
Important ruling: Provider “Cookiebot” violates data protection


UPDATE: This article was published on December 6, 2021. In the meantime, the decision of the VG Wiesbaden against Cookiebot was overturned by the VGH Kassel. However, this was not because the use of Cookiebot had been declared lawful, but for purely procedural reasons (there was no urgency to issue an interim injunction and the court of first instance had no jurisdiction). We do not know whether a main action has been filed against Cookiebot.


In a groundbreaking decision, the Wiesbaden Administrative Court found that the provider Cookiebot is not data protection compliant. In the process, the RheinMain University of Applied Sciences was prohibited from using the provider on its own website.

Screenshot of the Wiesbaden Administrative Court's website about the Cookiebot ruling

The background

The proceedings before the Wiesbaden Administrative Court (case number: 6 L 738/21.WI) were essentially about whether or not the RheinMain University of Applied Sciences uses a GDPR-compliant cookie banner on its website www.hs-rm.de. Ultimately, the question is whether a website can be GDPR compliant at all if the “Cookiebot” tool is used.

The decision

The court has now answered this question in the negative: The website of the RheinMain University is not allowed to use the Cookiebot cookie banner – the court thus declares the provider Cookiebot not to be compliant with data protection regulations.

The university is obliged to end the integration of the “Cookiebot” service on its website, as this is associated with the illegal transmission of personal data of the website users and thus in particular of the applicant.

Administrative Court of Hesse, VG Wiesbaden

The reasoning

As a provider of cookie banners, Cookiebot processes personal data, such as the IP address or browser information of the visitor. The servers for this data processing are located at a provider whose company headquarters is in the USA (Cookiebot rents these servers). This results in a reference to a third country, which is inadmissible with regard to the so-called Schrems II judgment of the European Court of Justice. This means that data is sent to a company where it is not adequately protected from access by US authorities such as the NSA or FBI.

Simply put: By using Cookiebot and the associated transfer of data to the USA, US authorities could access data from European users. The use of Cookiebot is therefore not legal, and Cookiebot must be removed from the university’s website.

The consequences

The judgment is groundbreaking and thus also affects the Cookiebot WordPress plugin and indirectly also other providers: In a first small test, we found US services in use at all important CMPs and cookie banner providers:

Usercentrics, SourcePoint, OneTrust, Didomi, CookieFirst, Iubenda, CookieHub, CookieYes and others also use services like Amazon AWS, Google Cloud, Microsoft Azure, Cloudfront, Akamai and other services from US companies.

In one fell swoop, 90% of German and international websites could be non-GDPR compliant and there is an urgent need for action.

Our recommendation

Therefore, you had better trust consentmanager: We rely (and always have) on purely European providers with no roots in the USA. All data is hosted exclusively in the EU – without the risk of bans, warnings and fines due to Schrems II violations, as is now the case with Cookiebot.

