Part of our work at consentmanager is to see what the market is doing. That’s why we took the top 100 German online shops and looked at where, when and which cookies are set and what kind of cookie banners are used. The result: there is pent-up demand.

In top 80 cookies without consent

For the analysis, we took the list of the top 100 online shops with the highest turnover in 2020 from EMI and called up each shop individually with the Chrome browser in incognito mode. Our expectation was to see maybe a handful of cookies on the pages on average – the result of the treatment of data protection in these online shops was more than sobering:

Out of 100 pages, there was not a single cookie on only 2 pages, but there were more than 30 cookies on 15 pages – without having clicked on the consent button, mind you. The (sad) peak is occupied by a fashion retailer who sets a full 80 cookies before the visitor has consented – even though a cookie banner is shown on the site that allows the refusal. Even the average is significantly higher than we expected at around 16 cookies (before approval) per shop . Even if the shops were to say that many cookies could be “functional” and “essential” – are 16 cookies really necessary for that?

“Homemade” brand cookie banner

We were also surprised by the number of shops that preferred to build their own cookies or use ready-made scripts from the Internet instead of a professional cookie solution. Around 40% of the online shops surveyed were using a homemade cookie banner. The result is correspondingly poor here: only very few were designed to be GDPR/ePrivacy compliant.

Nicely designed but not compliant

Unfortunately, there are only a few positive examples. Although some shops block third-party providers in an exemplary manner, they are not completely complete when it comes to communication in the consent layer. In the majority of cases, there is a lack of basic information, such as which providers are used, which purposes are being pursued or which legal bases are being used. Very few shops actually list cookies and the majority list purposes but no providers.

Some websites do make an effort with the graphic design – but too often the focus seems to be on urging the visitor to click on “Accept”. For example, a music store uses a funny cookie banner, but here, too, there is a lack of equal treatment between acceptance and rejection:

The Regional Court of Rostock recently warned that an equal representation of acceptance and rejection is important. However: Of the 100 online shops we examined, we were only able to find one where the rejection is structured in the same way as the acceptance. For 50 shops there was no direct option to refuse, just a “Settings” button or link. A total of 8 shops also had a cookie banner on which there was neither a settings nor a reject button or link.

negative examples

Among the many online shops there is a lot that is done right – but unfortunately there are also many shops that seem to be still living in the pre-GDPR era. Here are some negative examples of how not to do it:

Conclusion

In conclusion, the German online trade is unfortunately very disappointing. According to Statista, each of these companies has generated annual sales of more than EUR 70 million – but at the same time only a handful of online shops manage to display an approximately GDPR-compliant consent layer. In this respect: Dear online shops, please urgently improve the need to catch up 🙂

If you want to know what a cookie banner should at least contain for online shop data protection, you can find some information in our GDPR online shop checklist .