The appearance of cookie banners has changed on many websites recently. In the past, you only got a small pop-up window with a succinct notice that some unspecified "cookies" are set on the website. Nowadays, you often get a list of the individual cookies and a choice via checkboxes which of them are accepted or not. Why is this the case - and what is correct now?
This article sheds light on cookie banners and explains how to correctly design the cookie notice on your website. Before we get to the details, however, it's important to understand when and why you even need a cookie banner in the first place.
Why do I need to have a cookie banner on my website?
Cookies are information that is stored on the website visitor's terminal device (PC, smartphone, etc.). On the one hand, some cookies may be necessary to display a website correctly ("technically necessary cookies"). On the other hand, they're also used for other purposes, e.g. to analyze the behavior of the website visitor for advertising reasons or to integrate social media plugins. (Note: in the following article, the term "cookies" also refers to comparable technologies such as counting pixels, etc.)
Let us first look at the current legal situation. In this respect, since the entry into force of GDPR (Regulation (EU) 2016/679) on 25.05.2018 the following applies:
If the cookies stored on the website visitor's terminal device aren't stored in order to safeguard the legitimate interests of the website operator or a third party, the website visitor's consent is required in accordance with Art. 6(1) of GDPR.
The legitimate interests of the website operator or third parties must be weighed against the interests or basic rights and freedoms of the website visitor. In individual cases, this makes it unclear which interests outweigh the other.
One legitimate interest in operating a website is, of course, that the website is always displayed correctly. The cookies required to display the website correctly therefore always fall under the legitimate interest of the website operator.
The situation becomes more complex when cookies are set to analyze the behavior of the website visitor or for advertising purposes. In this context, it often cannot be excluded that the interests of website visitors would be given higher priority by data protection authorities and/or courts in the event of a dispute.
Apart from the technically necessary cookies, the setting of cookies should therefore always be based on the consent of the website visitor. This consent is classically obtained via a checkbox.
It should not be concealed that this legal situation could change with the entry into force of ePrivacy Regulation . However, as the ePrivacy Regulation is currently still under political discussion, the application of the GDPR - and thus the precautionary obtaining of consent by means of a checkbox - will remain in place for the time being with regard to cookies & co. You can read the details about this in my article „The ePrivacy Regulation : What's in store for you?"article.
What should my cookie banner look like?
Designing an appropriate cookie banner isn't very difficult. You simply need to pay attention to the points I've listed below for you.
#1 The right time
The cookie banner needs to appear immediately when the website is called up. In the meantime, no cookies should be set and no data may be transferred to third parties (e.g. via a social plugin).
#2 The right place
Further visits to the website should not made dependent on the website visitor agreeing to the setting of all cookies. Even if the visitor only consents to technically necessary cookies, they must still be able to visit the website. Of course, certain functions of the website may not work properly if visitors do not provide consent.
#4 Complete enumeration of all cookies
The cookie banner should list the individual cookies or, if there are too many, at least the individual contexts (technically necessary cookies, analysis cookies, cookies for advertising purposes, etc.). If only the contexts are mentioned, these should be explained in more detail, e.g. via clicking and opening another window where the individual cookies are specified.
#5 Checkboxes with opt-in
Consent on websites can reasonably be obtained by checkboxes.
This means there's a separate checkbox in the cookie banner for each cookie - or cookie context.
Only the checkbox for the technically necessary cookies may already be ticked - all other checkboxes must be empty. By clicking on the remaining checkboxes, website visitors can decide which cookies and which contexts they want to accept or not.
The legal background to this is as follows:
If consent is obtained by means of a checkbox, there are basically two possibilities: Opt-in or Opt-out. The difference is that with opt-in, the checkbox is initially empty and the website visitor must actively give their consent by clicking on the box or setting the checkmark. With opt-out, the checkbox is already set by default - the consent is therefore already given - and the website visitor must actively remove the checkmark by clicking on the checkbox.
Many website operators use the opt-out by default. Probably because they know that most of their visitors want to get to the website quickly and therefore click on the OK button of the cookie banner - without reading the banner text or considering what they're agreeing to.
Why isn't opt-out consent enough?
Although this approach is common, it's not legally correct. Consent requires affirmative action from the website visitor. The only thing that's legally correct is therefore an opt-in, i.e. the website visitor actively gives their consent. This could be, for example, giving consent via the checkbox to an analysis tool such as Google Analytics.
It could be argued that with the opt-out, the actual consent lies in clicking the OK button of the cookie banner. But this is treading on thin ice. According to recital 32 of GDPR , the following applies with regard to consent (emphasis by me):
"Consent should be given by an unambiguous affirmative act freely given, on a case-by-case basis, in an informed and unambiguous manner, that the data subject consents to the processing of personal data relating to him or her, such as a written statement, which may also be given electronically, or an oral statement.
This could be done by ticking a box when visiting an Internet pageby selecting technical settings for information society services or by any other statement or conduct by which the data subject unambiguously indicates his or her consent to the intended processing of his or her personal data in the relevant context.
Silence, boxes already checked or inactivity on the part of the data subject should therefore not constitute consent. Consent should cover all processing operations carried out for the same purpose or purposes. Where the processing serves several purposes, consent should be given for all those processing purposes. Where consent is requested from the data subject by electronic means, the request should be made in a clear and concise manner and without unnecessary interruption of the service for which consent is given."
#7 Special Problem Social Plugins
There is a particular issue with the integration of social plugins. Here, in addition to the setting of cookies, the personal data of your website visitors is automatically sent to the corresponding social network.
According to a recent ruling of the ECJ of 29 July 2019 the personal data of the website visitor may only be transmitted to the social network etc. after the corresponding consent has been granted. Therefore, it must be ensured that the social Plugin only becomes active if the website visitor has previously given his consent by ticking the corresponding checkbox. (This ruling still refers to the "Data Protection Directive", i.e. the predecessor regulation of GDPR ; however, the result also applies to GDPR ).
Designing a cookie banner correctly, i.e. in compliance with the law, is not witchcraft. And it is also not a disadvantage for the website operator. Because visitors to his website should also be treated fairly. And this also includes providing transparent information about what happens when the website is accessed. Only then are website visitors in a position to make a well-informed decision as to whether and, if so, what data they wish to disclose. Just as many website developers and operators are reluctant to be spied on by third parties, they should also give visitors to their own websites the opportunity to decide for themselves what data they do or do not want to disclose.
Contributed image: Emily Wilson | Unsplash
Additional images: Rawpixel | pexels, RAIDBOXES