
Since the end of 2019, website operators have come to realize that third-party services can generally only be carried out with the prior consent of the website user.

The legalweb.io tools place maximum value on legally correct implementation. We do not offer features that are legally highly controversial or even illegal. But what does that mean in concrete terms?

Lawyer Peter Harlander, co-founder of legalweb.io and data protection expert, shows in this article what the courts and data protection authorities believe is important when it comes to cookie pop-ups and data protection declarations:

Basics

Cookies vs. data processing

The term “cookie pop-up” is misleading. Website operators must ensure that the consent covers not only the setting of cookies that require consent, but also every processing operation that requires consent, such as tracking users by means of web beacons or browser fingerprinting.

Applicable law

Despite the GDPR, there are legal differences between the EU countries. For example, Austria has fully implemented the E-Privacy Directive, while Germany has not. Cookie pop-up and privacy policy must take these differences into account. Which law applies depends on the seat of the website operator.

Languages

The cookie pop-up and privacy policy must be available in all website languages. This generally applies to all legal texts on a website.

Imprint & data protection

The links to the imprint and to the data protection declaration must be reachable even before consent is given, especially when the cookie banner is designed as an overlay.

In addition, the website operator must ensure that these pages are not blocked by the cookie banner and that no third-party data is collected when these pages are accessed.

The website operator must ensure that when the website is called up, only the data of the website user that is essential for the operation of the website is processed.

In particular, data processing by external services (e.g. analysis tools, remarketing tools, video services, map services) may only take place with the prior, informed, clear and voluntary consent of the website user.

Likewise, locally operated services may require consent if they intrude sufficiently into the user’s privacy (e.g. profiling, user-specific content, mouse tracking).

Implementation

Clear, non-misleading texts

Mere expressions of respect such as “We take the protection of your personal data very seriously…” are not sufficient to comply with legal regulations. The website user must recognize that consent under data protection law is required for the processing of personal data.

At first glance

At first glance, the website user must at least be able to see who is responsible for the website, which services are integrated into the website, which companies operate these services and whether data is being transferred to third countries. This information must therefore not be hidden on detail pages.

All details

The website user must be able to recognize the scope of the data processing and of their consent. The information required for this is very extensive, so it does not have to be visible at first glance, but it must not be more than one click away, e.g. behind an “All details” button.

Necessary minimum information:

  • Purpose of processing
  • Duration of processing
  • Legal basis of processing
  • Contact details of the joint controller or processor
  • Consequences of non-consent
  • Legal basis for any transmission to third countries

Checkboxes & Buttons

The phrase “By continuing to surf, you agree to the data processing”, which is still seen frequently, is illegal. Merely continuing to surf does not constitute legally valid consent.

Consent must be given through proactive action by the website user (e.g. actively ticking an empty checkbox).

No preselection

The checkboxes must therefore be preset to “not activated”.

Individually selectable

Each service must be individually selectable. Similar services can be segmented into groups and selected together, as long as these services can still be selected individually.

Hiding the choice on a second level is not enough. The selection of individual services must be just as easy as consent to all services. If the user has to make one more click to get to the selection, that’s already illegal.

Exception: essential services

Services that are absolutely technically necessary for the operation of a website do not require consent and therefore do not require a separate selection option.

Thinking it through to the end, this means: a website that only has essential services does not need a cookie pop-up.

Buttons

An equivalent graphic design of the “Agree button” and the “Reject button” is a prerequisite for legally compliant consent.

Psychological tricks

Psychological tricks like a bright green “Agree button” with a light gray “Reject button” on a light gray background or even with a tiny, barely visible “Reject link” are illegal.

Refusing to give consent should be as easy as clicking the “Reject” button, clicking “Close (X)” and clicking the gray overlay next to the cookie banner.

Revocation

Possibility of revocation

Since consent can be revoked, a corresponding revocation option must be implemented. Withdrawal of consent must be possible at any time and as simple as the consent itself.

Ideally, the cookie pop-up is loaded again so that the website user can change their settings.

Consequences of revocation

After revocation of the consent, the data processing must be stopped and the services deactivated.

Ideally, a page reload occurs so that the services are no longer running and no new data is collected. If the services only ever processed the data anonymously, nothing further needs to be done.
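The rules from the “Implementation” and “Revocation” sections above can be turned into a small consent-state model. The following is an added example written for this page and not legalweb.io’s own code; the service catalogue (ids, names, groups) is constructed for illustration. It enforces that nothing non-essential is loaded before an explicit opt-in, that every non-essential checkbox starts unchecked, that services can be selected individually or by group, that essential services need no consent (and a site with only essential services needs no banner), and that revocation switches services off again.

```javascript
// Added example (not legalweb.io code): a consent-state model for a cookie pop-up.
// All service names and purposes below are constructed for the example.

// Hypothetical service catalogue. Only "session" is strictly necessary.
const SERVICES = [
  { id: 'session',   name: 'Session cookie',    essential: true,  thirdCountry: false, group: 'essential' },
  { id: 'analytics', name: 'Example Analytics', essential: false, thirdCountry: true,  group: 'statistics' },
  { id: 'maps',      name: 'Example Maps',      essential: false, thirdCountry: true,  group: 'media' },
  { id: 'video',     name: 'Example Video',     essential: false, thirdCountry: true,  group: 'media' },
];

// Initial state: every non-essential service is opted out ("no preselection").
// Essential services are always on and never appear as a choice.
function initialConsent(services = SERVICES) {
  const state = {};
  for (const s of services) state[s.id] = s.essential;
  return state;
}

// A banner is only required when at least one service actually needs consent.
function bannerRequired(services = SERVICES) {
  return services.some((s) => !s.essential);
}

// Apply a user choice. Unknown ids are rejected, essential services cannot be
// deselected, and anything other than an explicit `true` counts as a refusal.
function applyChoice(state, choices, services = SERVICES) {
  const byId = new Map(services.map((s) => [s.id, s]));
  const next = { ...state };
  for (const [id, granted] of Object.entries(choices)) {
    const svc = byId.get(id);
    if (!svc) throw new Error(`unknown service: ${id}`);
    if (svc.essential) continue;
    next[id] = granted === true;
  }
  return next;
}

// "Agree to all" and "Reject all" must be equally easy: each is a single action.
function acceptAll(state, services = SERVICES) {
  return applyChoice(state, Object.fromEntries(services.map((s) => [s.id, true])), services);
}
function rejectAll(state, services = SERVICES) {
  return initialConsent(services);
}

// Group selection for similar services; individual ids still work via applyChoice.
function selectGroup(state, group, granted, services = SERVICES) {
  const ids = services.filter((s) => s.group === group).map((s) => s.id);
  return applyChoice(state, Object.fromEntries(ids.map((id) => [id, granted])), services);
}

// Revocation of individual services. The caller is expected to reload the page
// afterwards so that already-running third-party scripts really stop.
function revoke(state, ids, services = SERVICES) {
  return applyChoice(state, Object.fromEntries(ids.map((id) => [id, false])), services);
}

// The script loader only ever sees the services the user has opted into.
function servicesToLoad(state, services = SERVICES) {
  return services.filter((s) => state[s.id] === true).map((s) => s.id);
}

// "At first glance" information: controller, integrated services, third-country transfers.
function firstGlanceSummary(controller, services = SERVICES) {
  return {
    controller,
    services: services.map((s) => s.name),
    thirdCountryTransfer: services.some((s) => s.thirdCountry),
  };
}

// Usage: before any consent only the essential service is loaded.
console.log(servicesToLoad(initialConsent()));           // ['session']
console.log(servicesToLoad(acceptAll(initialConsent()))); // all four ids
```

The important design choice is that `servicesToLoad` is the only path to the loader, so a third-party tag can never run from a state in which the user has not explicitly set its flag to `true`; a banner that pre-ticks boxes or treats “continue surfing” as consent has no way to express that in this model.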

Data protection

Consistency

The website’s privacy policy and the “Full details” texts of the cookie pop-up must be precisely aligned. Ideally, the cookie banner and the privacy policy are generated using the same tool.

The information owed to the website user about the data processing must not be “outsourced” by linking to a data protection declaration. Links to other data protection declarations therefore do not satisfy this requirement.

Conclusion

Data protection law is extremely complex – we make it easy for you
