Since the end of 2019, website operators have come to realize that third-party services can generally only be used with the prior consent of the website user.
The legalweb.io tools place maximum value on legally correct implementation. We do not offer features that are legally highly controversial or even illegal. But what does that mean in concrete terms?
Lawyer Peter Harlander, co-founder of legalweb.io and data protection expert, shows in this article what the courts and data protection authorities believe is important when it comes to cookie pop-ups and data protection declarations:
Basics
Cookies vs. data processing
The term “cookie pop-up” is misleading. Website operators must ensure that the consent covers not only the setting of cookies that require consent, but also all processing operations that require consent, such as tracking users by means of web beacons or browser fingerprinting.
Applicable law
Despite the GDPR, there are legal differences between the EU countries. For example, Austria has fully implemented the ePrivacy Directive, while Germany has not. The cookie pop-up and privacy policy must take these differences into account. Which law applies depends on the registered seat of the website operator.
Languages
The cookie pop-up and privacy policy must be available in all website languages. This generally applies to all legal texts on a website.
Imprint & data protection
The links to the imprint and the data protection declaration must also be retrievable before consent is given, especially in the case of a cookie banner designed as an overlay.
In addition, the website operator must ensure that these pages are not blocked by the cookie banner and that no third-party data is collected when these pages are accessed.
No data processing before consent is given
The website operator must ensure that when the website is called up, only the data of the website user that is essential for the operation of the website is processed.
In particular, data processing by external services (e.g. analysis tools, remarketing tools, video services, map services) may only take place with the prior, informed, clear and voluntary consent of the website user.
Likewise, locally operated services may require consent depending on how intrusive they are (e.g. profiling, user-specific content, mouse tracking).
Implementation
Clear, non-misleading texts
Mere reassurances such as “We take the protection of your personal data very seriously…” are not sufficient to comply with the legal requirements. The website user must be able to recognize that consent under data protection law is required for the processing of personal data.
At first glance
At first glance, the website user must at least be able to see who is responsible for the website, which services are integrated into the website, which companies operate these services and whether data is being transferred to third countries. This information must therefore not be hidden in detail pages.
All details
The website user must be able to recognize the scope of the data processing and of their consent. The information required for this is very extensive, so it does not have to be visible at first glance, but it must not be more than one click away, e.g. behind an “All details” button.
Necessary minimum information:
- Purpose of processing
- Duration of processing
- Legal basis of processing
- Contact details of the joint controller or processor
- Consequences of not consenting
- Legal basis for any transfer to third countries
Checkboxes & Buttons
Proactive Consent
The still frequently seen phrase “By continuing to surf, you agree to the data processing” is illegal. Merely continuing to surf does not constitute legally valid consent.
Consent must be given through proactive action by the website user (e.g. actively ticking an empty checkbox).
No preselection
The checkboxes must therefore be preset to “not activated”.
Individually selectable
Each service must be individually selectable. Similar services can be segmented into groups and selected together, as long as these services can still be selected individually.
Hiding the choice on a second level is not enough. The selection of individual services must be just as easy as consent to all services. If the user has to make one more click to get to the selection, that’s already illegal.
Exception: essential services
Services that are absolutely technically necessary for the operation of a website do not require consent and therefore do not require a separate selection option.
Thinking it through to the end, this means: a website that only has essential services does not need a cookie pop-up.
Buttons
An equivalent graphic design of the “Agree button” and the “Reject button” is a prerequisite for legally compliant consent.
Psychological tricks
Psychological tricks like a bright green “Agree button” with a light gray “Reject button” on a light gray background or even with a tiny, barely visible “Reject link” are illegal.
Refusal to give consent
Refusing to give consent should be as easy as clicking the “Reject” button, clicking “Close (X)”, or clicking the gray overlay next to the cookie banner.
Revocation
Possibility of revocation
Since consent can be revoked, a corresponding revocation option must be implemented. Withdrawal of consent must be possible at any time and as simple as the consent itself.
Ideally, the cookie pop-up is loaded again so that the website user can change their settings.
Consequences of revocation
After revocation of the consent, the data processing must be stopped and the services deactivated.
Ideally, a page reload occurs so that the services are no longer running and no new data is collected. If the services only process data anonymously, nothing further is required.
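The rules above on loading nothing before consent, on unchecked and individually selectable services, on the exemption for essential services, and on revocation, as an added JavaScript example that is not legalweb.io's code. The service names and groups are constructed for illustration; the consent state is modelled without a DOM so the gate can be tested on its own:

```javascript
// Added example (not legalweb.io's code). Service registry is constructed.
const SERVICES = {
  session: { essential: true },                      // needed to run the site
  analytics: { essential: false, group: "statistics" },
  remarketing: { essential: false, group: "marketing" },
  videoEmbed: { essential: false, group: "media" },
};

// No preselection: before any user action only essential services are active.
function initialConsent() {
  const consent = {};
  for (const [name, svc] of Object.entries(SERVICES)) consent[name] = !!svc.essential;
  return consent;
}

// A banner is needed only if at least one consent-requiring service is registered.
function bannerRequired() {
  return Object.values(SERVICES).some((svc) => !svc.essential);
}

// Proactive consent for individually named services; unknown names are ignored.
function grant(consent, names) {
  const next = { ...consent };
  for (const n of names) if (n in SERVICES) next[n] = true;
  return next;
}

// Group consent is a convenience on top of per-service choice, never a replacement.
function grantGroup(consent, group) {
  const members = Object.keys(SERVICES).filter((n) => SERVICES[n].group === group);
  return grant(consent, members);
}

// Revocation: returns the new state and the running services that must stop.
// Essential services cannot be revoked. A third-party script that is already
// executing cannot be reliably unloaded, so stopping one requires a reload.
function revoke(consent, names, running) {
  const next = { ...consent };
  for (const n of names) if (n in SERVICES && !SERVICES[n].essential) next[n] = false;
  const toStop = running.filter((n) => consent[n] && !next[n]);
  return { consent: next, toStop, reloadRequired: toStop.length > 0 };
}

// The gate: only services listed here may be loaded with the current consent.
function loadable(consent) {
  return Object.keys(SERVICES).filter((n) => consent[n] === true);
}
```

In a real page the script loader would consult `loadable()` before inserting any third-party tag, and a revocation with `reloadRequired` set would trigger the reload described above.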
Data protection
Consistency
The website’s privacy policy and the “Full details” texts of the cookie pop-up must be precisely aligned. Ideally, the cookie banner and the privacy policy are generated using the same tool.
Links
The information owed to the website user about the data processing must not be “outsourced” by merely linking to the data protection declaration. Links to other data protection declarations are therefore of no use.
Conclusion
Data protection law is extremely complex – we make it easy for you