Whether a cookie banner complies with the GDPR or not is no longer a matter of interpretation. On the contrary: since the German Bundesgerichtshof (BGH) ruled on the Planet49 case, there have been clear announcements from the courts at the latest. The “Verbraucherzentrale Rheinland Pfalz” (the Consumer Representation of the German federal state Rheinland Pfalz) has now reviewed the cookie banners from 50 websites – and issued warnings to five companies for various reasons.
Setting cookies that are not necessary or functional is only permitted with the consent of users. This is the reason why anyone who wants to collect data for marketing purposes must ask their users for permission in advance (BGH ruling of May 28, 2020). And website operators can’t just do it the way they want, they need to gather consent according to very specific criteria.
For more information, see “7 Criteria for a GDPR-compliant consent”.
Which companies were affected? And why did they get a warning?
Consequence: The company reacted promptly and already promised a change in an out-of-court settlement. In the meantime, the banner has been made more consumer-friendly.
Reason for the warning: The Deichmann website only contained a non-functional cookie notice, which users could hide by clicking on an “OK” button. In addition, there was neither a corresponding reject button nor granular selection options.
Consequence: After receiving the warning, Deichmann redesigned the banner accordingly.
⚠ Finanztreff & Doodle
Reason for the warning: Both websites used preset checkboxes or sliders on their cookie banner. Users had to deactivate these so that their data would not be passed on to third parties for advertising purposes.
Consequence: Both Finanztreff and Doodle issued the required cease and desist declaration and redesigned their cookie banners accordingly.
Reason for the warning: Tripadvisor was using a non-functional cookie banner and interpreted the mere use of the page as consent to the setting of technically unnecessary cookies. Thus, Tripadvisor interpreted scrolling, surfing on the website or clicking a button as consent. The fact that the cookie banner was very small was also criticized, which possibly made some users overlook it altogether.
Consequence: After a warning by the consumer advice center, Tripadvisor completely redesigned its Cookie Banner.
5 mistakes businesses should avoid when creating a cookie banner
1. No reject-all button in the first layer
⇨ The GDPR requires that user consent must be given voluntarily. This means that the user must always also have the option to object to the use of their data via a decline-button.
Important here: The opt-out must be just as easily and accessible as the opt-in. And the user must not suffer any disadvantage as a result of an opt-out, i.e. the page must still be usable for him in the same way.
2. Pre-checked ticket boxes or sliders
⇨ According to the GDPR, the user must actively consent to the use of marketing cookies and similar technologies. The opt-in obligation therefore applies here.
Pre-checked boxes that have to be unchecked are therefore non-compliant with the GDPR and do not lead to effective consent. This was also clearly confirmed by the Federal Supreme Court in its Planet49 ruling in May 2020.
3. No granular option to opt-in/opt-out of services
⇨ The user must be able to make an informed and granular opt-in decision. They must be able to take a look at all cookies and technologies used in detail and select granularly – i.e. individually – which they agree to or not. The simplest option to offer the user such a GDPR-compliant cookie banner is via a Consent Management Platform (CMP).
4. “Implicit consent” obtained through further use of the website
⇨ Non-functional cookie banners, i.e. banners where cookies are set by default and only a “pseudo consent query” takes place, do not comply in any way with the requirements of the GDPR for valid consent. If only an “OK” button is displayed, this also contradicts the requirement of voluntariness, among other things, because no option to select is given.
For more info on how to set up your cookie banner correctly with the Usercentrics CMP, feel free to contact our experts.
Which tricks you should rather refrain from, is explained here: “Obtaining user consent: these 5 tricks are not GDPR-compliant”.
Setting up a cookie banner in a way that as many users as possible consent to the use of their data is not rocket science. Especially not if you do it without regard to the current legal situation, e. g. by resorting to pre-checked boxes or not even offering a reject all-button in the first place.
Yes it’s true, such nudging methods are effective and increase opt-in rates. But in the end, they don’t pay off. Because only data that was obtained in a GDPR-compliant manner, is valuable data and may be used for marketing purposes.
So instead of risking high fines or a warning notice and putting users’ trust in your brand at risk, it makes perfect sense to prepare a future-proof data strategy in good time. Because one thing is clear: The GDPR isn’t going away, the laws are getting tougher, and the data protection authorities are no longer looking the other way. But – and this is the good news – it’s not the end of the world – because even with a correctly set up cookie banner (e.g. with the help of a Consent Management Platform (CMP)) there are fully GDPR-compliant tricks to significantly increase your opt-in rate. You can find out exactly how to do this in our free whitepaper about “Opt-in Optimization”.
Your company does not yet have a GDPR-compliant cookie banner in place?