Cookie Consent

What is cookie consent?

Cookie consent means the user’s agreement or consent to the storage and/or retrieval of information on their end devices when visiting websites. For the sake of simplicity, various technologies that enable access to the user’s end device are listed under “cookies”, such as session or local storage. The subsequent processing and in particular the disclosure of personal data may also require prior consent. Website operators usually obtain consent for non-essential cookies and certain data uses via a so-called cookie consent banner that appears on the screen when the user visits a new website. The purpose of cookie consent is to legitimize access to users’ devices and the processing of data.

According to the GDPR, the processing of personal data on websites and apps is only possible with prior consent if this is not absolutely necessary or can be justified by the overriding legitimate interest.

When dealing with the topic of cookie consent, there is no way to avoid dealing with data protection principles: When is data processing involved? What all falls under personal data? What does necessity mean? When does the legitimate interest prevail? We answer these questions simply and comprehensibly in our data protection 101 for marketers.

Since not all users are willing to give their consent, marketers have to deal with the consent rate on the one hand and the effects on data quality through reduction and distortion of the database (consent bias) on the other. This is confirmed by the latest cookie consent benchmark study by etracker.

Cookie consent benchmark study: these are the facts

The cookie consent study by etracker analyzes what influences the consent rate and how cookie consent banners affect the quantity and quality of web analytics data. The cookie consent study is based on a representative website sample.

Will the trend towards legally compliant design of content banners continue?

According to the Cookie Consent Benchmark Study, there are significant deviations in the banner concept for cookie consent. The design is constantly becoming more legally compliant.

Only 13 percent of the sites still make it difficult to refuse by only allowing this via a submenu. The proportion of those who use a “nudging strategy” and visually emphasize the consent option is also falling.

Example of unlawful design with more difficult rejection than consent

Example of unlawful design with unequal consent and rejection

These are the requirements of the supervisory authorities for the design of the consent dialogs with regard to the buttons:

1. rejection at the top level of the banner and therefore as simple as approval

The requirement arises from Art. 7 para. 3 sentence 4 GDPR, but does not apply if consent is not possible at the highest level or the website can also be used without interaction with the banner*.

2. equivalent design of the buttons for approval and rejection

Although the supervisory authorities do not require the buttons to have a 100% identical design, they do require a “button that is comparable in terms of size, color, contrast and typeface” for the opt-out.* In addition, the opt-out button must not only be visible after scrolling, especially on mobile devices.

What is the typical consent rate? What is the impact of illegal nudging?

Websites with a legally compliant design record an average of 14 percentage points less consent. With a legally compliant design, cookies and data processing requiring consent are rejected in 60% of visits.

The level of consent and the effect of legally compliant design vary greatly from sector to sector.

The consent rates of real estate websites, for example, are significantly lower than in the energy sector. The effect of compliant design also varies: while consent nudging makes little difference in e-commerce and tourism, illegal nudging shows significant differences in consent rates in many other sectors. In the service sector, websites have to reckon with a loss of almost 50% with compliant design.

Banks and insurance companies are a special case: Here, websites with a compliant consent design even record higher consent rates.

Does the consent requirement lead to a systematic falsification of analysis data?

Another problem in addition to data loss is consent bias, i.e. the distortion of data due to consent. This is because the consent rate for almost all websites varies greatly depending on the campaign and channel. This not only means that less data is available for campaign management. In fact, the little data available is useless if conversions are only measured from the sample of those who have consented.

As the cookie consent benchmark study shows, the consent rate or the proportion of recorded visits with cookies varies considerably depending on the source of origin or campaign. This results in systematic errors in the channel evaluation.

The cookie-consent deviations can be found not only at referrer level, but also at medium level:

To find out how much the content rate for individual websites varies depending on the channel, the fluctuation range depending on the content level must be considered. To make a long story short: it is high. Even at a minimum of around 25% to just under 45% around the individual average of a website. In extreme cases, it even varies by +/- 44%.

To visualize the variation, we have created a graph for the consent rate levels 5%, 20%, 40%, 60%, 80% and 95% based on the average fluctuation of 36.3%.

This shows the considerable range of consent rates at medium level:

If budgets and bids are adjusted on the basis of such distorted data, derived measures may have the opposite effect. The biggest threat in online marketing is therefore not the complete blind flight or the slightly poorer view, but the systematic falsification of the database – also known as consent bias – due to the obligation to obtain consent. Against this backdrop, successful, data-driven marketing becomes a game of chance. Data-driven budget allocation and bid optimization require a consent-independent analysis.

Conclusions from the cookie consent study

For many marketers, the topic of cookie consent seems to be a choice between plague and cholera. Highlighted accept buttons or more difficult rejections increase the cookie consent rates, but these are neither legally compliant nor evenly distributed. This consent bias ensures that all analyses are not meaningful and, in the worst case, even misleading.

The solution is obvious: it would be best to meet all legal requirements for consent dialogs and at the same time avoid data loss and falsification. But is that even possible? We’ll tell you how to do both.

How do companies avoid consent-related legal risks and sanctions?

The equivalently designed reject button alone is not enough. A total of 14 points must be taken into account when designing the consent banner. If even just one legal criterion is not met, all consents obtained are invalid and the use of the corresponding services requiring consent is unlawful.

All legal requirements for the design of consent dialogs can be found in a document from the supervisory authorities: in the Guidance of the supervisory authorities for providers of digital services – in short: OH Digital Services – in version 1.2. But: The requirements for consent dialogs are spread over more than 30 pages.

We have therefore summarized the most important findings in a compact 14-point checklist. Each point can be easily verified by quoting the corresponding margin numbers from the guidance.

Legal pitfalls often arise from separate solutions for tag management and consent management. Attempts to use automated website scans to detect services and cookies that require consent and to automatically block external scripts are prone to errors – with potentially serious consequences for data protection compliance.

Companies with seamlessly integrated tag and consent management are much more efficient and legally on the safe side: consent categorization and provider assignment take place directly when a tag is added. This ensures secure blocking and correct approval according to the user’s individual consent preferences directly during tag control. New tags no longer have to be maintained in two systems. Technically unassigned or incorrectly assigned services are excluded as a matter of principle.

With etracker, the integrated solutions etracker tag manager and etracker consent manager automatically ensure that the consent category is transferred from tag management and – as required – the correct number of services requiring consent is displayed in the consent dialog:

How do marketers prevent content-related data loss and corruption?

The good news for marketers is: tracking without consent in harmony with legal requirements is possible! One way to exempt consent is to see web analysis in terms of reach measurement as essential for service provision. On January 11, 2024, the Spanish data protection authority aepd published guidelines on the “Use of cookies for reach measurement tools”. It describes (strict) conditions for exemption from consent. In a similar form, the French supervisory authority CNIL has defined rules for the exemption from the consent requirement for reach measurement and has even listed suitable solutions. Including etracker analytics with special settings.

The German supervisory authorities for online offerings of broadcasters (RDSK) have confirmed that purely statistical cookies are absolutely necessary. For the non-public sector, however, the supervisory authorities have stated that even the simple measurement of visitor numbers should not be classified per se as part of the basic service (see OH Digital Services, para. 90).

In Germany, it is advisable to refrain from using analytical or statistical cookies in order to be able to track without consent.

However, cookie-less tracking alone is not enough to be exempt from the consent requirement. For this, the data processing must also be designed in such a data protection-friendly way that it can be used under the overriding legitimate interest (Art. 6 para. 1 lit. f GDPR). On July 4, 2023, the European Court of Justice (ECJ) specified the five criteria for the overriding legitimate interest in the case of Meta v. Bundeskartellamt (Case C-252/21):

1. The person responsible must have a genuine interest.
2. No milder comparable solution may exist.
3. Further processing beyond the intended purpose must be excluded.
4. The reasonable expectations of the persons concerned must not be violated.
5. Compliance with 1.-4. must be verifiable .

The supervisory authorities expressly point out that web analysis is excluded under the legitimate interest if the data is processed in third countries without an adequacy decision. According to the supervisory authorities, processing in unsafe third countries is unlawful, even if users have given their consent:

“Personal data that is processed in connection with the regular tracking of user behavior on websites or in apps cannot be processed on the basis of consent in accordance with Art. 49 (1) GDPR. 1 lit. a) GDPR to a third country. The scope and regularity of such transfers regularly contradict the character of Art. 49 GDPR as an exceptional provision and the requirements of Art. 44 p. 2 GDPR. “

When using Google Analytics, the legitimate interest cannot be used as a legal basis, as Google reserves the right to use the data for its own purposes. Even in the so-called extended consent mode , data processing with Google Analytics is only ever possible with consent:

“Furthermore, in cases where third-party service providers are involved in tracking as processors, it must be ensured whether these service providers also process data of the data subjects for their own purposes (e.g. to improve their own services or to create interest profiles). In this case – and even if the third-party service provider only reserves the right to do so in the abstract – the scope of commissioned processing under Art. 28 GDPR is exceeded. As a rule, Art. 6 (1) (f) GDPR cannot then form an effective legal basis for the transfer of personal data – even if it is only the IP address – to these third-party service providers. “*.

Independently confirmed without consent: etracker analytics in standard mode

etracker’s web analytics solution meets the requirements for freedom of consent and has been tested, certified and awarded the ePrivacyseal data protection seal of approval in an independent audit. The test result certifies the freedom of consent:

Truly privacy-friendly cookie-less tracking – as with etracker analytics – frees you from the obligation to give consent and thus prevents consent-related data loss and data distortion.

This is why data protection-friendly hybrid tracking is particularly popular with marketers. This is because it combines the best of both worlds: cookie-based tracking and cookie-less tracking in parallel in a hybrid model. Compared to an exclusively cookie-based solution, this offers the advantage that if statistical cookies are rejected, tracking can be carried out without them and therefore without data loss. Return rates and 30-day journeys can even be recorded for the proportion of users who accept cookies. The consent banner is therefore only used to select the tracking mode – with or without

cookies – and not whether tracking may take place at all.

Conclusion: Cookie consent benchmarks for more orientation

Cookie consent is a critical issue for website operators and marketers. The legal requirements are now very clear and violations are risky. They can be uncovered very easily. And they also reduce the trust of website visitors. Manipulative consent nudging is on the decline. After all, a data strategy based on “trickery” cannot be regarded as serious and sustainable. Anyone who adheres to the design guidelines must expect a high rejection rate. However, this only leads to high data loss and data distortion when using solutions that require consent, such as Google Analytics. What is sustainable, however, is the orientation of all technologies and measures towards the independence of consent. This enables 100% legal compliance with reliable data quality, ensures a reliable basis for targeted online control and at the same time protects the privacy of visitors. A win-win situation for website operators and website users!

* https://www.datenschutzkonferenz-online.de/media/oh/OH_Digitale_Dienste.pdf

Disclaimer

These statements do not constitute legal advice and cannot replace individual legal advice. They are a professional discussion and summary of the topic. If necessary, we will be happy to put you in touch with a specialist lawyer.

What is cookie consent?

Cookie consent benchmark study: these are the facts

Will the trend towards legally compliant design of content banners continue?

What is the typical consent rate? What is the impact of illegal nudging?

Does the consent requirement lead to a systematic falsification of analysis data?

Conclusions from the cookie consent study

How do companies avoid consent-related legal risks and sanctions?

How do marketers prevent content-related data loss and corruption?

Independently confirmed without consent: etracker analytics in standard mode

Conclusion: Cookie consent benchmarks for more orientation