
Cookie Consent

… Benchmarks and everything you need to know about legally compliant consent.

Cookie consent has kept companies, courts and data protection experts busy for years. It constantly raises questions, especially in online marketing: How do I obtain cookie consent? When can I do without consent banners? What is allowed despite rejection? What is the average consent rate? Are there specific cookie consent benchmarks that I can use as a guide? Here you will find answers to these and other questions as well as reliable results from etracker’s cookie consent study.

Cookie consent is the agreement or consent to store and/or retrieve information on the user’s device when visiting websites. For the sake of simplicity, various technologies that enable access to the end device are listed under “cookies”, such as session or local storage. The subsequent processing and in particular the disclosure of personal data may also require prior consent. Website operators usually obtain consent for non-essential cookies and certain data uses via a so-called cookie consent banner that appears on the screen when the user visits a new website. The purpose of cookie consent is to legitimize access to the devices and the processing of data.

Good to know

Where is the issue of cookie consent enshrined in law?

In addition to the EU General Data Protection Regulation (GDPR), the Telecommunications Telemedia Data Protection Act (TTDSG), which came into force on December 1, 2021, forms the basis for cookie consent. The TTDSG transposes the provisions of the EU ePrivacy Directive of 2009 (also known as the Cookie Directive) into German law. The consent requirement is regulated in § 25 TTDSG:

“The storage of information in the end-user’s terminal equipment or access to information already stored in the terminal equipment is only permitted if the end-user has consented on the basis of clear and comprehensive information.”
Only technically essential cookies and similar technologies that access the terminal equipment are exempt from the consent requirement.

According to the GDPR, the processing of personal data on websites and apps is only possible with prior consent unless the processing is absolutely necessary or can be justified by an overriding legitimate interest.

When dealing with the topic of cookie consent, one cannot avoid the basic concepts of data protection law: When is data processing involved? What falls under personal data? What does necessity mean? When does the legitimate interest prevail? These questions are answered simply and understandably in the Data protection 1×1 for marketers.

Since not all users are willing to give their consent, marketers have to deal with the consent rate on the one hand and the effects on data quality through reduction and distortion of the database (consent bias) on the other. At least that is what the latest cookie consent benchmark study by etracker shows.

The cookie consent study by etracker analyzes how cookie consent banners affect the quantity and quality of web analytics data and whether cookie consent can still be used to create a significant database for well-founded decisions. The cookie consent study is based on a representative website sample.

Good to know

Results of the cookie consent benchmark study by etracker at a glance

  • Only 18% of websites have a legally compliant cookie consent banner.
  • The average consent rate for legally compliant consent design is only 17%.
  • The cookie consent rate varies greatly depending on the traffic source – on average by 28 percentage points.
  • Websites with more difficult rejection have an average bounce rate that is 8 percentage points higher. This costs conversions, sales and user satisfaction.

Updates 2023

  • An update of the study was carried out in June and November 2023 to show the latest changes. Accordingly, the average consent rate has fallen from 46% to 34% within around one year.

According to the Cookie Consent Benchmark Study, there are significant deviations in the banner concept for cookie consent. The design is constantly becoming more legally compliant.

Only 20 percent of the sites still make it difficult to refuse by only allowing this via a submenu. The proportion of those who use a “nudging strategy” and visually emphasize the consent option is also falling.

Example of unlawful design with more difficult rejection than consent

Example of unlawful design with unequal consent and rejection

These are the requirements of the supervisory authorities for the design of the consent dialogs with regard to the buttons:

1. Is rejection possible at the top level of the banner and therefore as easy as approval?

The requirement arises from Art. 7 para. 3 sentence 4 GDPR, but does not apply if consent is not possible at the highest level or the website can also be used without interaction with the banner*.

2. Are the buttons for approval and rejection equivalent and therefore not manipulative?

Although the supervisory authorities do not require the buttons to have a 100% identical design, they do require a “button that is comparable in terms of size, color, contrast and typeface” for the opt-out.* In addition, the opt-out button must not be visible only after scrolling, especially on mobile devices.

Result

Banners are becoming more and more legally compliant, but at the same time consent rates are falling. Another problem is the consent bias, i.e. the consent-related distortion of the data. This is because the consent rate for almost all websites varies greatly depending on the campaign and channel. This not only means that less data is available for campaign management. In fact, the little data available is useless if conversions are only measured from the sample of those who have consented.

As the cookie consent benchmark study shows, the consent rate or the proportion of recorded visits with cookies varies considerably depending on the source of origin or campaign. This results in systematic errors in the channel evaluation. On average, search engine advertising is overrated if data is only collected after consent has been given.

The cookie consent deviations can be found not only at medium level, but also at campaign and keyword level. If budgets and bids are adjusted based on such distorted data, the measures derived from them are likely to have the opposite of the intended effect. The biggest threat in online marketing is therefore not flying completely blind or having a slightly poorer view, but the systematic falsification of the database – also known as consent bias – due to the obligation to obtain consent. Against this backdrop, successful, data-driven marketing becomes a game of chance.

Consent bias

Consent bias and the consequences of the duty of consent

The obligation to obtain consent to cookies not only reduces the database, but also leads to considerable distortions. As a result, the measured conversion KPIs lose their value, as many marketers only see the data after cookie consent and not the entire spectrum. It is therefore unclear whether a high conversion rate results from effective ads or merely from a high consent rate. A strong consent bias impairs reliable online control and the understanding of user behavior and target groups. Such falsified data can mislead marketers. They do not provide a clear view of which regions visitors come from, which advertising campaigns effectively lead them to the website and whether they convert there. User behavior with regard to cookie consent is also unpredictable. In contrast to election surveys, where preferences change only slowly, a website visitor can decide spontaneously and inconsistently whether to consent to cookies. Data from such consent dialogs can therefore be arbitrary, the representativeness of the data samples is impaired and the resulting information becomes useless.

Conclusions from the cookie consent study

For many marketers, the topic of cookie consent seems to be a choice between plague and cholera. Highlighted accept buttons or more difficult rejections increase the cookie consent rates, but these are neither legally compliant nor evenly distributed. This consent bias ensures that all analyses are not meaningful and, in the worst case, even misleading. The solution is obvious: it would be best to be able to do without cookie consent. But is that even possible? We’ll tell you what’s important.

Even though consent banners are used on almost all websites and in many apps, they are not always necessary – not even when web analytics services are used!

The good news is that some cookies are exempt from the obligation to obtain consent. For example, the storage of data on the user’s end devices or the reading of this information is permitted if it is absolutely necessary in order to provide a service requested by the user. These include security cookies, authentication cookies and temporary cookies for user input. Cookies for A/B testing, retargeting or tag management do not fall into this category. As these systems are not necessarily required for the operation of a website from the user’s perspective, cookie consent must be obtained for their use.

There are basically two cases that require a cookie consent:

  1. If a website uses cookies that are not technically necessary or reads device data such as screen size or resolution. The technical necessity must be considered from the user’s point of view and not, for example, from the marketer’s point of view.
  2. If personal data is not processed in the mildest necessary form or “service providers also process data of the data subjects for their own purposes (e.g. to improve their own services or to create interest profiles).”* According to the supervisory authorities, this applies to the use of Google Analytics, so that prior consent is always required.

Conversely, users’ prior consent is therefore not required if the data processing is based on the overriding legitimate interest pursuant to GDPR Art. 6 para. 1 lit. f and no data is read from or stored on users’ end devices, except for necessary purposes.

Cookie consent – yes or no?

Consent-free

Cookies are consent-free because they are absolutely necessary if they serve one of the following purposes:
  • Authentication of the login
  • Recording of incorrect logins (load balancing/security cookies)
  • Short-term storage of user preferences (e.g. language settings)
  • Saving the consent setting
  • Temporary saving of the content of forms or shopping baskets

Mandatory consent

Cookies are subject to consent because they are not absolutely necessary if they belong to the following usage scenarios:
  • A/B testing
  • Affiliate marketing
  • Map services for location recognition or geotagging
  • Retargeting
  • Social media plugins
  • Tag management
  • Web analysis

According to the supervisory authorities, the criterion of “absolute necessity” must always be considered from the user’s perspective for the basic functions of the website or app and not from an economic perspective for the business model. Additional functions such as tag management, customer data management, affiliate marketing tracking, website personalization, A/B testing and web analytics are not part of the basic services. Cookies for website personalization may only be used without consent if the corresponding personalization functions are expressly requested or explicitly activated by visitors. The use of Enterprise Tag, Customer Experience or Customer Data Management solutions may also be associated with absolutely necessary purposes. However, all functions must be absolutely necessary in order to be able to classify a so-called multi-purpose cookie in this way according to the supervisory authorities:

“However, such a multi-purpose cookie can only be exempted from the consent requirement if the requirements of the exemption under Section 25 (2) No. 2 TTDSG are met for each individual purpose for which the cookie is used.”

(See https://www.datenschutzkonferenz-online.de/media/oh/20221130_OH_Telemedien_Version_1.1.pdf, p. 25)

An example of very questionable multi-purpose cookies classified as necessary can be found on douglas.de (as of 06.11.2023):

In particular, the comprehensive Adobe Experience Cloud, consisting of a store system, marketing automation, analytics and targeting, should be considered necessary from a marketing perspective at best. However, the user’s point of view must always be taken into account, and the principle applies: as soon as the services pursue purposes that are not necessary, consent is required.

If only absolutely necessary cookies are used and no data processing requiring consent is carried out, the cookie consent dialog can and should be avoided. However, a single non-required cookie or a use of data requiring consent is sufficient to make consent management necessary. From a legal point of view, there are some clear requirements.
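The multi-purpose rule and the "one cookie is enough" trigger described above can be checked mechanically against a cookie inventory. The following is an added example, not code from etracker or any consent management platform; the purpose keys, cookie names, the `userRequested` and `setBeforeConsent` fields and the inventory itself are constructed for illustration, with the purpose lists mirroring the two lists on this page.

```javascript
// Purpose keys are constructed labels for the two lists on this page.
const CONSENT_FREE = new Set([
  "authentication", "security", "user_preference",
  "consent_storage", "form_or_basket",
]);
const CONSENT_REQUIRED = new Set([
  "ab_testing", "affiliate_marketing", "map_geolocation", "retargeting",
  "social_plugin", "tag_management", "web_analytics",
]);

// Personalization is exempt only when the visitor explicitly activated it.
function purposeIsExempt(purpose, cookie) {
  if (purpose === "personalization") return cookie.userRequested === true;
  return CONSENT_FREE.has(purpose);
}

// A multi-purpose cookie is exempt only if every single purpose is exempt.
// Cookies with no declared purpose, or with a purpose outside both lists,
// are reported as "unclassified" so they get a manual review.
function classifyCookie(cookie) {
  const purposes = cookie.purposes || [];
  const known = (p) =>
    p === "personalization" || CONSENT_FREE.has(p) || CONSENT_REQUIRED.has(p);
  const blocking = purposes.filter((p) => known(p) && !purposeIsExempt(p, cookie));
  const unknown = purposes.filter((p) => !known(p));
  let status = "consent_free";
  if (blocking.length > 0) status = "consent_required";
  else if (purposes.length === 0 || unknown.length > 0) status = "unclassified";
  return { name: cookie.name, status, blocking, unknown };
}

// One non-exempt cookie is enough to make consent management necessary.
// Non-exempt cookies that were observed before any consent decision are
// listed separately as findings (unclassified cookies are treated as
// non-exempt until reviewed).
function auditInventory(inventory) {
  const results = inventory.map(classifyCookie);
  const bannerNeeded = results.some((r) => r.status !== "consent_free");
  const setTooEarly = inventory
    .filter((c, i) => c.setBeforeConsent && results[i].status !== "consent_free")
    .map((c) => c.name);
  return { results, bannerNeeded, setTooEarly };
}

// Constructed sample inventory, e.g. the output of a manual cookie scan.
const SAMPLE_INVENTORY = [
  { name: "session_id", purposes: ["authentication"], setBeforeConsent: true },
  { name: "lang", purposes: ["user_preference"], setBeforeConsent: true },
  { name: "exp_suite", setBeforeConsent: true,
    purposes: ["form_or_basket", "web_analytics", "retargeting"] },
  { name: "ab_bucket", purposes: ["ab_testing"], setBeforeConsent: false },
  { name: "theme", purposes: ["personalization"], userRequested: true,
    setBeforeConsent: true },
  { name: "reco", purposes: ["personalization"], userRequested: false,
    setBeforeConsent: true },
  { name: "legacy", purposes: [], setBeforeConsent: false },
];

const report = auditInventory(SAMPLE_INVENTORY);
for (const r of report.results) {
  console.log(`${r.name}: ${r.status}`, r.blocking.join(",") || "-");
}
console.log("banner needed:", report.bannerNeeded);
console.log("set before consent but not exempt:", report.setTooEarly.join(", "));
```

In the sample, `exp_suite` carries one exempt purpose (basket storage) and two non-exempt ones, so the whole cookie falls under the consent requirement.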

Cookies for reach measurement: necessary or not?

On January 11, 2024, the Spanish data protection authority AEPD published guidelines on the “Use of cookies for reach measurement tools”. It describes (strict) conditions for exemption from consent. In a similar form, the French supervisory authority CNIL has defined rules for the exemption from the consent requirement for reach measurement and has even listed suitable solutions, including etracker analytics with special settings.

In Germany, the German supervisory authorities for online offerings of broadcasters (RDSK) have confirmed that purely statistical cookies are absolutely necessary. For the non-public sector, however, this position applies in the “Guidance from the supervisory authorities for telemedia providers” on pages 24 and 25:

“From the perspective of those responsible, it would be desirable if the supervisory authorities were to make a statement on whether, for example, reach measurement pursuant to Section 25 (2) No. 2 TTDSG may in principle be used without the consent of the end users of a website. For several reasons, no such statements can be found in this guidance.” In the explanatory memorandum, the supervisory authorities point out in particular that modern web analytics offers many additional functions, such as e-commerce and campaign tracking, which go beyond the scope of mere reach measurement. In this respect, it is recommended to use analytical or statistical cookies in Germany only with consent.

In particular, the following criteria must be met if consent to the use of cookies or tracking services on the website is to be legally effective:

The design of the dialogs:

  1. A clear confirming action such as a button click is required. Purposes or services requiring consent must not already be ticked or activated.
  2. Rejection must not be associated with greater expense than approval. If approval is possible at the top level of the dialog, rejection must also be possible there and must not require more clicks.
  3. The buttons must be designed equally in terms of size, position, contrast and color. In particular, text links versus buttons are not equivalent.
  4. A granular decision must be possible for different purposes, i.e. no all or nothing. In practice, you will therefore find categories such as statistics, marketing, personalization and functional to choose from.
  5. The consent given by the user must be documented and retained as a legally valid document.
  6. Access to the privacy policy and detailed cookie information must also be possible without a consent decision. It is therefore best not to display the consent banner there.
  7. Users must be able to revoke their cookie consent just as easily as they have given it. Hovering icons above the web pages, which call up the consent dialog again when clicked, or a suitable link in the web page footer have proven their worth.
  8. Consent must be given again after 12 months at the latest or if the cookies or services used change. Users must not be “penalized” in the event of rejection by the consent banner appearing again with every page view or by other disadvantages.

On the content design:

  1. If only cookies are mentioned, no consent to processing operations in accordance with the GDPR can be assumed. This is to be feared with this button labeling.
  2. General phrases about the purposes are not sufficient, e.g: “Cookies help in many ways to make your visit to our website easier, more enjoyable and more meaningful.” Or: “This website uses cookies to give you the best experience.”
  3. Detailed information on the cookies and services must be provided, including purpose, provider, duration and to whom they may be passed on.
  4. The buttons must be clearly labeled so that users can foresee the consequences. This may not be 100% clear in this example.

The requirements for cookie banners are very clearly formulated by law and by supervisory authorities. With the right consent management tools, implementation is not rocket science, as these two positive examples show:

When designing the consent dialog, it is not only about complying with legal requirements, but also about increasing the trust of visitors. By designing their consent banners in compliance with the law and providing transparent information, websites and apps can show that they take data protection seriously and protect the privacy of their users.

A consent management platform (CMP) or consent manager is software that helps companies to obtain consent from website visitors to cookies and services requiring consent, to manage cookies according to the visitor’s preferences and to document this consent. Because people often miss updating the consent settings for newly implemented services, consent managers sometimes offer scan functions and automatic blockers. However, these automatisms are not 100% reliable and can have negative effects if the desired functions are impaired.

In particular, a professional CMP does not automatically ensure legal compliance, as CMPs also allow the improper categorization of cookies, inadequate information and manipulative designs. The German supervisory authorities are therefore issuing a warning:

Note

“Note: Use of consent management platforms

Consent management platforms (CMP), which are offered by numerous companies, are increasingly being used to implement a comprehensive consent solution. They often advertise that by using their tool, legally compliant consent is obtained on the website. However, whether this is actually the case depends largely on the specific use of the CMP and the exact processes on the respective telemedia service. Website operators have numerous configuration options, so that the use of CMPs alone does not automatically result in legally compliant consent being obtained. The responsibility for the effectiveness of the consent obtained remains with the respective provider of the telemedia service.”

(Guidance from the supervisory authorities for telemedia providers from December 1, 2021, page 18)

Legally compliant cookie consents generally lead to very low consent rates. The equivalent button design alone can lead to significant losses of ten or more percentage points. This means that the marketing and analysis functions that depend on consent can no longer be maintained and reliable conclusions can no longer be drawn from the data.

Cookie-less and consent-free or consent-independent tracking promises a way out of the dilemma. However, there are various pitfalls to consider in order to fulfill all legal requirements and at the same time enable modern data-driven marketing.

Cookieless tracking refers to the collection of website and campaign data without the use of cookies or fingerprinting requiring consent. With this method, all website interactions such as campaign origin, page views, click events and paths, scroll depth and form abandonment as well as technical details such as devices used, browser and language settings can be recorded and analyzed.

The federal and state data protection supervisory authorities have confirmed that the TTDSG does not apply in this case:

“Access requires a targeted transmission of browser information that is not initiated by the end user. If only information, such as browser or header information, is processed, which is transmitted inevitably or due to (browser) settings of the end device when a telemedia service is called up, this is not to be regarded as ‘access to information already stored in the terminal equipment’.”

(See https://www.datenschutzkonferenz-online.de/media/oh/20221130_OH_Telemedien_Version_1.1.pdf, p. 7)

But beware!

Cookie-less tracking alone is not sufficient to be exempt from the consent requirement. For this purpose, the data processing must also be designed in such a data protection-friendly way that it can be used under the overriding legitimate interest. On July 4, 2023, the European Court of Justice (ECJ) specified the five criteria for the overriding legitimate interest in the case of Meta v. Bundeskartellamt (Case C-252/21):

  1. The person responsible must have a genuine interest.
  2. No milder comparable solution may exist.
  3. Further processing beyond the intended purpose must be excluded.
  4. The reasonable expectations of the persons concerned must not be violated.
  5. Compliance with 1.-4. must be verifiable.

When using Google Analytics, at best the first criterion can be fulfilled. Therefore, according to the assessment of the supervisory authorities, legitimate interest is not a legal basis for the use of Google Analytics, regardless of possible configurations.

Google’s new consent mode will gradually become mandatory for the use of Google services in 2024. It comes in two variants with a significant difference:

  • Basic mode: Google tags are only fired after consent has been given.
  • Advanced mode: Tags are also fired without consent, but do not set cookies. The data transfer is virtually unchanged – even if the term “pings” is used to play it down – and is therefore by no means consent-free. By default, even the screen size is transmitted, which is only permitted with consent in accordance with the TTDSG. Only during further processing is the data handled in a restricted manner if consent is rejected, and conversions are only extrapolated. Under data protection law, however, collection is also processing and not just storage!

Data protection experts are therefore particularly critical of Advanced Mode. More information on Google Consent Mode v2 can be found in Markus Baersch’s article “Consent Mode 2.0 FAQ”.

Independently confirmed as consent-free: etracker analytics in standard mode

etracker’s web analysis solution has been tested in an independent audit, certified and awarded the ePrivacyseal data protection seal of approval. The test result certifies that no consent is required in cookie-less mode:

“[…] Based on our detailed examination, we consider the data processing at etracker Analytics […] to be justified by the legal basis of Art. 6 para. 1 lit. f) GDPR (legitimate interest). In cookie-less mode (standard mode), the use of etracker Analytics is lawful under the GDPR and TTDSG without any requirement for consent.”

ePrivacy

Truly privacy-friendly cookie-less tracking – as with etracker analytics – frees you from the obligation to obtain consent and thus prevents consent-related data loss and data distortion.

This is why data protection-friendly hybrid tracking is particularly popular with marketers. This is because it combines the best of both worlds: cookie-based tracking and cookie-less tracking in parallel in a hybrid model. Compared to an exclusively cookie-based solution, this offers the advantage that if statistical cookies are rejected, tracking can be carried out without them and thus without data loss. Return rates and 30-day journeys can even be recorded for the proportion of users who accept cookies. The consent banner therefore only controls the choice of tracking mode – with or without cookies – and not whether tracking may take place at all.

Cookie consent is a critical issue for website operators and marketers. The legal requirements are now very clear and violations are risky. They can be uncovered very easily. And they also reduce the trust of website visitors. Manipulative consent nudging is still widespread, but in decline. After all, a data strategy based on “trickery” cannot be regarded as serious and sustainable. Anyone who adheres to the design guidelines must expect a high rejection rate. However, this only leads to high data loss and data distortion when using solutions that require consent, such as Google Analytics. What is sustainable, however, is the orientation of all technologies and measures towards the independence of consent. This enables 100% legal compliance with reliable data quality, ensures a reliable basis for targeted online control and at the same time protects the privacy of visitors. A win-win situation for website operators and website users!

* https://www.datenschutzkonferenz-online.de/media/oh/20221205_oh_Telemedien_2021_Version_1_1_Vorlage_104_DSK_final.pdf

Update 2023

  • Within around a year, the average consent rate has fallen from 46% to 35%.