Ready for the new Google Consent Mode v2?Jetzt mehr erfahren »

Important verdict: Provider “Cookiebot” declared illegal

In a groundbreaking judgment, the Administrative Court of Wiesbaden declared the provider Cookiebot illegal. In the process, the RheinMain University of Applied Sciences was prohibited from using the provider on its own website.

Screenshot of the Wiesbaden Administrative Court's website about the Cookiebot ruling

The background

The proceedings before the administrative court in Wiesbaden (Az.: 6 L 738/21.WI) were basically about whether the RheinMain University of Applied Sciences uses a GDPR-compliant cookie banner on its website or not. Ultimately, this is about the question of whether a website can become GDPR-compliant at all if you use the “Cookiebot” tool.

The decision

The court has now answered this question in the negative: The website of the RheinMain University of Applied Sciences is not allowed to use the Cookiebot cookie banner – the court thus declares the provider Cookiebot to be illegal.

The university is obliged to end the integration of the “Cookiebot” service on its website, as this is associated with the illegal transmission of personal data of the website users and thus in particular of the applicant.

Administrative Court of Hesse, VG Wiesbaden

The reasoning

As a provider of cookie banners, Cookiebot processes personal data, such as the IP address or browser information of the visitor. The servers for this data processing are located at a provider whose company headquarters is in the USA (Cookiebot rents these servers). This results in a reference to a third country, which is inadmissible with regard to the so-called Schrems II judgment of the European Court of Justice. This means that data is sent to a company where access by US authorities such as the NSA or FBI is not sufficiently protected.

Simply formulated: By using Cookiebot, US authorities could access data from European users. The use of Cookiebot is therefore illegal and should therefore be removed from the university’s website.

The consequences

The judgment is groundbreaking and thus also affects the Cookiebot WordPress plugin and indirectly also other providers: In a first small test, we found US services in use at all important CMPs and cookie banner providers:

Usercentrics, SourcePoint, OneTrust, Didomi, CookieFirst, Iubenda, CookieHub, CookieYes and others also use services like Amazon AWS, Google Cloud, Microsoft Azure, Cloudfront, Akamai and other services from US companies.

In one fell swoop, 90% of German and international websites are basically not GDPR-compliant and there is an urgent need for action.

our recommendation

It is therefore better to trust consentmanager: We (always) rely on purely European providers without roots in the USA. All data is hosted exclusively in the EU – without the risk of bans, warnings and fines due to Schrems II violations, as is now the case with Cookiebot.

more comments


Newsletter 02/2024

DSA came into force: Does the Digital Services Act apply to your company?  In our latest article, we look at the critical updates and expanded obligations for more online sites brought about by the Digital Services Act (DSA), a key component of the EU Commission’s ‘Europe fit for the digital age’ initiative. The DSA has […]
Digital Services Act

Does the Digital Services Act (DSA) also apply to your company? Online platforms have additional obligations

The Digital Services Act sets additional transparency requirements for online platforms. The definition of an online platform under the DSA may apply to your business. As a result, you may be required to comply with the additional transparency requirements of the DSA. Read on to find out if your business falls into this category and […]