12.08.19
updated 10.11.20
Mario Steinberg
0 comments
Cookie Banner GDPR ePrivacy

Cookie banners - but do it right! You should pay attention to these 7 things

The appearance of cookie banners has changed on many websites recently. In the past, you only got a small pop-up window with a succinct notice that some unspecified "cookies" are set on the website. Nowadays, you often get a list of the individual cookies and a choice via checkboxes which of them are accepted or not. Why is this the case - and what is correct now?

This article sheds light on cookie banners and explains how to correctly design the cookie notice on your website. Before we get to the details, however, it's important to understand when and why you even need a cookie banner in the first place.

Cookies are information that is stored on the website visitor's terminal device (PC, smartphone, etc.). On the one hand, some cookies may be necessary to display a website correctly ("technically necessary cookies"). On the other hand, they're also used for other purposes, e.g. to analyze the behavior of the website visitor for advertising reasons or to integrate social media plugins. (Note: in the following article, the term "cookies" also refers to comparable technologies such as counting pixels, etc.) 

Let us first look at the current legal situation. In this respect, since the entry into force of GDPR (Regulation (EU) 2016/679) on 25.05.2018 the following applies:

If the cookies stored on the website visitor's terminal device aren't stored in order to safeguard the legitimate interests of the website operator or a third party, the website visitor's consent is required in accordance with Art. 6(1) of GDPR.

Cookie Banner GDPR

The legitimate interests of the website operator or third parties must be weighed against the interests or basic rights and freedoms of the website visitor. In individual cases, this makes it unclear which interests outweigh the other.

One legitimate interest in operating a website is, of course, that the website is always displayed correctly. The cookies required to display the website correctly therefore always fall under the legitimate interest of the website operator. 

The situation becomes more complex when cookies are set to analyze the behavior of the website visitor or for advertising purposes. In this context, it often cannot be excluded that the interests of website visitors would be given higher priority by data protection authorities and/or courts in the event of a dispute.

Apart from the technically necessary cookies, the setting of cookies should therefore always be based on the consent of the website visitor. This consent is classically obtained via a checkbox.

It should not be concealed that this legal situation could change when the E-Privacy Regulation comes into force. However, since the E-Privacy Regulation is currently still under political discussion, the application of GDPR will remain in effect for the time being with regard to cookies & co. - and thus with the precautionary obtaining of consent by means of a checkbox. You can read the details about this in my article "The e-privacy regulation: what's in store for you?"article.

Designing an appropriate cookie banner isn't very difficult. You simply need to pay attention to the points I've listed below for you.

#1 The right time

The cookie banner needs to appear immediately when the website is called up. In the meantime, no cookies should be set and no data may be transferred to third parties (e.g. via a social plugin).

#2 The right place

Care should also be taken to ensure that no other essential content is covered up by the cookie banner. The banner is, for example, often placed in the footer area and conceals the link to the legal notice and/or privacy policy.

#3 Voluntariness 

Further visits to the website should not made dependent on the website visitor agreeing to the setting of all cookies. Even if the visitor only consents to technically necessary cookies, they must still be able to visit the website. Of course, certain functions of the website may not work properly if visitors do not provide consent.  

#4 Complete enumeration of all cookies

The cookie banner should list the individual cookies or, if there are too many, at least the individual contexts (technically necessary cookies, analysis cookies, cookies for advertising purposes, etc.). If only the contexts are mentioned, these should be explained in more detail, e.g. via clicking and opening another window where the individual cookies are specified.    

#5 Checkboxes with opt-in

Consent on websites can reasonably be obtained by checkboxes.

This means there's a separate checkbox in the cookie banner for each cookie - or cookie context. 

Only the checkbox for the technically necessary cookies may already be ticked - all other checkboxes must be empty. By clicking on the remaining checkboxes, website visitors can decide which cookies and which contexts they want to accept or not.

The legal background to this is as follows: 

If consent is obtained by means of a checkbox, there are basically two possibilities: Opt-in or Opt-out. The difference is that with opt-in, the checkbox is initially empty and the website visitor must actively give their consent by clicking on the box or setting the checkmark. With opt-out, the checkbox is already set by default - the consent is therefore already given - and the website visitor must actively remove the checkmark by clicking on the checkbox.

Many website operators use the opt-out by default. Probably because they know that most of their visitors want to get to the website quickly and therefore click on the OK button of the cookie banner - without reading the banner text or considering what they're agreeing to.

Why isn't opt-out consent enough?

Although this approach is common, it's not legally correct. Consent requires affirmative action from the website visitor. The only thing that's legally correct is therefore an opt-in, i.e. the website visitor actively gives their consent. This could be, for example, giving consent via the checkbox to an analysis tool such as Google Analytics.

It could be argued that with the opt-out, the actual consent lies in clicking the OK button of the cookie banner. But this is treading on thin ice. According to recital 32 of GDPR , the following applies with regard to consent (emphasis by me):

line infobox

"Consent should be given by an unambiguous affirmative act freely given, on a case-by-case basis, in an informed and unambiguous manner, that the data subject consents to the processing of personal data relating to him or her, such as a written statement, which may also be given electronically, or an oral statement.

This could be done by ticking a box when visiting an Internet pageby selecting technical settings for information society services or by any other statement or conduct by which the data subject unambiguously indicates his or her consent to the intended processing of his or her personal data in the relevant context.

Silence, boxes already checked or inactivity on the part of the data subject should therefore not constitute consent. Consent should cover all processing operations carried out for the same purpose or purposes. Where the processing serves several purposes, consent should be given for all those processing purposes. Where consent is requested from the data subject by electronic means, the request should be made in a clear and concise manner and without unnecessary interruption of the service for which consent is given."

line infobox

#6 Adaptation of the privacy policy

When designing your cookie banner, you should remember to update your privacy policy. Details of the individual cookies set must also be explained in the privacy policy. 

#7 Special Problem Social Plugins

There is a particular issue with the integration of social plugins. Here, in addition to the setting of cookies, the personal data of your website visitors is automatically sent to the corresponding social network.

According to a recent ruling of the ECJ of 29 July 2019 the personal data of the website visitor may only be transmitted to the social network etc. after the corresponding consent has been granted. Therefore, it must be ensured that the social Plugin only becomes active if the website visitor has previously given his consent by ticking the corresponding checkbox. (This ruling still refers to the "Data Protection Directive", i.e. the predecessor regulation of GDPR ; however, the result also applies to GDPR ).

Designing a cookie banner correctly, i.e. in compliance with the law, is not witchcraft. And it is also not a disadvantage for the website operator. After all, visitors to a website should also be treated fairly. And this also includes providing transparent information about what happens when the website is accessed. Only then are website visitors in a position to make a well-informed decision about whether and, if so, what data they want to disclose. Just as many website developers and operators are reluctant to be spied on by third parties, they should also give visitors to their own website the opportunity to decide for themselves what data they do or do not want to disclose.

Contributed image: Emily Wilson | Unsplash
More images: Rawpixel | pexels, Raidboxes

Did you like the article?

Your rating helps us improve our future content.

Mario Steinberg

Mario Steinberg is a lawyer and specialist in administrative law at the commercial law firm LIEB.Rechtsanwälte. The focus of his work includes data protection law, IT security law and IT law.

Post a comment

Your email address will not be published. Required fields are marked with *.