
The 3 most common mistakes with cookie banners


by Katrin Nebermann

Despite clearly formulated requirements from the supervisory authorities, many cookie banners are not designed in compliance with the law. Website operators therefore run the risk of receiving cease-and-desist warnings.

The fact that data protection authorities and consumer advice centers have cookie banners in their sights is shown, for example, by an investigation by the Rhineland-Palatinate consumer advice center, which led to warnings being issued to and the company Deichmann, among others.

In order to avoid sanctions, these three frequently encountered shortcomings should definitely be remedied:

1. No possibility of rejection at the first level

According to Art. 7 GDPR, withdrawing consent (refusing it) must be just as simple as giving it. Rejection must therefore not be made more difficult than consent, for example by requiring more clicks.

Example of an unlawful consent banner with difficult opt-out option:

2. Highlighting the consent button

If differences in the visual design of the buttons are intended to “entice” users into giving their consent, this is known as “nudging”. The data protection authorities are clearly against this:

“In connection with the consent layer on websites, nudging is used to “nudge” the user to give consent: For example, in consent windows, the “Agree” option is often designed to be more noticeable compared to the “Decline” option – through color, font style and other highlighting. For example, the “Agree” button is designed in green or blue with white bold font and the “Disagree” button in gray with white standard font.”
(Source: Guidance from the Lower Saxony data protection authority)

The head of the department responsible for telemedia at the Hamburg Commissioner for Data Protection and Freedom of Information, Ulrich Kühn, clarified this on request:

“There must be a visual and conceptual equivalence of the button for consent and the waiver of consent; this concerns both the findability/recognizability of both variants and the associated effort. We derive this from the legal concept of equivalence of consent and withdrawal in Art. 7 para. 3 sentence 4 GDPR. The evaluation criteria are, for example, color scheme, font (bold), font size, recognizability as a button or arrangement.”
(Source: Excerpt from an email from Head of Unit Ulrich Kühn dated March 19, 2021)

Example of an illegal consent banner with illegal “nudging”:

Status: 22.04.2021

3. Inadequate and misleading information

The head of the department responsible for telemedia at the Hamburg Commissioner for Data Protection and Freedom of Information, Ulrich Kühn, demands the following minimum information at the first level:

  • Specific purposes of processing and a link to detailed information
  • Individual profiling and enrichment with data from other websites to create comprehensive user profiles
  • Processing of data also outside the EEA
  • How many controllers are the data disclosed to
  • Identity of the controller (ECJ, Planet49, para. 75)

With regard to the transfer of personal data to the USA, for example, a simple notice is not enough; rather, according to Art. 49 GDPR, users must be informed “of the potential risks of such data transfers” before giving their consent. If US tools such as Google Analytics are used, this can be done with a warning of the following type:

“I am aware that when data is processed in the USA, rights guaranteed under European Union law may only be guaranteed to a limited extent. In particular, I am aware that US authorities can access data stored by Google about me without me being notified of this access. This access may mean that I may be denied entry to the USA or that I may be subject to other sanctions or further observation by US authorities.”

Example of an illegal consent banner with inadequate information and illegal nudging:

Status: 22.04.2021


Conclusion

It took some time for website operators to move away from implicit cookie banners that assumed consent from mere use of the website. Marketers will also have to say goodbye to nudging practices if they do not want to accept sanctions. However, this inevitably means that consent rates will drop significantly in the course of the legally compliant changeover. A sustainable data strategy therefore necessarily includes consent-independent tracking that complies with the supervisory authorities' requirements for consent-free web analytics. Read this article to find out how etracker analytics meets these requirements.
