Why legalweb is one of the TOP GDPR solutions 

Since the end of 2019, website operators have come to realize that third-party services can generally only be used with the prior consent of the website user.

The tools place maximum value on legally correct implementation. We do not offer features that are legally highly controversial or even illegal. But what does that mean in concrete terms?

Lawyer Peter Harlander, co-founder of and data protection expert, shows in this article what the courts and data protection authorities believe is important when it comes to cookie pop-ups and data protection declarations:


Cookies vs. data processing

The term “cookie pop-up” is misleading. Website operators must ensure that consent covers not only the setting of cookies that require consent, but also all processing operations that require consent, such as tracking users with web beacons or browser fingerprinting.

Applicable law

Despite the GDPR, there are legal differences between the EU countries. For example, Austria has fully implemented the E-Privacy Directive, while Germany has not. The cookie pop-up and privacy policy must take these differences into account. Which law applies depends on the seat of the website operator.


The cookie pop-up and privacy policy must be available in all website languages. This generally applies to all legal texts on a website.

Imprint & Data Protection

The links to the imprint and the data protection declaration must also be retrievable before consent is given, especially in the case of a cookie banner designed as an overlay.

In addition, the website operator must ensure that these pages are not blocked by the cookie banner and that no third-party data is collected when these pages are accessed.

No data processing before consent is given

The website operator must ensure that, when the website is loaded, only the website user's data that is essential for the operation of the website is processed.

In particular, data processing by external services (e.g. analysis tools, remarketing tools, video services, map services) may only take place with the prior, informed, clear and voluntary consent of the website user.

Likewise, local services may require consent if their level of intrusion warrants it (e.g. profiling, user-specific content, mouse tracking).


Clear, non-misleading texts

Mere expressions of respect such as “We take the protection of your personal data very seriously…” are not sufficient to comply with legal regulations. The website user must recognize that consent under data protection law is required for the processing of personal data.

At first glance

At first glance, the website user must at least be able to see who is responsible for the website, which services are integrated into the website, which companies operate these services and whether data is being transferred to third countries. This information must therefore not be hidden in detail pages.

All details

The website user must be able to recognize the scope of the data processing and of their consent. The information required for this is very extensive, so it does not have to be visible at first glance, but it must not be more than a click away, e.g. behind an “All details” button.

Necessary minimum information:

Checkboxes & Buttons

Proactive Consent

The phrase “By continuing to surf, you agree to the data processing”, which is still often seen, is illegal. Merely continuing to surf does not constitute legally valid consent.

Consent must be given through proactive action by the website user (e.g. actively ticking an empty checkbox).

No preselection

The checkboxes must therefore be preset to “not activated”.

Individually selectable

Each service must be individually selectable. Similar services can be segmented into groups and selected together, as long as these services can still be selected individually.

Hiding the choice on a second level is not enough. The selection of individual services must be just as easy as consent to all services. If the user has to make one more click to get to the selection, that’s already illegal.

Exception: essential services

Services that are absolutely technically necessary for the operation of a website do not require consent and therefore do not require a separate selection option.

Thinking it through to the end, this means: a website that only has essential services does not need a cookie pop-up.


An equivalent graphic design of the “Agree button” and the “Reject button” is a prerequisite for legally compliant consent.

Psycho tricks

Psychological tricks like a bright green “Agree button” with a light gray “Reject button” on a light gray background or even with a tiny, barely visible “Reject link” are illegal.

Refusal to give consent

Refusing to give consent should be as easy as clicking the “Reject” button, clicking “Close (X)” or clicking the gray overlay next to the cookie banner.


Possibility of revocation

Since consent can be revoked, a corresponding revocation option must be implemented. Withdrawal of consent must be possible at any time and as simple as the consent itself.

Ideally, the cookie pop-up is loaded again so that the website user can change their settings.

Consequences of revocation

After revocation of the consent, the data processing must be stopped and the services deactivated.

Ideally, the page is reloaded so that the services are no longer running and no new data is collected. If the services only process the data anonymously, nothing further is required.

Data protection


The website’s privacy policy and the “Full details” texts of the cookie pop-up must be precisely aligned. Ideally, the cookie banner and the privacy policy are generated using the same tool.


The website user’s information about the data processing must not be “outsourced” by linking to the data protection declaration. Links to other data protection declarations are therefore of no use.


Data protection law is extremely complex – we make it easy for you

Test now for 14 days free of charge

Make your website legally secure today!
