Newsletter 2021/12

The German TTDSG law is only a few days old and the first ruling is already out: the cookie banner provider “Cookiebot” has been declared illegal by the Wiesbaden Administrative Court. In urgent proceedings, the RheinMain University of Applied Sciences was ordered to stop using the service.

Background: Cookiebot uses servers located in Europe, but since these servers belong to a US provider, the US Cloud Act applies. This allows US authorities to access the servers. Data stored on these servers is therefore not secure, and Cookiebot does not store this data in a GDPR-compliant manner. The use of Cookiebot is thus ultimately illegal.

The verdict is groundbreaking and indirectly also affects other providers: In a first small test, we found US services in use at all important CMPs and cookie banner providers: Usercentrics, SourcePoint, OneTrust, Didomi, CookieFirst, Iubenda, CookieHub, CookieYes and others also use services such as Amazon AWS, Google Cloud, Microsoft Azure, Cloudfront, Akamai and other services from US companies. As a logical conclusion from the “Cookiebot judgment”, the cookie solutions of these companies are also illegal.

However, nothing will change for consentmanager’s customers: We have always relied on purely European providers without headquarters in the USA and without US parent companies. consentmanager is therefore not affected by the Cookiebot ruling.

Log4j – security hole?

A security hole in a widely used Java library called Log4j also caused a stir this month. A final check is still running. Since we do not use any Java-based components at consentmanager, we currently assume that consentmanager’s systems remain secure and are not affected by this issue.

More features and changes

This month we have taken care of many small points from our roadmap. The most important concern the design settings, bug fixes for blocking, security functions, reporting and much more.

Code change necessary

The IAB updated the IAB TCF Standard and removed several features (e.g. global scope, OOB and domain). We have therefore made the corresponding settings in our system. As the domain will be removed by the IAB (timeline not yet set), we have updated the stub code (the part of the code that is integrated into your website) to reflect the domain change. The new codes will use the domains * and * instead. We expect the sunset phase for these domain changes to be 1 year or longer, but encourage clients to start updating their codes as soon as this release is out.


  • Deprecated: dataLayer.cmpVendorsConsent / dataLayer.cmpCustomVendorsConsent – use dataLayer.cmpConsentVendors instead. The fields are now removed with this update!

Release log

With the current release we have applied the following changes:

  • CMP-822 Design: Add position bottom left option
  • CMP-596 Auto. assign vendors to classic categories
  • CMP-988 Crawler issue accept with whitelabel-domains
  • CMP-810 Issue reporting rights
  • CMP-559 Info mail to user if cc expires
  • CMP-971 Remove https:// from whitelist/blacklist ignore/ignore path input on save
  • CMP-968 Add info texts for CMP setting whitelist/blacklist & ignore domain/path
  • CMP-951 Set consent mode status before wait timeout
  • CMP-961 Add lazy loading to all images in CMP layer
  • CMP-298 Use account language as default translation
  • CMP-861 Add user right for texts
  • CMP-958 Add support for re-activating script with nonce
  • CMP-578 Benchmark: add categories
  • CMP-775 Add public API for window.cmpmngr.callLazyLoad()
  • CMP-834 WP Plugin: Logo wrong path if /wp-config/ has different name
  • CMP-503 Fix reporting logic
  • CMP-389 Set styles of cmpbox in order to prevent override by website
  • CMP-936 Toggles on EU-Data transfer page don't work
  • CMP-962 Issue Age verification doesn't call callback on custom settings
  • CMP-989 Issue toggle in middle position
  • CMP-990 Separate purposes from features for TCF
  • CMP-991 Add option to not show toggles for special purposes
  • CMP-992 Add option to show vendor toggles only in “all vendors” list
  • CMP-995 Add option to remove all old choices
  • CMP-598 Additional languages
  • CMP-855 Change order of password change
  • CMP-818 Add smaller default designs
  • CMP-823 Add more default designs
  • CMP-870 App reports issues
  • CMP-893 Add “–” to age list
  • CMP-966 Toggle always On for data transfer outside EU

Not sure if you need a CMP?

If you are unsure if your company needs a CMP or not, please get in touch with us – we will help you find the right solution for your company!
