Cookie consent banners continue to be held to increasingly strict requirements regarding their graphical and technical design. Regulatory authorities and courts have recently been demanding more detailed information texts, more neutrally designed user interfaces and an even stricter “opt-in” principle than before. This results in a need for action and possible liability risks even for those website operators who have already implemented a cookie banner and therefore consider themselves “compliant”.
The topic is also high on the agenda of the supervisory authorities. Most recently, the French regulator CNIL again imposed record fines on Google and Amazon for providing their users with false or non-transparent cookie information.
Background, Problem and Risk of Sanctions
When using most web analysis and tracking tools (such as Google Analytics) or personalised advertising, a website operator must obtain explicit consent from its users. Usually, this is done through so-called “cookie (consent) banners”. Since consent must be given before tracking commences, these more or less intrusive pop-ups are often the first thing a user sees when visiting a website. In most cases, however, the user can quickly and easily “get rid” of the banner – by clicking on the appropriately highlighted button reading “Accept All Cookies”. A short info text then simply refers the user to the privacy policy for “further information”.
Against this background, the State Commissioner for Data Protection in Lower Saxony (LfD) has published a handout on the topic of “consent on websites in conformity with data protection” [in German]. This clarifies that the practice described above is not legally compliant and, in particular, is not in line with the requirements of the GDPR. Case law has also recently tended in this direction: for example, the Rostock Regional Court condemned the online platform “advocado” for the use of an insufficient cookie banner in a ruling of 11 August 2020 (Case No. 3 O 762/19 [in German]).
Our Recommendations for the Correct Design of Cookie Banners
We therefore recommend considering the following when designing your cookie banner:
- Consent Before Cookies Are Set: The user must consent before cookies are saved in their browser. Here, attention must be paid to a clean technical implementation of the cookie banner and the interaction with plug-ins and third-party providers.
- “Opt-in” instead of “opt-out”: The user’s consent must be unambiguous and active. Pre-ticked checkboxes, or the assumption that “continuing to surf” implies consent, do not fulfil these requirements.
- Specific information: Consent must also be “informed” in order to ensure transparency. Therefore, vague formulations such as “we use cookies to improve your browsing experience” are not sufficient. Data recipients and third-party cookie providers must also be explicitly named. A transfer of data to non-EU countries and the corresponding legal basis must also be pointed out – and the user must also give their specific consent to this. A blanket reference to the privacy policy is likewise not sufficient, and may only supplement the information.
- Neutral Design of the Cookie Banner: The button “Accept All Cookies” must not be highlighted in colour or design in order to encourage the user to quickly dismiss the cookie banner by providing consent (so-called “dark pattern” or “nudging”).
- Simple Consent-Revocation Through “Consent Management”: The user must be able to revoke their consent just as easily as they gave it. Here, a link in the footer of the website is recommended, e.g. with the label “privacy settings”, via which the user can call up the cookie banner again and deselect cookies there (so-called “consent management”).
- Waive Cookie Banners Only if “Data-Saving” Web Analytics Alternatives Are Used: If a cookie banner is to be avoided entirely without giving up visitor and usage statistics, the web analytics tools used must neither use cookies, nor transfer data to third countries, nor use data for profiling or displaying advertising. Providers of analysis tools that advertise themselves as “data-saving” and “cookie-free”, such as Matomo, OpenWeb Analytics or Plausible, may be suitable for this purpose. Nevertheless, it must be examined in each individual case whether the goal of creating visitor and usage statistics corresponds to the legitimate interest of the website operator. This examination must also be documented.
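The first, second and fifth points above (consent before cookies are set, genuine opt-in with no pre-selection, and revocation that is as easy as consent) are technical requirements on the banner's logic, not only on its wording. The following added example, which is not code from the original article or from any consent-management product, sketches a minimal consent gate that meets them. It runs without a browser: the "loaders" are plain callbacks standing in for the injection of tracking scripts, and the cookie inventory, cookie names and category names are constructed for illustration.

```javascript
// Added example: a minimal consent manager that enforces opt-in gating.
// - Nothing optional runs until the user has explicitly granted its category.
// - The default selection is empty: no category is pre-ticked.
// - revoke() is a single call that resets every optional category and, together
//   with cookiesToDelete(), tells the page which cookies now have to go.
// Loaders are plain callbacks; in a real page they would add a <script> tag.

const CATEGORIES = ['necessary', 'statistics', 'marketing']; // constructed names

function createConsentManager() {
  // Default state: only strictly necessary processing, which needs no consent.
  const state = { necessary: true, statistics: false, marketing: false };
  const loaders = [];   // { category, run, ran }
  const events = [];    // audit trail of consent decisions and script loads

  function runIfAllowed(entry) {
    if (!entry.ran && state[entry.category]) {
      entry.ran = true;
      entry.run();
      events.push(`loaded:${entry.category}`);
    }
  }

  return {
    // Register a tag under a category. It is NOT executed unless and until the
    // user has granted that category, so third-party code cannot set cookies
    // on page load.
    register(category, run) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      const entry = { category, run, ran: false };
      loaders.push(entry);
      runIfAllowed(entry);
    },
    // Explicit opt-in: only categories the user actively selected are granted;
    // everything else stays denied. Closing the banner or scrolling on never
    // calls this, and calling it with nothing selected grants nothing.
    grant(selected = []) {
      for (const c of selected) {
        if (!CATEGORIES.includes(c) || c === 'necessary') continue;
        state[c] = true;
      }
      events.push(`consent:${selected.slice().sort().join(',') || 'none'}`);
      loaders.forEach(runIfAllowed);
    },
    // Withdrawal must be as easy as consent: one call resets every optional
    // category. Scripts already injected cannot be un-run, so the page must
    // also delete the cookies they set (see cookiesToDelete below).
    revoke() {
      for (const c of CATEGORIES) if (c !== 'necessary') state[c] = false;
      events.push('revoked');
    },
    getState: () => ({ ...state }),
    getEvents: () => events.slice(),
  };
}

// Given a document.cookie-style string, a cookie-name -> category inventory
// (hypothetical; the operator has to maintain one), and the current consent
// state, return the cookie names that must be deleted because their category
// is not (or no longer) granted. Cookies missing from the inventory are flagged
// too: an unlisted cookie is an inventory gap, not an implicit permission.
function cookiesToDelete(cookieString, inventory, state) {
  const toDelete = [];
  for (const part of cookieString.split(';')) {
    const name = part.split('=')[0].trim();
    if (!name) continue;
    const category = inventory[name];
    if (category === undefined || !state[category]) toDelete.push(name);
  }
  return toDelete;
}

// Stand-alone walk-through with constructed values.
function demo() {
  const cm = createConsentManager();
  const loaded = [];
  cm.register('statistics', () => loaded.push('analytics.js'));
  cm.register('marketing', () => loaded.push('ads-pixel.js'));
  const beforeConsent = loaded.length;       // nothing ran on page load
  cm.grant(['statistics']);                  // user ticked statistics only
  const afterConsent = loaded.slice();       // only analytics.js was loaded
  cm.revoke();                               // user withdrew via footer link
  const inventory = { session: 'necessary', _ga: 'statistics', _fbp: 'marketing' }; // constructed
  const leftover = cookiesToDelete('session=abc; _ga=GA1.2.1; _fbp=fb.1', inventory, cm.getState());
  return { beforeConsent, afterConsent, leftover, state: cm.getState(), events: cm.getEvents() };
}
```

The point of `cookiesToDelete` flagging unknown cookies is that a consent gate is only as good as the operator's inventory of what each plug-in actually sets; a cookie nobody can attribute to a category is exactly the kind of third-party interaction the first recommendation above warns about.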
Concrete Design of the Cookie Banner
The following two examples illustrate the concrete requirements for the design of a legally compliant cookie banner presented above:
Example of an impermissible design: pre-selection of all optional cookie categories (“opt-out” instead of “opt-in”) and “nudging” by colour-coding the buttons “Allow Selected Cookies” and “Allow All Cookies”.
This is what a permissible design could look like (in excerpts): No “nudging” and no pre-selection. It is particularly important that clicking on “Show details” displays information about the optional cookie categories as well as their specific purposes and specific providers, and informs about data transfers to third countries and their legal basis. A reference to the detailed data protection statement should also not be missing.
Outlook and recommendation for action
All website operators should check whether they have to use a cookie banner and how this is to be specifically designed. In doing so, providers of “out of the box” solutions (e.g. Cookiebot) can be used or an individual solution can be programmed or commissioned.
In any case, however, it should be checked whether one’s own implementation meets the current requirements of the GDPR and the supervisory authorities – only very few website operators will manage without any adjustments or changes. This is especially true when using ready-made solutions – here, the LfD has explicitly pointed out that their default settings are often insufficient.