Designing consent solutions for cookies

According to the landmark ruling of the ECJ of 01.10.2019 (Case C-673/17), all technically unnecessary cookies require the visitor's consent. The ruling also places requirements on the design of the consent solution.

What are technically unnecessary cookies?

Basically, this category includes all cookies that are not technically necessary for the operation of a website and the provision of specific functions of a website. In particular, this includes all cookies from third-party providers that are used to track the surfing behavior of site visitors for marketing, market research, market analysis or cooperation purposes.

Therefore, the following cookies are subject to consent:

  • Cookies from tracking and analysis tools
  • Cookies for affiliate services
  • Cookies for remarketing services
  • Cookies for retargeting services
  • Cookies of the social media plugins (Facebook, Instagram, LinkedIn, Pinterest, Twitter)
  • Cookies from video embedding applications (Vimeo, YouTube)
  • Cookies of scalable central measurement methods (SZM)
  • Online mapping services such as Google Maps and OpenStreetMap

What are technically necessary cookies?

Technically necessary cookies are all those that are required for the operation of a website and its functions. These are not subject to consent. They do not have to be displayed as a consent option in a banner or settings window when the page is called up. A mention in the privacy policy is sufficient - but this must be present!

Technically necessary cookies that do not require consent include:

  • Session cookies that store the user's settings (e.g. shopping carts, language settings or log-in data)
  • Flash cookies for media content playback
  • Cookies that are set by integrated payment service providers (regardless of a concrete payment) - provided that they do not analyze any usage behavior, but serve exclusively to prepare possible payments or to check a payment authorization
  • Opt-out cookies, which can be used to revoke cookie consent

Furthermore, the obligation to give consent does not apply (pursuant to Art. 5(3) of the Cookie Directive 2002/58/EC) if the sole purpose for setting the cookie is to carry out the transmission of a message via an electronic communications network.

Cookies from the following sources are therefore not subject to consent:

  • Live chat systems and
  • Messenger services

Are there any technical and design requirements for cookie banners or consent?

In practice, so-called "cookie banners" or "cookie consent tools" have proven their worth in implementing the legal requirements. Here, a prompt is displayed up front when the website is called up for the first time, and the visitor can consent to the use of cookies.

However, technical and design points must be taken into account:

  1. Choice and information about the respective cookies

    - each cookie must be listed
    - each party involved must be disclosed, as must the purpose for which the respective cookie is set

  2. No cookie use before consent

    No cookies may be preactivated or run in the background. All cookie scripts must be blocked.

  3. Logging & storage of the respective consent

    So-called "indirect user identification" is sufficient to fulfill the consent-related obligation to provide evidence. Here, the decision of a data subject for or against all individual cookie consents is stored on his or her end device. The use of a user ID or other unique identification is not required. This method is sufficient as proof - it has the advantage that the data subject will no longer be shown the corresponding banner or tool when the website is called up again.

  4. Revocation possible and must be feasible

    Any consent must be revocable, and revocation must be simple. A "one-click revocation option" should be implemented - for example, via the privacy policy or a "Cookie settings" menu item / button.
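
One way to implement points 2 to 4 in the browser, as an added example that is not taken from the original article or from any particular consent tool. The class name, the storage key and the category names are assumptions; `storage` stands for `window.localStorage` and `loadScript` for whatever function inserts a script tag.

```javascript
// Added example: consent gate covering points 2-4 above. Names are hypothetical.
const STORAGE_KEY = "cookie_consent"; // constructed key name

class ConsentGate {
  // storage: getItem/setItem API (window.localStorage in a browser)
  // loadScript: callback that injects a script; only called after consent
  constructor(storage, loadScript) {
    this.storage = storage;
    this.loadScript = loadScript;
    this.blocked = []; // {category, src} entries waiting for consent
    this.loaded = new Set();
  }
  // Stored decision, or null if none exists or it is unreadable.
  decision() {
    try {
      const d = JSON.parse(this.storage.getItem(STORAGE_KEY));
      return d && d.choices && typeof d.choices === "object" ? d : null;
    } catch {
      return null;
    }
  }
  needsBanner() {
    return this.decision() === null;
  }
  // Point 2: a script runs only if its category was explicitly accepted.
  register(category, src) {
    this.blocked.push({ category, src });
    return this.release();
  }
  release() {
    const d = this.decision();
    const allowed = (e) => d !== null && d.choices[e.category] === true;
    const ready = this.blocked.filter(allowed);
    this.blocked = this.blocked.filter((e) => !allowed(e));
    for (const e of ready) {
      if (!this.loaded.has(e.src)) { this.loaded.add(e.src); this.loadScript(e.src); }
    }
    return ready.length;
  }
  // Point 3: per-category choices and a timestamp on the device, no user ID.
  save(choices) {
    this.storage.setItem(STORAGE_KEY, JSON.stringify({ choices, savedAt: new Date().toISOString() }));
    return this.release();
  }
  // Point 4: one call records a refusal for every stored category.
  revoke() {
    const d = this.decision();
    const choices = {};
    for (const c of Object.keys(d ? d.choices : {})) choices[c] = false;
    this.storage.setItem(STORAGE_KEY, JSON.stringify({ choices, savedAt: new Date().toISOString() }));
    return this.loaded.size > 0; // true: reload so running scripts stop
  }
}
```

A script that is already running cannot be unloaded, so when `revoke()` returns true the caller reloads the page and deletes the cookies those scripts set.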

What about tracking tools such as Google Analytics?

All tracking tools that are cookie-based and set cookies that are not technically necessary are subject to consent. This also applies to Google Analytics and similar systems.

Can I check if my website uses cookies?

Yes - in principle, a check is possible. This can be done via the browser, via special websites or via special apps or software solutions (e.g. Maxa Cookie Manager, Ghostery, etc.).

There are some tools online that can be used to check a website regarding the use of cookies. These include for example cookiemetrix.com and dataskydd.net.

If you have had your website programmed or are unsure which cookies are used, you should check this - often components such as the use of Google Maps, incorrect use of YouTube videos, the use of a banner (for example ratings, etc.) or the use of special fonts (for example Google Fonts) are overlooked. This creates the risk that the website is problematic from a data protection perspective or that the privacy policy is wrong.
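
A first check for such overlooked components can be scripted. The following is an added example, not part of the original article: it lists every resource in a page's delivered HTML that is fetched from a host other than the site's own. The function name and the sample markup are constructed; the inert `type="text/plain"` / `data-src` script in the sample is an assumed way a consent tool might hold a script back.

```javascript
// Added example: list third-party resources referenced in a page's static HTML.
// findThirdPartyEmbeds and SAMPLE_HTML are constructed for illustration.
function findThirdPartyEmbeds(html, pageUrl) {
  const siteHost = new URL(pageUrl).hostname;
  // A real src/href attribute is preceded by whitespace; data-src is not matched.
  const tagRe = /<(script|iframe|img|link)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const findings = [];
  for (const m of html.matchAll(tagRe)) {
    let url;
    try {
      url = new URL(m[2], pageUrl); // resolves relative paths against the page
    } catch {
      continue; // unparsable value, nothing is fetched
    }
    if (url.protocol !== "http:" && url.protocol !== "https:") continue;
    if (url.hostname === siteHost) continue; // first-party resource
    findings.push({ tag: m[1].toLowerCase(), host: url.hostname });
  }
  return findings;
}

// Constructed sample: what a server might deliver before any consent is given.
const SAMPLE_HTML = `
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://www.googletagmanager.com/gtag/js?id=PLACEHOLDER"></script>
<iframe src="https://www.youtube.com/embed/PLACEHOLDER"></iframe>
<script type="text/plain" data-src="https://www.google-analytics.com/analytics.js"></script>
<img src="logo.png">`;

const report = findThirdPartyEmbeds(SAMPLE_HTML, "https://www.example.org/");
console.log(report); // fonts, tag manager and video embed load without consent
```

This only sees the markup the server delivers; resources that scripts add at runtime still have to be checked in the browser's network view.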

What does this mean for me as a website operator?

We recommend that all website operators who do not have adequate solutions (according to the above standards) for technically unnecessary cookies disable all affected cookie-based applications until further notice (for example, Google Analytics). The solution commonly used to date, which simply displays a notice such as "This website uses cookies..." or similar, is insufficient and very risky from a legal perspective.

In case of doubt, we advise our customers to shut down the corresponding services until the individual solution has been further defined or clarified.

This is the only way to avoid legal risks.
