervisory authorities and/or the courts would give greater weight to the interests of the website visitors.
Apart from the technically necessary cookies, the setting of cookies should therefore always be based on the consent of the website visitor. This consent is classically obtained via a checkbox.
It should not be concealed that this legal situation could change when the ePrivacy Regulation comes into force. However, as the ePrivacy Regulation is currently still under political discussion, the application of GDPR - and therefore the precautionary obtaining of consent by means of a checkbox - will remain in place for the time being with regard to cookies & co. You can read the details in my article "The ePrivacy Regulation: What's in store for you?".
How should you design your cookie banner?
Designing a cookie banner correctly is not that difficult. It's just important to keep a few little things in mind, which I'll show you below.
#1 The right time
It is important that the cookie banner appears immediately when the website is accessed and that no cookies are initially set and no data may be transmitted to third parties (e.g. via a social plugin).
#2 The right place
It is also important that further visits to the website are not made dependent on the website visitor consenting to the setting of all cookies. Even if consent is only given to the setting of technically necessary cookies, it must still be possible to visit the website. Of course, it is clear that some functions of the website may not work properly without consent.
#4 Complete enumeration of all cookies
The cookie banner should list the individual cookies or - if there are too many - at least the individual contexts (technically necessary cookies, analysis cookies, cookies for advertising purposes, etc.); if only contexts are mentioned, these should be explained in more detail by clicking on them in another window and the individual cookies should be specified there.
#5 Checkboxes with opt-in
Consent on websites is best obtained by means of checkboxes.
This means that there is a separate checkbox for each cookie - or cookie context - in the cookie banner.
It is important to note that only the checkbox for technically necessary cookies must already be ticked - all other checkboxes must be empty. By clicking on the other checkboxes, the website visitor can now decide for themselves which cookies or contexts they accept or not.
The legal background to this is as follows:
If consent is obtained by means of a checkbox, there are basically two options: Opt-in or opt-out. The difference is that with opt-in, the checkbox is initially empty and the website visitor must actively give their consent by clicking on the box or ticking the box. In the case of opt-out, the checkbox is already ticked by default - i.e. consent has already been given - and the website visitor must actively remove the tick by clicking on the checkbox.
Many website operators use the opt-out by default. Presumably because they know that most of their visitors want to access the website quickly and therefore click on the OK button of the cookie banner - without reading the banner text or thinking about what they are giving their consent for.
Why isn't opt-out consent enough?
Even if this procedure is widespread, it is not legally correct. Consent requires an active action on the part of the website visitor. Therefore, only the opt-in, i.e. the website visitor actively giving their consent - for example to the use of an analysis tool such as Google Analytics - by ticking the box, is legally flawless.
It could now be argued that the actual consent for opting out lies in clicking the OK button on the cookie banner. But this is treading on thin ice. According to recital 32 of GDPR, the following applies to consent (emphasis mine):
"Consent should be given by an unequivocal affirmative act which indicates voluntarily, for the specific case, in an informed and unambiguous manner, that the data subject consents to the processing of personal data relating to him or her, for example in the form of a written declaration, which may also be made electronically, or an oral declaration.
This could be done, for example, by ticking a box when visiting a website, by selecting technical settings for information society services or by any other statement or behavior with which the data subject clearly indicates their consent to the intended processing of their personal data in the respective context.
Silence, already checked boxes or inactivity of the data subject should therefore not constitute consent. Consent should relate to all processing operations carried out for the same purpose or purposes. If the processing serves several purposes, consent should be given for all these processing purposes. Where the data subject is requested to give consent by electronic means, the request must be made in a clear and concise manner and without undue interruption of the service for which consent is given."
#7 Special Problem Social Plugins
There is a special problem with the integration of social plugins, as these not only set cookies, but also automatically send personal data of your website visitors to the corresponding social network, etc.
According to a recent ruling by the ECJ on July 29, 2019, the personal data of the website visitor may only be transmitted to the social network etc. after the corresponding consent has been given. It is therefore important to ensure that the social plugin only becomes active if the website visitor has previously given their consent by ticking the relevant checkbox. (This ruling still refers to the "Data Protection Directive", i.e. the predecessor regulation of GDPR; however, the result also applies to GDPR).
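The three technical requirements above (#1: nothing is set or transmitted before the banner is answered; #5: only the technically necessary context is pre-ticked, everything else is opt-in; #7: a social plugin is activated only after its checkbox has been ticked) can be expressed in a few lines of plain JavaScript. The following is an added example written for this article, not code from the article or from any consent-management product. The names (CATEGORIES, defaultBannerState, isOptInState, consentFromBanner, resourcesToLoad, mountBanner) and the two script URLs are assumptions chosen for the example; the pure functions run anywhere, while the DOM wiring at the end only runs in a browser.

```javascript
// Added example (not part of the original article). Function and constant names,
// as well as the placeholder URLs, are assumptions made for this illustration.

// Cookie contexts as the article describes them. Only "necessary" is covered by the
// operator's legitimate interest; every other context needs opt-in consent.
const CATEGORIES = [
  { id: 'necessary',   label: 'Technically necessary cookies',              required: true  },
  { id: 'analytics',   label: 'Analysis cookies (e.g. web analytics)',      required: false },
  { id: 'advertising', label: 'Cookies for advertising purposes',           required: false },
  { id: 'social',      label: 'Social plugins (data is sent to the network)', required: false },
];

// Initial checkbox state: only the required context is pre-ticked, all others are empty (#5).
function defaultBannerState(categories = CATEGORIES) {
  const state = {};
  for (const c of categories) state[c.id] = c.required;
  return state;
}

// Configuration check: an optional context that is ticked before the visitor acted
// would be an "already checked box" in the sense of recital 32, i.e. opt-out.
function isOptInState(state, categories = CATEGORIES) {
  return categories.every((c) => c.required || state[c.id] === false);
}

// Turn the checkbox state into a consent record when the visitor clicks OK.
// Required contexts are always granted; optional ones only if their box was ticked.
function consentFromBanner(state, categories = CATEGORIES, now = new Date()) {
  const granted = {};
  for (const c of categories) granted[c.id] = c.required || state[c.id] === true;
  // "version" lets you ask again after the list of cookies on the banner changes.
  return { granted, timestamp: now.toISOString(), version: 1 };
}

// Third-party resources that must stay inactive until the matching context is consented.
const GATED_RESOURCES = [
  { category: 'analytics', src: 'https://analytics.example/script.js' }, // placeholder URL
  { category: 'social',    src: 'https://social.example/plugin.js' },    // placeholder URL
];

// Without a consent record nothing is loaded, so a first visit sends no data to
// third parties (#1); a social plugin is only loaded with the "social" box ticked (#7).
function resourcesToLoad(consent, resources = GATED_RESOURCES) {
  if (!consent) return [];
  return resources.filter((r) => consent.granted[r.category] === true).map((r) => r.src);
}

// Browser wiring: render one checkbox per context and inject scripts only after OK.
function mountBanner(doc, onConsent) {
  const state = defaultBannerState();
  const form = doc.createElement('form');
  for (const c of CATEGORIES) {
    const box = doc.createElement('input');
    box.type = 'checkbox';
    box.checked = c.required;  // opt-in: optional boxes start unticked
    box.disabled = c.required; // the visitor cannot refuse what the site needs to work
    box.addEventListener('change', () => { state[c.id] = box.checked; });
    const label = doc.createElement('label');
    label.append(box, ' ', c.label);
    form.append(label, doc.createElement('br'));
  }
  const ok = doc.createElement('button');
  ok.type = 'submit';
  ok.textContent = 'OK';
  form.append(ok);
  form.addEventListener('submit', (ev) => {
    ev.preventDefault();
    const consent = consentFromBanner(state);
    for (const src of resourcesToLoad(consent)) {
      const s = doc.createElement('script');
      s.src = src;
      doc.head.append(s); // loaded only now, after an affirmative act by the visitor
    }
    form.remove();
    onConsent(consent);
  });
  doc.body.prepend(form);
}

// Only in a browser: show the banner on every visit until a decision has been stored.
if (typeof document !== 'undefined' && !localStorage.getItem('cookieConsent')) {
  // Storing the decision itself is technically necessary; it is what lets you honour it.
  mountBanner(document, (consent) => localStorage.setItem('cookieConsent', JSON.stringify(consent)));
}
```

The point worth checking in your own banner is the one `isOptInState` encodes: whatever the visual design, the state the form starts in must not grant any optional context, and the script tags for analytics and social plugins must not exist in the page until `resourcesToLoad` has returned them.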
Designing a cookie banner correctly, i.e. in compliance with the law, is not rocket science. And it is also not a disadvantage for the website operator. After all, website visitors should also be treated fairly. And this includes providing transparent information about what happens when the website is accessed. Only then are website visitors in a position to make a well-informed decision as to whether and, if so, what data they wish to disclose. Just as many website developers and operators are reluctant to be spied on by third parties, they should also give visitors to their own website the opportunity to decide for themselves what data they want to disclose or not.
Featured image: Emily Wilson | Unsplash
Other images: Rawpixel | pexels, Raidboxes