Background and purpose
Since the GDPR came into force, many different cookie banners (or consent banners) have appeared on websites, and they vary widely in content and usage. On the one hand, there are small banners that only have to be confirmed. On the other hand, there are consent banners with a lot of information and customization options that most people do not understand.
In May 2020, the Süddeutsche Zeitung published the article “Die Sache mit dem Haken” about the judgement of the German Federal Court of Justice (BGH). According to the court, most consent banners are not legal. One important reason is that the user has to give consent in a clear manner, and before any cookies are set. Most cookie banners do not fulfil these requirements [1].
The purpose of this article is therefore to offer an overview of the requirements for, and the legal usage of, cookie banners.
What are cookies?
A “cookie” is a piece of information in text format that the browser on the user’s device can store for each website visited [2].
But what is the reason for this technical mechanism? Generally, a user-friendly website has to remember specific information in order to carry out a process on the internet. For instance, when ordering goods on a retail website, you can put the desired product into your (virtual) cart. For technical reasons this information has to be saved in a special place (a cookie); otherwise it is lost as soon as you go on to look at other information or products on the website. There are many more uses of cookies, such as increasing the security of a login, saving the steps of an order, or remembering the language or currency chosen on a website [3].
Furthermore, there are two types of cookies with respect to lifetime: session cookies and permanent (persistent) cookies.
Session cookies are deleted when the user closes the browser. Permanent cookies stay on the computer for several months or years.
Additionally, cookies can be classified as first-party cookies, which can be read only by the website that set them, and third-party cookies, which are used, for example, through the advertising banners of advertising agencies. If a user visits different websites that use the same advertising cookie, the advertising agency can build a profile of the visited websites and the user’s behaviour. Third-party cookies are classified as problematic by privacy groups [4].
Cookies can collect a variety of information, for example the hardware and software used, as well as data by which a user can be identified (IP address, e-mail address, name, telephone number or a “unique user ID”) [5].
You can identify the cookies a website sets, and their type, with Webbkoll at https://webbkoll.dataskydd.net/de/, a service of the Swedish non-profit organisation Dataskydd.net.
Legal bases and information obligations
In general, you are allowed to collect and process personal data only if there is a legal basis for the processing [6]. Any processing is prohibited unless there is an explicit permission. Consequently, a cookie that uses personal data may only be used when such a legal basis exists at the time of use.
Article 6 “Lawfulness of processing” of the GDPR lists the different conditions under which processing is lawful. One of these is “consent” [7], which is necessary for a variety of cookies (for example cookies used for advertising).
In addition, the GDPR sets out several requirements for consent to be a valid legal basis [8].
For example, “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the Data Subject’s agreement (…)”. This includes consent given by electronic means, for example by ticking a box [9].
In summary, where consent is the legal basis, it has to be given before any collection and processing of data occurs. The consent has to be clear and is only valid for a specific purpose. Implied conduct and a single consent covering different purposes are not legal. Another important aspect is that the Data Subject has the right to withdraw his or her consent at any time [10].
In the previous section I mentioned session cookies, which are deleted after the browser is closed and the “session” thereby ends. Cookies that are used for technical reasons are often judged to be “free of consent”. The GDPR contains no specific regulations for session cookies. However, the requirement of consent may be omitted where “processing is necessary for the purposes of the legitimate interest pursued by the Controller or by a third party, except where such interests are overridden by the interest of fundamental rights and freedoms of the Data Subject (...)” [11]. The not yet enacted ePrivacy Regulation, which specifies the usage of cookies in more detail, also provides for this exception based on legitimate interest [12].
Finally, I would like to touch upon the information that has to be provided where personal data is collected. Along with several other points, it is mandatory to state “the purposes of processing for which the personal data are intended as well as the legal basis for the processing” [13].
Requirements for consent banners
What do the previous insights mean for the usage of cookie banners?
First of all, it is important to know what data will be processed and what kind of cookies are to be used. Based on that, you can decide whether consent is necessary or whether you can argue for a legitimate interest. If consent is required, the cookie may be written only after the user has given it. An opt-out option is not legal. The consent has to be unambiguous and must cover one purpose only.
If consent is mandatory, it is not sufficient to use a cookie banner that only provides the option to confirm (for example through an “OK” button). The user must be able to choose between confirming the processing and refusing it. As long as the user has not made a decision, it is not allowed to set a cookie or process any data.
The visitor of a website must confirm the processing of data for each purpose separately. This can be implemented through a list of options with a checkbox for each purpose. It is also important that the default state of the checkboxes is “disabled”. This is a requirement of the GDPR under article 25 “Data protection by design and by default” [14].
Finally, I would like to point out that in some cases a contract with the provider (processor) of the cookie banner is necessary. This must be checked by the controller.
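As an added example (not code from the original article), the following JavaScript models the consent gate these requirements describe: one checkbox per purpose, unchecked by default; no consent-requiring cookie written before an explicit decision; the legitimate-interest exception for technical cookies mentioned in the previous section; and withdrawal at any time. The purpose names, cookie names and the in-memory cookie jar standing in for document.cookie are assumptions.

```javascript
// Added example, not the article's code; purpose names and the in-memory cookie jar (stands in for document.cookie) are assumptions.
const PURPOSES = {
  essential: { requiresConsent: false },  // e.g. the shopping-cart session cookie (legitimate interest)
  analytics: { requiresConsent: true },
  advertising: { requiresConsent: true },
};

// Initial state: no decision yet, and every consent-requiring purpose is off.
function createConsentState() {
  const granted = {};
  for (const p of Object.keys(PURPOSES)) granted[p] = !PURPOSES[p].requiresConsent;
  return { decided: false, granted };
}

// Banner model: one checkbox per consent-requiring purpose, unchecked by default
// (Art. 25 "data protection by default"). Essential purposes get no checkbox.
function bannerCheckboxes(state) {
  return Object.keys(PURPOSES)
    .filter(p => PURPOSES[p].requiresConsent)
    .map(p => ({ purpose: p, checked: state.granted[p] }));
}

// Record the user's explicit, per-purpose choice. Only ticked boxes are granted;
// untouched boxes stay refused (no implied consent, no bundling of purposes).
function recordConsent(state, tickedPurposes) {
  const granted = { ...state.granted };
  for (const p of Object.keys(PURPOSES)) {
    if (PURPOSES[p].requiresConsent) granted[p] = tickedPurposes.includes(p);
  }
  return { decided: true, granted };
}

// Consent can be withdrawn at any time; cookies of that purpose are removed.
function withdrawConsent(state, purpose, jar) {
  const granted = { ...state.granted, [purpose]: false };
  for (const name of Object.keys(jar)) {
    if (jar[name].purpose === purpose) delete jar[name];
  }
  return { decided: state.decided, granted };
}

// The gate every cookie write goes through: essential cookies are always
// allowed; everything else only after an explicit decision granting the purpose.
function setCookieIfAllowed(state, jar, purpose, name, value) {
  const spec = PURPOSES[purpose];
  if (!spec || (spec.requiresConsent && !(state.decided && state.granted[purpose]))) return false;
  jar[name] = { value, purpose };
  return true;
}
```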
The GDPR offers clear rules, but they are often difficult to apply in practice. The main ambition of the GDPR is that the Data Subject can decide whether his or her data will be processed, and in what way. The Data Subject must be informed about this beforehand.
Real-world circumstances often differ from those of the digital world. The ePrivacy Regulation will try to establish purposeful rules for electronic communication. It is a special law that supplements the GDPR. Its main objectives will be the establishment of trust in electronic communication as well as the conditions under which providers of electronic communication networks may store data. Further rules will address the handling of unsolicited communication, direct-marketing communication services and the duty to inform about security risks [15].
So far, the ePrivacy Regulation has not been enacted. Initially its roll-out was planned for the same time as that of the GDPR, but until now the EU member states have not been able to agree on a common text.
[1] Hauck and Muth, „BGH“, https://www.sueddeutsche.de/digital/cookies-bgh-internet-haken-1.4921013.
[3] Solmecke, DSGVO für Website-Betreiber, p. 144.
[4] „BSI für Bürger - Cookies und Fingerprinting“, https://www.bsi-fuer-buerger.de/BSIFB/DE/Empfehlungen/EinrichtungSoftware/EinrichtungBrowser/GefahrenRisiken/Cookies/cookies_node.html.
[6] „Das Verbot mit Erlaubnisvorbehalt – Datenschutz 2020“, https://www.datenschutz.org/verbot-mit-erlaubnisvorbehalt/.
[15] „ePrivacy-Verordnung: Der aktuelle Stand zur DSGVO-Erweiterung“, https://www.e-recht24.de/artikel/datenschutz/11329-e-privacy-verordnung-die-dsgvo-war-erst-der-anfang.html.