Non-compliant Cookie Banner: why 5 big German companies have now been issued warnings

Whether a cookie banner complies with the GDPR or not is no longer a matter of interpretation. On the contrary: since the German Bundesgerichtshof (BGH) ruled on the Planet49 case, there have been clear announcements from the courts at the latest. The “Verbraucherzentrale Rheinland Pfalz” (the Consumer Representation of the German federal state Rheinland Pfalz) has now reviewed the cookie banners from 50 websites – and issued warnings to five companies for various reasons.

LEGAL BACKGROUND

Setting cookies that are not necessary or functional is only permitted with the consent of users. This is the reason why anyone who wants to collect data for marketing purposes must ask their users for permission in advance (BGH ruling of May 28, 2020). And website operators can’t just do it the way they want, they need to gather consent according to very specific criteria.

For more information, see “7 Criteria for a GDPR-compliant consent”.

⚠ Chefkoch.de

Reason for the warning: The cookie banner obscured the imprint and privacy policy. In addition, users might have been tricked into thinking they only had the option of agreeing to cookies. 

Consequence: The company reacted promptly and already promised a change in an out-of-court settlement. In the meantime, the banner has been made more consumer-friendly.

⚠ Deichmann

Reason for the warning: The Deichmann website only contained a non-functional cookie notice, which users could hide by clicking on an “OK” button. In addition, there was neither a corresponding reject button nor granular selection options. 

Consequence: After receiving the warning, Deichmann redesigned the banner accordingly.

⚠ Finanztreff & Doodle

Reason for the warning: Both websites used preset checkboxes or sliders on their cookie banner. Users had to deactivate these so that their data would not be passed on to third parties for advertising purposes.  

Consequence: Both Finanztreff and Doodle issued the required cease and desist declaration and redesigned their cookie banners accordingly.

⚠ Tripadvisor

Reason for the warning: Tripadvisor was using a non-functional cookie banner and interpreted the mere use of the page as consent to the setting of technically unnecessary cookies. Thus, Tripadvisor interpreted scrolling, surfing on the website or clicking a button as consent. The fact that the cookie banner was very small was also criticized, which possibly made some users overlook it altogether.

Consequence: After a warning by the consumer advice center, Tripadvisor completely redesigned its Cookie Banner.

1. No reject-all button in the first layer

⇨ The GDPR requires that user consent must be given voluntarily. This means that the user must always also have the option to object to the use of their data via a decline-button. 

Important here: The opt-out must be just as easily and accessible as the opt-in. And the user must not suffer any disadvantage as a result of an opt-out, i.e. the page must still be usable for him in the same way.

2. Pre-checked ticket boxes or sliders  

⇨ According to the GDPR, the user must actively consent to the use of marketing cookies and similar technologies. The opt-in obligation therefore applies here.

Pre-checked boxes that have to be unchecked are therefore non-compliant with the GDPR and do not lead to effective consent. This was also clearly confirmed by the Federal Supreme Court in its Planet49 ruling in May 2020.

3. No granular option to opt-in/opt-out of services

⇨ The user must be able to make an informed and granular opt-in decision. They must be able to take a look at all cookies and technologies used in detail and select granularly – i.e. individually – which they agree to or not. The simplest option to offer the user such a GDPR-compliant cookie banner is via a Consent Management Platform (CMP).

4. “Implicit consent” obtained through further use of the website

⇨ Non-functional cookie banners, i.e. banners where cookies are set by default and only a “pseudo consent query” takes place, do not comply in any way with the requirements of the GDPR for valid consent. If only an “OK” button is displayed, this also contradicts the requirement of voluntariness, among other things, because no option to select is given.

5. Hidden imprint or privacy policy

⇨ Regardless of whether the cookie banner is displayed in the form of a wall (in the middle of the page) or as a banner at the bottom, the imprint and privacy policy of the website must not be hidden under any circumstances. To be on the safe side, it is a good idea to place a link to the imprint and privacy policy directly in the cookie banner.

For more info on how to set up your cookie banner correctly with the Usercentrics CMP, feel free to contact our experts.

Which tricks you should rather refrain from, is explained here: “Obtaining user consent: these 5 tricks are not GDPR-compliant”.