In this article, we explain why many cookie banners are insufficient and why you should adapt your cookie banners to the current legal situation. Many website operators and visitors are likely familiar with the more or less annoying prompts that appear when entering websites, requesting consent to the use of cookies.
Do I need a cookie banner?
According to the decisions of the ECJ of October 1, 2019 (Case No. C-673/17) and the BGH of May 28, 2020 (Case No. I ZR 7/16), users must actively consent to the use of technically non-essential cookies or tools. This consent must be obtained in a technically and legally reliable and verifiable manner. For this purpose, cookie banners from various providers have become established. Contrary to their clear designation, cookie banners can control not only the deployment of cookies but also the use of various other tools (e.g., Google Maps, YouTube).
Why is the topic of cookie banners currently so critical?
Currently, resistance is emerging from the private sector. The Austrian association NOYB – European Centre for Digital Rights – has, according to its own statements, developed software that detects various types of unlawful cookie banners and automatically generates complaints. Before formal complaints are filed, companies have one month to adapt their cookie banners to legal requirements. With this system, NOYB aims to review the most visited websites in Europe and, if necessary, file up to 10,000 complaints (cf. https://noyb.eu/de/noyb-setzt-dem-cookie-banner-wahnsinn-ein-ende; https://www.heise.de/news/Noyb-Datenschutzaktivisten-greifen-Cookie-Banner-an-6057733.html).
Should NOYB's approach become established, this could lead to numerous private and/or commercial imitators.
What do I need to consider regarding cookie banners?
Below, we provide you with an audit guide. If your cookie banner fails to meet the requirements on even a single point, you should review and adapt (or have adapted) your cookie banner:
1. Does the user have a genuine individual choice?
Many cookie banners only offer the options 'Accept All' and 'Settings' (or similar). According to the decisions of the Regional Court of Rostock (Case No. 3 O 762/19) and the Federal Court of Justice (Case No. I ZR 7/16), this design does not meet legal requirements. The voluntariness of consent is thereby impermissibly restricted, rendering any given consent declaration invalid.
2. Do all buttons have the same color and size?
It is frequently observed that the various buttons in cookie banners are designed with different colors. Buttons for consenting to the setting of (mostly all) cookies are often green/blue/red, while the remaining buttons are gray or white. In some cases, these buttons even appear unclickable.
According to the Regional Court of Rostock, this divergent color scheme for buttons, known as a 'dark pattern,' is prohibited. It is designed to intentionally mislead users and pressure them into giving consent, rendering any such consent declaration invalid.
Furthermore, the buttons should also be of the same size.
3. Have you assigned all cookies and tools to the correct category?
Most cookie banners offer the option to assign cookies and/or tools to categories such as technically essential or technically non-essential (e.g., for statistical or marketing purposes). While consent is not required for technically essential cookies and/or tools, it is mandatory for technically non-essential ones.
If you declare technically non-essential cookies and/or tools as technically essential, effective consent will not be obtained. This error is quickly and easily detectable and documentable for authorities and competitors.
4. Are the cookies and tools sufficiently explained?
According to Art. 7 GDPR, consent is only effective, among other things, if the user has been informed about the essential elements of data processing.
In many cookie banners, cookies and/or tools are either not described at all or only very superficially. In such cases, the consent is invalid.
5. Does your cookie banner contain sufficient information?
Many cookie banners contain either no introduction at all or only a very brief one. The introductory text should explain to the user which types of processing they are consenting to, that they can object at any time, and where they can obtain further information. Only with a sufficient introduction can you comply with the transparency requirement stipulated in Art. 5 para. 1 lit. a) GDPR.
Do not hesitate to contact us. We will draft a legally compliant introduction for you.
6. Can users subsequently change the settings in the cookie banner?
On many websites, users can consent to the use of technically non-essential cookies. However, once the cookie banner has closed, it is often no longer possible to return to it to change settings. This frustrates the right of withdrawal under Art. 7 para. 3 sentences 1 and 4 GDPR. Consequently, you risk a fine under Art. 83 para. 5 lit. a) GDPR.
We will explain how you can implement a legally effective option for modification.
7. Have you linked your privacy policy in an easily accessible manner?
The privacy policy must be clearly linked within the cookie banner window. Otherwise, the user lacks essential information regarding the individual cookies and/or tools. In such a case, consent would not be informed and would therefore be invalid.
Your privacy policy itself must, of course, be complete and accurate. We will draft a legally compliant privacy policy for you.
8. Do you use cookies and/or tools from US providers?
Do you use Google products (e.g., Analytics, Maps) or products from other US providers? In this case, you must thoroughly examine (or have examined) whether you can effectively use these products at all, even if the user has consented (incidentally, consent is likely to have been ineffective until now). Until recently, transfers to the USA were permissible only in a few narrow exceptional cases. This has now presumably changed. On June 4, 2021, the EU Commission adopted new standard contractual clauses for data transfers, including to the USA (cf. https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=uriserv%3AOJ.L_.2021.199.01.0031.01.DEU&toc=OJ%3AL%3A2021%3A199%3ATOC). However, this topic is still very new. In any case, seek advice on this matter. For your 'adversaries,' nothing is easier than identifying a potentially illegal data transfer to the USA and pursuing it or issuing a warning.
Conclusion:
There are many providers offering cookie banners that can be designed to be legally compliant. You can implement these cookie banners as legally compliant solutions with minor content adjustments. The implementation and costs for legal consultation are manageable. This allows you to potentially avoid fines and warnings (cf. Incorrect Cookie Banner = Competition Law Violation).
Seek our advice.
We are pleased to offer our advisory services across the entire spectrum of IT law, particularly in the field of data protection law. We would be glad to review your cookie banner for you.
GoldbergUllrich Attorneys at Law 2021
Julius Oberste-Dommes LL.M. (Information Law)
Attorney-at-Law and
Specialist Attorney for Information Technology Law
