Despite clearly formulated requirements from the supervisory authorities, many cookie banners are not designed in compliance with the law. Website operators therefore run the risk of receiving a formal warning.
That data protection authorities and consumer advice centres have cookie banners in their sights is shown, for example, by a review by the consumer advice centre in Rhineland-Palatinate, which led to warnings against chefkoch.de and the company Deichmann, among others.
In order to avoid sanctions, the following three frequently encountered abuses should definitely be remedied:
1. No possibility of refusal at the first level
According to Art. 7 GDPR, the withdrawal of consent (refusal) must be as easy as the consent itself. Rejection must therefore not be made more difficult than consent by requiring more clicks.
Example of an illegal consent banner with an obstacle to refusal:
2. Highlighting the consent button
If differences in the visual design of the buttons are intended to “seduce” users to consent, this is so-called “nudging”. Data protection authorities are clearly against this:
“In connection with the content layer on websites, nudging is used to “nudge” the user into giving consent: For example, in Consent windows, the “Agree” option is often designed in a more eye-catching way compared to the “Decline” option – through colour, font style and other highlighting. The button “Agree”, for example, is designed in green or blue with white bold font and the “Reject” button in grey with standard white font.”
(Source: Handout of the Lower Saxony data protection authority; translated by the author)
Ulrich Kühn, head of the unit responsible for telemedia at the Hamburg Commissioner for Data Protection and Freedom of Information, substantiates this when asked:
“There must be a visual and conceptual equivalence of the button for consent and the waiver thereof; this concerns both the discoverability/recognisability of both variants as well as the associated effort. We derive this from the legal concept of equivalence of consent and revocation in Article 7 (3) sentence 4 of the GDPR. The evaluation criteria are, for example, colouring, font (bold), font size, recognisability as a button or arrangement.”
(Source: Excerpt from an email from Ulrich Kühn dated 19 March 2021, translated by the author)
Example of an unlawful Consent Banner with illegal nudging:
3. Inadequate and misleading information
Ulrich Kühn, head of the unit responsible for telemedia at the Hamburg Commissioner for Data Protection and Freedom of Information, demands the following minimum information at the first level:
- specific purposes of the processing as well as a link to detailed information
- individual profiling and enrichment with data from other websites to form comprehensive usage profiles
- processing of data also outside the EEA
- how many controllers the data will be disclosed to
- identity of the controller (ECJ on Planet49, para. 75)
Moreover, with regard to the transfer of personal data to the USA, for example, a simple notice is not sufficient; rather, according to Art. 49 GDPR, users must be informed “of the potential risks to them of such data transfers” prior to giving their consent. This can be done with a warning of this kind if Google Analytics is used:
“I am aware that in the case of data processing in the USA, rights guaranteed under European Union law may only be guaranteed to a limited extent. In particular, I am aware that US authorities may access data stored about me by Google without notifying me of this access. This access may result in me being denied entry to the US or facing other sanctions or more extensive monitoring by US authorities.”
Example of an illegal consent banner with inadequate information and illegal nudging:
It took some time for website operators to say goodbye to implicit cookie banners that assumed consent from mere use of the website. Marketers will also have to say goodbye to nudging practices if they do not want to face sanctions. However, this inevitably means that consent rates will drop significantly in the course of the transition to legally compliant banners. A sustainable data strategy therefore necessarily includes consent-independent tracking that complies with the requirements for consent-free web analysis set by the supervisory authorities. This article explains how etracker Analytics meets these requirements.