How to make your cookie banner legally compliant

In this article, we explain why many cookie banners are insufficient and why your cookie banner should be adapted to the current legal situation. Many website operators and visitors are probably familiar with this: more or less annoying requests, on entering a website, to agree to the use of cookies.

According to the decision of the ECJ of 01.10.2019 (Case C-673/17) and the BGH of 28.05.2020 (Case I ZR 7/16), the user must actively consent to the use of technically unnecessary cookies or tools. The consent must be obtained in a technically and legally reliable and verifiable manner. The cookie banners of various providers have established themselves for this purpose. Despite the name, a cookie banner can control not only the use of cookies but also the use of various other tools (e.g. Google Maps, YouTube).

There is currently resistance from the private sector. The Austrian association NOYB - European Centre for Digital Rights states that it has developed software that recognises different types of illegal cookie banners and automatically generates complaints. Before formal complaints are filed, companies have one month to adapt their cookie banner to the legal requirements. With this system, NOYB will be able to check the most visited websites in Europe and, if necessary, file up to 10,000 complaints (cf. https://noyb.eu/de/noyb-setzt-dem-cookie-banner-wahnsinn-ein-ende; https://www.heise.de/news/Noyb-Datenschutzaktivisten-greifen-Cookie-Banner-an-6057733.html).

Should NOYB establish itself with its approach, this could attract various private and/or commercial imitators.

Below we provide you with an inspection guide. If your cookie banner fails to meet the requirements on even one point, you should review your cookie banner and have it adjusted:

1. Does the user have a real individual choice?

Many cookie banners only offer the options "Accept all" and "Settings" or similar. According to the decision of the Rostock Regional Court (Case No. 3 O 762/19) and the Federal Supreme Court (Case No. I ZR 7/16), this design does not meet the legal requirements. The voluntary nature of the consent is thus inadmissibly restricted. The declaration of consent would therefore be invalid.

2. Do all buttons have the same colour and size?

It can often be observed that the various buttons in the cookie banner are designed in different colours. The buttons for consenting to the setting of (mostly all) cookies are green/blue/red, the other buttons are grey or white. Some of these buttons look as if they cannot be clicked at all.

According to the Rostock Regional Court, this deviating colour design of the buttons, known as a "dark pattern", is prohibited. It is intended to deliberately mislead the user and pressure them into giving consent. A declaration of consent would be invalid.

Furthermore, the buttons should also have the same size.

3. Have you assigned all cookies and tools to the correct category?

Most cookie banners offer the option of assigning cookies and/or tools to the categories technically necessary or technically unnecessary (e.g. statistical or marketing purposes). Consent is not required for technically necessary cookies and/or tools, but is required for technically unnecessary cookies and/or tools.

If you declare technically unnecessary cookies and/or tools as technically necessary, effective consent is not obtained. This error is quick and easy to document for authorities and competitors.

4. Are the cookies and tools sufficiently explained?

According to Art. 7 GDPR, consent is, among other things, only effective if the user has been informed about the essential elements of the data processing.

In many cookie banners, the cookies and/or tools are not described at all or much too superficially. In this case, consent is invalid.

Many cookie banners contain either no introduction at all or only a very short one. The introductory text should explain to the user which types of processing he or she consents to, that he or she can object at any time and where he or she can obtain further information. Only with a sufficient introduction do you satisfy the transparency requirement in Art. 5 (1) a) GDPR.

Feel free to contact us. We will formulate a legally compliant introduction for you.

On many websites, the user can consent to the use of technically unnecessary cookies. After the cookie banner has closed, it is often no longer possible to return to the cookie banner to change the settings. However, by doing so, you thwart the possibility of revocation according to Art. 7 (3) sentences 1 and 4 GDPR. You risk a fine according to Art. 83 (5) (a) GDPR.

We explain how you can implement a legally effective amendment option.

7. Have you linked your privacy policy in an easily accessible way?

The privacy policy must be clearly linked in the cookie banner window. Otherwise, the user is missing essential information on the individual cookies and/or tools. In this case, consent would not be informed and would therefore be invalid.

Your privacy policy itself must of course be complete and correct. We formulate a legally compliant data protection statement for you.

8. Do you use cookies and/or tools from US providers?

Do you use Google products (e.g. Analytics, Maps) or products from other US providers? In this case, you must check (or have checked) exactly whether you can use these products effectively at all, even if the user has consented (consent is likely to be ineffective so far, by the way). Until recently, transfers to the USA were only permitted in a few narrow exceptional cases. This has now presumably changed. On 4 June 2021, the EU Commission adopted new standard contractual clauses for data transfers to the USA, among other countries (cf. https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=uriserv%3AOJ.L_.2021.199.01.0031.01.DEU&toc=OJ%3AL%3A2021%3A199%3ATOC). However, this topic is still very new. In any case, get advice on this topic. Nothing is easier for your "enemies" than to recognise a presumably illegal data transfer to the USA and to prosecute it or issue a warning.

Conclusion:

There are many providers who offer cookie banners that can be designed in a legally compliant manner. You can use these cookie banners as legally compliant cookie banners with minor changes to the content. The use and the costs for legal advice are manageable. This may help you to avoid fines and warnings (cf. wrong cookie banner = competition infringement).

Let us advise you.

We are available as advisors in the entire area of IT law, in particular for the area of data protection law. We would be happy to check your cookie banner for you.

GoldbergUllrich Lawyers 2021

Julius Oberste-Dommes LL.M. (Information Law)

Lawyer and specialist lawyer for information technology law
