Cookie Banner – the legal and technical background


Using cookie banners in compliance with data protection is one of the major challenges for website operators. If cookie banners are to be designed in accordance with the GDPR, website users must be able to agree to the processing of personal data or be able to reject it with the help of the cookie banner. But what do you have to consider if you want to use cookie banners or cookie consent banners? What rules apply to the use of cookies? What does the cookie banner text have to look like? How do cookie banners have to be designed technically and legally?

Cookie banner – personal data is saved

Cookies are used to process personal data. This means small pieces of text information are stored on the Internet user’s device. The user or his devices can be assigned individually in this way. This is used, for example, for tracking. With tracking, the behavior of the user is tracked. The IP address, the browser fingerprint or other criteria can be used for this tracking. Because personal data is processed, a cookie must comply with the GDPR. Data protection law applies here and the cookie banner text must also be designed accordingly.

What are cookies actually?

Cookies are basically text files that are stored by the provider of a website on the user’s computer or other end device. When you visit the website again, these text files are read out again in order to facilitate navigation in the network or transactions, and to analyze information about the behavior of website visitors. Examples of how cookies work are:

  • The website visitor is identified, recognized and receives customized advertising.
  • A user’s login data is saved so that they do not have to be re-entered when they visit again. This makes it easier to log back into Facebook, for example.
  • The products placed in the shopping cart are saved.
 

Basically, there are different types of cookies. The most important difference is that there are technically necessary and technically non-essential text files. These two variants are legally treated differently. Cookies that are essential for the operation of a website are considered technically necessary. Cookies are considered technically unnecessary if they are used to pursue economic interests. These include, for example:

  • Cookies from social media plugins (Twitter, Facebook, Google+, Instagram, Pinterest, LinkedIn)
  • Cookies from video embedding applications, such as YouTube
  • Affiliate Services Cookies
  • Cookies from retargeting services
  • Cookies from remarketing services
  • Online map services such as Google Maps
  • Cookies from SZM (scalable central measurement methods)

You can make another distinction with cookies and divide them into essential cookies, analysis cookies and cookies for marketing purposes.

  • Essential cookies are all cookies that are required for the operation of the website. Consent is not mandatory for this type of cookie.
  • Analysis cookies are cookies for Google Analytics, Matomo or etracker – i.e. tools that analyze visitor behavior. These are usually subject to approval.
  • Marketing cookies are always used when it comes to online advertising. These tools record the interests of website visitors so that customized advertisements can be shown to users on different websites. Facebook Pixel, Google Remarketing and Google Adsense are among these tools. If you want to use these tools, you always need the consent of the website visitor.

Cookie banner – technically necessary and technically non-essential cookies

For a long time, technically necessary cookies could be set without the user’s consent. On the other hand, the consent of the user always had to be obtained for the setting of cookies that were not technically necessary. The law now provides for much stricter regulations. If a cookie is to comply with the GDPR, the user must almost always give their consent. This means that consent must be given for almost all cookies to be set. A cookie banner must therefore not only be available if the cookies are used for advertising purposes, but also if comfort functions are to be fulfilled.

For example, if the user’s language setting is saved, the cookie should be designed in accordance with the GDPR. The legal regulations are intended to ensure that both the personal data of the user is protected and his right to self-determination is preserved. Although a distinction is still made between the setting of technically necessary and technically unnecessary cookies, it is not always possible to clearly distinguish between these two variants. If you want to act in accordance with the law, you should take a conservative approach and use cookie banners with transparent information on the use of cookies. A cookie banner with the corresponding cookie banner text is also useful for cookies that are used to store preferences.

It can be said with certainty that a declaration of consent should always be obtained for cookies used for marketing, tracking, statistics or analysis. Depending on the type of cookies, cookie banners or cookie consent banners are possible. Basically one can say:

  • If cookies are necessary from a technical point of view, it is sufficient to simply inform the user about the setting of cookies. This means that a pure cookie notice would be possible here.
  • If the consent of the user is required for a cookie according to the GDPR, a cookie notice is not sufficient. The user does not only have to be informed about the setting of cookies. The user’s consent must be obtained. Simple cookie banners that only inform the user do not serve this purpose. A cookie consent banner must be used here.

Since the pure information about the setting of cookies is rarely sufficient, in most cases you will have to resort to a cookie consent banner.

What are cookie banners?

When a user visits a website for the first time, a cookie banner usually appears. Usually the cookie banner can be seen at the bottom of the website. In some cases, a pop-up window will also open. The banner contains a cookie banner text that informs the user about the cookies and trackers present on the website. With a cookie consent banner, the user also has the option of giving their consent to the use of cookies. He can agree or refuse the processing of personal data. Thanks to the cookies, Internet users can be recognized when they visit again. This means that if something has been saved in the shopping cart, it will still be available the next time you visit.

Whenever the user has made individual settings, cookies can ensure that these settings do not have to be made again when visiting the website again. Cookies are necessary for the technical operation of a website. However, there are also non-essential cookies and here the user must have the opportunity to find out about them and to consent to the processing of personal data or to refuse it. It is important to know that the GDPR is not just limited to the use of cookies; other technologies are also included if they are used in any way to process personal data. The term “cookie banner” can therefore be misleading and a simple banner for cookies is not sufficient in many cases if you want to comply with the requirements of the GDPR.

Do I need a cookie banner for my website?

Anyone who runs a website and has visitors from the EU (or from outside) should have a corresponding banner. A cookie banner generator can be very helpful here. The cookie banner generator should design the banners in such a way that the user is fully informed about the cookies and has the opportunity to make a choice. For this purpose, the cookie banner generator must scan all cookies and list them accordingly in the banner. The cookie banner text informs users about the setting of cookies and consent can be obtained. Studies have shown that many website operators are not even aware that their users’ data is being processed by third or fourth parties. For example, there are Trojans whose existence is often not even known to website operators. With a high-performance consent management system, however, pages can be scanned for any cookies from other parties. Anyone who wants to protect their users’ data and ensure that their cookie banner is GDPR compliant needs a sophisticated and in-depth solution. This is the only way to ensure that all cookies and trackers can actually be found and controlled on the website, as required by the GDPR. After all, anyone who does not have an overview of the entire website from a technical and functional point of view cannot guarantee the data protection of users. A cookie banner generator that can play out a cookie banner that complies with the provisions of the GDPR is therefore absolutely necessary for website operators.

What do you have to consider when implementing cookie consent banners in practice?

Due to the legal regulations, there are some rules that should be observed when implementing a cookie consent banner. If cookie consent banners are used, the following points should be considered:

  • Before cookies requiring consent are set, consent must first be obtained. There is still a lot of catching up to do on many websites. It is not enough to use a correct cookie banner text if the technical implementation does not work correctly.
  • Consent is not to be assumed if the user navigates or scrolls on the website. This does not constitute legally compliant consent.
  • If a cookie banner generator is used, it must design the banner in such a way that withdrawing consent is just as easy as giving consent.
  • All cookies for which consent is obtained must be stated in the banner itself or in the cookie policy or privacy statement. The user must be informed to what extent the cookies are processed.
  • Proof is required for the declaration of consent. This proof is provided by setting a necessary cookie. The user must also be informed about the setting of this cookie.
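
The rules above can be enforced by routing every cookie write through one gate. The following JavaScript is an added example, not code from consentmanager or any other CMP; the cookie names, the catalogue and the `Map` standing in for the browser's cookie store are assumptions made for illustration.

```javascript
// Constructed catalogue: every cookie the site may set, with its declared purpose.
const CATALOGUE = {
  session_id: 'essential',
  consent_record: 'essential', // necessary cookie holding the proof of consent
  _analytics_id: 'analytics',
  _ad_profile: 'marketing',
};

class ConsentGate {
  constructor(jar, catalogue = CATALOGUE) {
    this.jar = jar;             // Map standing in for the browser cookie store
    this.catalogue = catalogue;
    // Nothing is pre-ticked: only essential cookies are allowed by default.
    this.granted = new Set(['essential']);
  }

  // Call this only from the banner's accept / reject / save buttons.
  // Scroll and navigation handlers must never call it.
  decide(purposes, now = new Date()) {
    const known = new Set(Object.values(this.catalogue));
    this.granted = new Set(['essential', ...purposes.filter((p) => known.has(p))]);
    // Remove cookies whose purpose is not (or no longer) covered by consent.
    for (const name of [...this.jar.keys()]) {
      if (!this.granted.has(this.catalogue[name])) this.jar.delete(name);
    }
    // Record the decision as proof, stored in a necessary cookie.
    this.jar.set('consent_record', JSON.stringify({
      purposes: [...this.granted].sort(),
      at: now.toISOString(),
    }));
  }

  // Withdrawing takes one call, exactly like giving consent.
  withdraw(now = new Date()) {
    this.decide([], now);
  }

  // Single choke point for cookie writes. Returns true if the cookie was set.
  setCookie(name, value) {
    const purpose = this.catalogue[name];
    if (purpose === undefined) return false;      // not declared in the banner
    if (!this.granted.has(purpose)) return false; // no consent for this purpose
    this.jar.set(name, value);
    return true;
  }
}
```

Third-party scripts that write cookies themselves bypass such a gate, so the same catalogue also has to decide which scripts are loaded at all.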

What content should a cookie banner contain?

When it comes to the cookie banner text, there are certain rules. In order to comply with legal requirements, a cookie banner must contain the following:

  • The cookie banner text should provide a first indication of the purpose for which the cookies are used.
  • There must be a reference to the privacy policy. This should contain more information. The data protection declaration should be accessible with one click. On the way to the data protection declaration, no cookies may be set that are not technically necessary.
  • There must be a button available for giving consent and a button for denying consent.
  • The user must have a choice and know the purpose of the cookies to which he should consent. The selection boxes must not be pre-filled, the user must tick them themselves.

Using cookie banners – what does the GDPR have to do with it?

Depending on their use and purpose, cookies can be used to store, analyze and further process personal data. The collected data can also be forwarded to third parties. For this reason, the use of cookies is controversial. Anyone who operates a website should therefore be familiar with terms such as “cookie notice” and “cookie policy”. The GDPR has been in effect since May 25, 2018. The European General Data Protection Regulation always comes into play when it comes to the processing of personal data. Since May 2018, online retailers and website operators have had to implement a cookie notice on their website with the option to object. However, the GDPR says little about how to deal with cookie notices. Rather, the GDPR affects the privacy policy of a website. The European ePrivacy Regulation is meant to govern the correct handling of cookies and was supposed to be introduced in parallel with the GDPR. However, the ePrivacy Regulation has been postponed again and again, so that it has not yet come into force (as of March 2021).

Cookie banners are mandatory – what applies to my website?

Website operators and online retailers are rightly asking what this means for their own online presence. So far, the legal situation does not seem to be entirely clear. The GDPR provides information on the data protection declaration, the ePrivacy Regulation is still pending. How should website operators and online retailers behave? Ideally, the cookie banner should be considered mandatory – despite the still inconsistent legal situation. The cookie banner should be designed in such a way that the user has to become active and decide for themselves which cookies they want to accept and which not. The objection solution anchored in the Telemedia Act (TMG) does not go far enough here and it can be legally risky to rely on it alone. If you consider the cookie banner to be mandatory and want to be on the safe side, you should inform website users about which cookies are being used. In addition, the user should have the opportunity to actively decide on the processing of the data. All website operators should adhere to these rules, even if they are supposedly private websites or the website of the sports club. Anyone using a cookie banner provider should ensure that:

  • The user’s consent is obtained directly when the page is accessed. This should be done before cookies are set. Technically necessary cookies can be an exception here.
  • It is not enough if the cookie banner text consists of a simple notice and this disappears immediately after a click on the page or can simply be hidden.

The tick for approval must not be ticked in advance

Ideally, manipulative cookie banners should be avoided. This means it shouldn’t take more clicks to opt out of cookies than to accept them. The accept button should also not be more prominent than the rejection button. Although it is not forbidden to design cookie banners in this way, it is viewed critically. So-called cookie walls are also viewed critically. A cookie wall is designed in such a way that the user does not even get to the website if he does not agree to the use of cookies. However, the European Data Protection Board (EDPB) takes the view that a website visitor must be able to visit a website even if he rejects cookies that are not technically necessary.

What belongs in the data protection declaration?

Regardless of whether online retailers and website operators use a cookie banner, they must refer to the processing of personal data in the data protection declaration. Among other things, the data protection declaration should inform users about the type and purpose of the cookies used. The user should learn:

  • What type of data is collected using cookies.
  • For what purpose the personal data is used.
  • How long the data is stored.
  • Whether and to whom the data is passed on.
  • Whether and how to withdraw consent to the processing of personal data.

Cookie banner tools for a legally compliant design

Designing cookie banners in accordance with the GDPR is not always that easy. In order for the cookie banner or the cookie consent banner to be designed in a legally compliant manner, it is advisable to use the appropriate cookie banner tools. A Consent Management Provider (CMP) is a cookie banner tool that takes over the design and provision of the cookie consent banner. In principle, every online retailer and every website operator should use an established cookie banner tool, for example from providers such as Consentmanager. There are both free and paid cookie banner tools. Typically, a paid cookie banner tool offers more functionality. These additional features may include, for example, adapting the cookie notices to a specific language. If the cookie banner should also match the design of the website, a fee-based cookie banner tool is also useful. If you want to customize your banner and use additional services, you are well advised to use paid solutions. If you also offer an app in addition to your website, you also need a suitable solution for this.

Using a consent management solution that scans the website to find all cookies and allows users to give their consent to each cookie is a reliable and secure way to make your website compliant with the GDPR.

What are the advantages of a consent management tool?

The GDPR applies to all online retailers and website operators. Even if some website operators are still hesitating and wondering whether a GDPR-compliant cookie notice is really necessary, nobody can actually avoid it today. Failure to comply with legal regulations can result in high fines for website operators. The topic of IT in particular is a problem for many entrepreneurs. You don’t know enough about the topic, you invest a lot of time and in the end you’re not sure whether the cookie notice is GDPR-compliant. This is where a consent management tool like the one from Consentmanager.de comes in handy. With this solution, website operators can be sure that they are complying with the EU’s General Data Protection Regulation. With a tool like that offered by consentmanager.de, cookie consent banners can be added to your own website quickly and easily. A GDPR-compliant banner protects website visitors while providing protection from lawsuits. In addition, advertising partners can feel safe and are more likely to invest if they know they are on the safe side.

Conclusion

Do you have an online shop or a website and would like to design your website in accordance with the requirements of the GDPR? Would you like to be protected from warnings? Then the subject of “cookies” should definitely be on your to-do list. Anyone who does not give visitors to their website the opportunity to consent to the processing of personal data risks being warned. A warning can also be associated with high costs. If you would like to use cookies on your website, then use a corresponding consent banner or a cookie consent tool to ensure that the specifications are implemented efficiently and at the same time in compliance with the law. The guidelines for handling cookies and cookie banners on websites are relatively new, which is why there is a lack of experience, precedent and clear regulations. With the consent management tool from Consentmanager.de, website operators play it safe. Our consent management tool is easy to use and can be easily integrated into websites. So you can be sure that users are well informed about the use of cookies. And on the other hand, the consent for the use is obtained in accordance with the law.

