Common cookie banner mistakes - and how to avoid them

Since the decision of the Federal Supreme Court (Bundesgerichtshof, BGH) of 28 May 2020 (Case No. I ZR 7/16 - Cookie Consent II), the topics of cookies and consent are once again high on the agenda for website and web shop operators. The BGH has reaffirmed that cookies may only be used for purposes of advertising or market research after the user's express consent. This decision did not come as a surprise.

What is more interesting for the website operators concerned is how they can implement the obligation established by the BGH.

For this purpose, many website operators use so-called cookie banners. In this article, we present the most common mistakes or errors in connection with the cookie banner:

What must a cookie banner look like? What information must be provided?

For some time now, website operators have been using so-called cookie notices. These cookie notices merely inform you that cookies are (already) being used. These cookie notices often contain buttons such as "OK", "Agree" or simply "Close". The user cannot control the use of cookies by the website operator via these cookie notices, let alone consent to the use of cookies.

For this reason, such cookie notices do not meet the requirements of the BGH.

Does consent have to be given for each cookie?

The answer is clearly: NO!

You do not need the user's consent for the use of technically necessary cookies. You may use these cookies without further ado. Unfortunately, there is no clear specification of what falls under the term "technically necessary". Technically necessary cookies are probably those that are required for the operation of the website and its essential functions. Shopping basket cookies, cookies to control the language selection or login cookies are conceivable technically necessary cookies.

But be careful: website operators should not get the idea of simply declaring advertising cookies as technically necessary cookies and therefore not obtaining consent for the cookies. This approach is illegal and, moreover, easy to detect. It is therefore better to leave it alone!

Are only advertising cookies affected?

Even if the decision of the BGH suggests it, the user's consent is not only to be obtained for the use of advertising cookies.

Ultimately, the user should (have to) consent to the use of any cookies or tools that either process the user's personal data or allow conclusions to be drawn about the user.

As the safest approach, you should therefore obtain the user's consent for all cookies or tools that are not necessary for the operation of your website, e.g. Google Maps, YouTube plugins, internet fonts, geolocation services and tracking tools.

When are advertising cookies allowed to start working?

A cookie banner is of no use to you at all if advertising cookies are already set before users have given their consent. You must therefore technically ensure that data processing through technically unnecessary cookies or similar tools only begins after the user has consented to their use.

Don't try to cheat here either. With freely available browser extensions such as Ghostery, uBlock or Adblock Plus, it is quick and easy to determine which cookies or tools are being used (even before consent).

What do you need to know about the visual appearance of the cookie banner?

The cookie banners present themselves to the user in a variety of visual appearances and positions on the screen.

However, you must ensure that the cookie banner does not obscure access to either your "imprint" or your privacy policy. Otherwise, you would not be able to fulfil your obligation under Section 5 (1) of the German Telemedia Act (TMG) to provide the aforementioned information in an easily accessible manner.

It is therefore advisable to include links to your imprint and to your privacy policy in the cookie banner.

Do you have to offer the user a revocation option?

The answer is: YES!

According to Article 7 (3) sentence 1 of the GDPR, the user can revoke his or her consent at any time. According to Art. 7 (3) sentence 4 GDPR, revocation must be as simple as granting consent. In other words: if the user can give consent with one click, he or she must also be able to revoke it with one click.

Cookie banners technically provide for this revocation option. However, you must technically ensure that the user can reach the cookie settings of the cookie banner at any time and exercise his or her right of revocation. Many website operators insert a corresponding link in the footer of their website for this purpose. We recommend this to all website operators.

Finally, you must also ensure that after a revocation, the relevant cookies or tools no longer process data.
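One way to enforce both technical requirements described above (nothing non-essential runs before consent, and nothing keeps running after revocation), as an added example that is not part of the original article. The tool names, categories and cookie names are constructed, and a `Map` stands in for the browser's cookie store.

```javascript
// Added example: a consent gate. Tool, category and cookie names are constructed.
class ConsentGate {
  constructor(tools) {
    this.tools = tools;        // [{ name, category, start, stop }]
    this.granted = new Set();  // categories the user has consented to
    this.running = new Set();  // names of tools currently active
  }
  // Technically necessary tools need no consent; everything else waits for it.
  allowed(tool) {
    return tool.category === "necessary" || this.granted.has(tool.category);
  }
  // Start tools that are allowed, stop tools whose consent is missing or revoked.
  apply() {
    for (const tool of this.tools) {
      const ok = this.allowed(tool);
      const active = this.running.has(tool.name);
      if (ok && !active) { tool.start(); this.running.add(tool.name); }
      if (!ok && active) { tool.stop(); this.running.delete(tool.name); }
    }
    return [...this.running].sort();
  }
  grant(category) { this.granted.add(category); return this.apply(); }
  revoke(category) { this.granted.delete(category); return this.apply(); }
}

function demo() {
  const jar = new Map(); // stands in for the browser cookie store
  const tool = (name, category, cookie) => ({
    name, category,
    start: () => jar.set(cookie, "1"), // browser: inject the vendor script here
    stop: () => jar.delete(cookie),    // browser: expire its cookies, skip loading it
  });
  const gate = new ConsentGate([
    tool("basket", "necessary", "cart_id"),
    tool("maps-embed", "external-media", "map_pref"),
    tool("ad-tracker", "marketing", "ad_uid"),
  ]);
  const cookies = () => [...jar.keys()].sort();
  gate.apply();                 // first page view, no consent given yet
  const beforeConsent = cookies();
  gate.grant("marketing");      // one click to consent
  const afterGrant = cookies();
  gate.revoke("marketing");     // one click to revoke
  const afterRevoke = cookies();
  return { beforeConsent, afterGrant, afterRevoke };
}
```

The same gate can back the footer link to the cookie settings: the link reopens the banner, and the banner calls `revoke` for the deselected category.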

Special topic: Ineffectiveness of the EU-US Privacy Shield

The aforementioned information on the use of the cookie banner only concerns the necessary consent according to Art. 6 (1) (a) and Art. 7 GDPR.

You must additionally take into account whether and, if so, to which country outside the EU or the European Economic Area the user's personal data will be transferred.

According to the ECJ decision of 16 July 2020 (Case C-311/18), which is probably known to almost all website operators, the EU-US Privacy Shield is ineffective. This instrument can no longer be used for data transfers to the USA. At best, this is still possible through the use of so-called standard contractual clauses. However, the German supervisory authorities also take a critical view of this practice for a transfer to the USA (see the statement of the Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder of 28.07.2020).

Due to the high level of legal uncertainty regarding the transfer of personal data to the USA, it is advisable for website operators to avoid software from US providers if possible and to switch to service providers from Europe and, in particular, to data processing in Europe.

As is so often the case, the devil is in the detail when it comes to data protection issues. We are happy to advise you in the entire area of IT/IP and data protection law so that your website becomes or remains data protection compliant.

GoldbergUllrich Lawyers 2020

Julius Oberste-Dommes LL.M. (Information Law)

Lawyer and specialist lawyer for information technology law