Newsletter 12/2021

The TTDSG is only a few days old when the first verdict comes with a bang: The cookie banner provider “Cookiebot” was declared illegal by the Administrative Court of Wiesbaden. In summary proceedings, the RheinMain University of Applied Sciences was ordered to stop using the service.

Background: Cookiebot uses servers located in Europe, but since these servers belong to a US provider, the US Cloud Act applies here. This enables the US authorities to access the servers. Data stored on these servers is therefore not secure and Cookiebot therefore does not store this data in a GDPR-compliant manner. The use of Cookiebot is ultimately illegal.

The verdict is groundbreaking and thus also indirectly affects other providers: In a first small test, we found US services used by all important CMPs and cookie banner providers: Usercentrics, SourcePoint, OneTrust, Didomi, CookieFirst, Iubenda, CookieHub, CookieYes and others also use services such as Amazon AWS, Google Cloud, Microsoft Azure, Cloudfront, Akamai and other US company services. As a logical conclusion from the “Cookiebot verdict”, the cookie solutions of these companies are also illegal.

However, nothing will change for consentmanager customers: We have always relied on purely European providers without a registered office in the USA and without US parent companies. consentmanager is therefore not affected by the Cookiebot verdict.

Log4j – Vulnerability?

Also causing a stir this month was a vulnerability in a widely used Java library called Log4j. A final check is still ongoing, since we do not use any Java-based components at consentmanager, we currently assume that the consentmanager systems are still secure.

More new features and changes

In particular, this month we have completed many small points from our roadmap. The main ones concern theme settings, blocking fixes, security features, reporting, and more.