Since the end of 2019, website operators have come to realize that third-party services can generally only be integrated with the prior consent of the website user.
The legalweb.io tools place maximum value on legally correct implementation. We do not offer features that are legally highly controversial or even illegal. But what does that mean in concrete terms?
Lawyer Peter Harlander, co-founder of legalweb.io and data protection expert, shows in this article what the courts and data protection authorities believe is important when it comes to cookie pop-ups and data protection declarations:
The term “cookie pop-up” is misleading. Website operators must ensure that the consent covers not only the setting of cookies that require consent, but every processing operation that requires consent, such as tracking users by means of web beacons or browser fingerprinting.
The links to the imprint and the data protection declaration must also be reachable before consent is given, especially when the cookie banner is designed as an overlay.
In addition, the website operator must ensure that these pages are not blocked by the cookie banner and that no data is collected by third parties when these pages are accessed.
The website operator must ensure that when the website is called up, only the data of the website user that is essential for the operation of the website is processed.
In particular, data processing by external services (e.g. analysis tools, remarketing tools, video services, map services) may only take place with the prior, informed, clear and voluntary consent of the website user.
Likewise, first-party (locally hosted) services may require consent if they are sufficiently intrusive (e.g. profiling, user-specific content, mouse tracking).
Mere expressions of respect such as “We take the protection of your personal data very seriously…” are not sufficient to comply with legal regulations. The website user must recognize that consent under data protection law is required for the processing of personal data.
At a glance, the website user must at least be able to see who is responsible for the website, which services are integrated into it, which companies operate these services and whether data is being transferred to third countries. This information must therefore not be hidden on detail pages.
The website user must be able to recognize the scope of the data processing and of their consent. The information required for this is very extensive, so it does not have to be visible at a glance, but it must not be more than one click away, e.g. behind an “All details” button.
The still often read phrase “By continuing to surf, you agree to the data processing” is illegal. Merely continuing to surf does not constitute a legally valid consent.
Consent must be given through proactive action by the website user (e.g. actively ticking an empty checkbox).
The checkboxes must therefore be preset to “not activated”.
Each service must be individually selectable. Similar services can be segmented into groups and selected together, as long as these services can still be selected individually.
Hiding the choice on a second level is not enough. The selection of individual services must be just as easy as consent to all services. If the user has to make one more click to get to the selection, that’s already illegal.
Services that are absolutely technically necessary for the operation of a website do not require consent and therefore do not require a separate selection option.
Thinking it through to the end, this means: a website that only has essential services does not need a cookie pop-up.
An equivalent graphic design of the “Agree button” and the “Reject button” is a prerequisite for legally compliant consent.
Psychological tricks like a bright green “Agree button” with a light gray “Reject button” on a light gray background or even with a tiny, barely visible “Reject link” are illegal.
Refusing consent must be just as easy as giving it: clicking the “Reject” button, clicking “Close (X)” and clicking the gray overlay next to the cookie banner must each count as a refusal.
Since consent can be revoked, a corresponding revocation option must be implemented. Withdrawal of consent must be possible at any time and as simple as the consent itself.
Ideally, the cookie pop-up is loaded again so that the website user can change their settings.
After revocation of the consent, the data processing must be stopped and the services deactivated.
Ideally, the page is reloaded so that the services are no longer running and no new data is collected. If the services only ever processed the data anonymously, nothing further is required.
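The rules above (only essential services before consent, checkboxes preset to off, grouped but individually selectable services, imprint and privacy pages free of third-party loading, refusal by Reject/Close/overlay, and withdrawal that switches services off and triggers a reload) translate into a small piece of client-side state logic. The following is an added example written for this page; it is not legalweb.io code. The service ids, group names and page paths are constructed for illustration, and `shouldLoad` is where a real site would decide whether to insert a third-party script tag at all.

```javascript
// Added example, not legalweb.io's own code: a framework-free model of a
// consent-gated service loader following the rules in this article.
// Service ids, group names and page paths are constructed for the example.

const SERVICES = Object.freeze([
  { id: "session",     group: "essential",  essential: true  },
  { id: "analytics",   group: "statistics", essential: false },
  { id: "remarketing", group: "marketing",  essential: false },
  { id: "video",       group: "media",      essential: false },
  { id: "maps",        group: "media",      essential: false },
]);

// Pages that must stay reachable and free of third-party loading before consent.
const FIRST_PARTY_ONLY_PATHS = new Set(["/imprint", "/privacy"]);

// A site that registers only essential services needs no banner at all.
function needsBanner(services = SERVICES) {
  return services.some((s) => !s.essential);
}

// Initial state: essential services on, everything else "not activated".
function initialState(services = SERVICES) {
  const state = {};
  for (const s of services) state[s.id] = s.essential;
  return state;
}

// Expand a selection of service ids and/or group names to service ids, so a
// group can be ticked together while each service stays individually selectable.
// Essential services are never part of a selection: they need no consent.
function expandSelection(selection, services = SERVICES) {
  const ids = new Set();
  for (const item of selection) {
    for (const s of services) {
      if (!s.essential && (s.id === item || s.group === item)) ids.add(s.id);
    }
  }
  return ids;
}

// Consent only ever results from an explicit selection; nothing is implied.
function grant(state, selection, services = SERVICES) {
  const next = { ...state };
  for (const id of expandSelection(selection, services)) next[id] = true;
  return next;
}

// Withdrawal at the same granularity as consent; with no selection, revoke all.
// Scripts already running cannot be unloaded reliably, so a reload is requested
// whenever something was actually switched off.
function revoke(state, selection, services = SERVICES) {
  const ids = selection
    ? expandSelection(selection, services)
    : new Set(services.filter((s) => !s.essential).map((s) => s.id));
  const next = { ...state };
  const deactivated = [];
  for (const id of ids) {
    if (next[id]) deactivated.push(id);
    next[id] = false;
  }
  return { state: next, deactivated, reload: deactivated.length > 0 };
}

// Map each banner interaction to its effect. "Continue browsing" is deliberately
// absent: it is not a consent action. Close and overlay click count as refusal.
function applyBannerAction(state, action, selection = [], services = SERVICES) {
  switch (action) {
    case "accept_all":      return grant(state, services.map((s) => s.group), services);
    case "accept_selected": return grant(state, selection, services);
    case "reject":
    case "close":
    case "overlay_click":   return revoke(state, undefined, services).state;
    default: throw new Error(`unknown banner action: ${action}`);
  }
}

// Load-time decision: may this service run on this page under this state?
function shouldLoad(state, id, path, services = SERVICES) {
  const svc = services.find((s) => s.id === id);
  if (!svc) return false;                                // unregistered: never load
  if (svc.essential) return true;                        // no consent needed
  if (FIRST_PARTY_ONLY_PATHS.has(path)) return false;    // imprint/privacy stay third-party free
  return state[id] === true;
}

// Walk-through of a constructed visit.
let state = initialState();
console.log(needsBanner(), shouldLoad(state, "analytics", "/"));                        // true false
state = applyBannerAction(state, "accept_selected", ["media"]);
console.log(shouldLoad(state, "video", "/"), shouldLoad(state, "video", "/privacy"));   // true false
console.log(revoke(state, ["video"]).reload);                                           // true
```

The state object is what a site would persist (in a first-party cookie or local storage) and reread on every page load; the banner should be reopened from a permanent link so that `grant` and `revoke` remain one click away after the first decision.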
The information the website user needs about the data processing must not be “outsourced” by merely linking to the data protection declaration. Links to other data protection declarations are therefore no substitute for it.
Data protection law is extremely complex – we make it easy for you