The most important facts in brief:
- Cookie notice obligation as standard for websites
- Basis: General Data Protection Regulation (GDPR)
- Either cookie banner or active consent required (opt-in)
- Numerous variants such as WordPress plug-ins available
- Operate legally compliant websites and comply with the General Data Protection Regulation
- Flag tracking cookies
Definition:
A cookie banner or cookie notice on websites with the option to obtain the active consent or refusal of tracking of visitors/users is prescribed by the European Union and defined within Germany by the Telecommunications Telemedia Data Protection Act and additionally by the General Data Protection Regulation (GDPR).
What are cookies anyway?
Cookies are small text files that websites store on the user’s computer (or mobile device) so that the stored information can be used again later. They contain data such as log-in information, preferences and settings in order to “improve” the user’s internet experience. Cookies enable websites to recognize the user and provide personalized content.
In this way, the operators of online presences can respond specifically to the needs and interests of users and thus make the shopping experience even easier. However, there are also data protection concerns (GDPR) in connection with cookies, as they can track user behavior and store personal data. It is therefore important for users to be aware of cookies and, if necessary, adjust the settings in their browser to control the use of cookies. The regular deletion of cookies can also help to protect privacy.
Overview of different cookies
Technically necessary cookies are text files that are required for the smooth functioning of a website, for example to store user input or to keep the user logged in. Non-essential cookies are used for other purposes, such as advertising, analysis or user profiling. Technical cookies are essential, while the others can be excluded via cookie banners or opt-in procedures.
All cookies that are not absolutely necessary for Internet presences are often used by advertising companies to place personalized ads that are tailored to user behaviour. This allows companies to develop more targeted marketing strategies and better adapt their products to customer needs. However, this is often met with criticism from visitors, who are now taking the issue of data protection – as defined in the GDPR – ever more seriously.
What is a cookie banner?
Cookie banners are pop-ups on a website (consent management systems) that specifically satisfy the user’s need to know that the website uses cookies. The banner usually asks the user to consent to the use of cookies before they can continue using the website. This serves to comply with data protection regulations and to protect the user’s privacy. Such cookie banners are often perceived as quite annoying.
Nevertheless, they fulfill an important purpose: compliance with data protection regulations, because visitors are actively given a choice. The user’s consent to the use of cookies protects their privacy and at the same time ensures that the website complies with legal requirements. But what about transparency regarding the data collected? Are users sufficiently informed about exactly what information is stored? This is another important aspect when dealing with cookies (data protection – GDPR) and should be taken seriously by website operators.
When do you not need a cookie banner?
You do not need a cookie banner (according to the current GDPR) if only technical cookies are used on a website, which are essential for the smooth functioning of the website. Since no personal data is collected or used for advertising purposes, a cookie banner is not required in this case. These cookies are used, for example, to save the preferred language setting or to manage the shopping cart of an online store. Thus, they do not affect the privacy of users and therefore do not require a cookie banner (such as consent management systems) on the website. This offers visitors to the website a more pleasant and transparent user experience, as they are not forced to give their consent with annoying queries.
Cookie notice obligation is always mandatory
The cookie notice obligation under the GDPR states that website operators must inform their users about the use of cookies. This is usually done by means of a banner at the top or bottom of the page explaining which cookies are used, for what purpose and how users can accept or reject them. This measure is intended to improve transparency and data protection for users. Those who only use technical cookies must still place a banner (or other method) in a visible position. However, no active opt-in measures (such as a cookie banner with a selection option) are currently required.
Cookie notice: example text for a banner
Whenever website operators only use technical cookies for the smooth operation of the website, visitors do not have to actively object to cookies. A clearly visible cookie notice is still sufficient here, which could look as follows:
By using this website, you agree to the use of cookies. Detailed information about the use of cookies on this website can be found in our privacy policy (linked).
The visitor then has to take some action by clicking on a button that says “Agree”, for example, and marking the information text as read. These simple cookie banners are now disappearing because website operators prefer an active opt-in procedure. From a legal point of view, such a cookie banner notice is “still” sufficient if only technically necessary cookies are set.
Cookie banner obligation and the case law
In the EU and Germany, there are laws that stipulate that websites and online services must display a GDPR-compliant cookie banner that informs users and asks for their consent to the use of cookies. This serves to protect the privacy and data of users in accordance with the EU General Data Protection Regulation (GDPR) and the Telemedia Act (TMG) in Germany. The cookie banner must clearly inform users about the use of cookies and allow them to consent to or reject the use of cookies.
It is important that consent is voluntary and that users have the option to manage or disable cookies. Violations of these laws can lead to fines. It is therefore advisable for companies and website operators to strictly adhere to the requirements regarding the cookie banner in order to avoid possible fines. They should also ensure that user consent is transparent and verifiable by keeping logs of it. This can be achieved by implementing cookie management tools or by regularly reviewing privacy policies.
How to recognize cookies on your own website?
The first step (before publishing your own website) is to manually search for data cookies, which are set automatically. Is a cookie notice sufficient or is an active cookie banner with selection functions necessary? There are numerous online tools that scan websites for cookies:
- Cookiebot
- CookieMetrix
- Cookiebox
- Consent Manager
A cookie scanner is a useful tool for checking and managing cookies on a website. With such a tool, you can see which cookies are set on a website, what information they store and whether they are secure. By using it, website operators will better understand a website’s privacy policy and, if necessary, make settings to control cookie usage. This makes online cookie scanners useful tools for ensuring security and privacy when browsing the internet.
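The pre-launch check described above, sketched as an added example (not code from the original page or from any of the listed scanners): it parses `Set-Cookie` headers captured on a first visit, before any banner interaction, and flags cookies that are not on an operator-maintained allowlist of technically necessary cookies or that lack security attributes. The allowlist, the cookie names and the sample headers are constructed assumptions.

```javascript
// Added example. ESSENTIAL is a hypothetical allowlist the operator maintains:
// cookie name -> whether the cookie must be HttpOnly (not readable by scripts).
const ESSENTIAL = new Map([["session_id", true], ["cart", true], ["lang", false]]);

// Constructed Set-Cookie headers, as captured on a first visit before any banner click.
const SAMPLE = [
  "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "lang=de; Path=/; Max-Age=31536000; SameSite=Lax",
  "analytics_id=u-7f3a; Domain=.example.com; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None",
  "not-a-cookie",
];

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no name=value pair
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Return one finding per header that needs attention before the site goes live.
function auditPreConsent(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!c) {
      findings.push({ name: null, persistent: false, issues: ["unparseable header"] });
      continue;
    }
    const issues = [];
    if (!ESSENTIAL.has(c.name)) {
      issues.push("set before consent but not on the essential allowlist");
    } else if (ESSENTIAL.get(c.name) && !c.attrs.httponly) {
      issues.push("missing HttpOnly");
    }
    if (!c.attrs.secure) issues.push("missing Secure");
    if (!c.attrs.samesite) issues.push("missing SameSite");
    // Max-Age or Expires means the cookie survives the browser session.
    const persistent = "max-age" in c.attrs || "expires" in c.attrs;
    if (issues.length) findings.push({ name: c.name, persistent, issues });
  }
  return findings;
}

console.log(JSON.stringify(auditPreConsent(SAMPLE), null, 2));
```

Any cookie reported as "not on the essential allowlist" is one that either has to move behind the opt-in or be justified as technically necessary.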
Caution, sources of danger when using a cookie banner
Such cookie banners do not always fully comply with data protection regulations. Many tools, add-ons and plug-ins should be used with caution. One example is Google Analytics, a tracking tool (this also applies to version 4).
Analysis cookies in particular require complete consent via a cookie consent banner. Unfortunately, there is still no 100% legal framework. Although the company is now acting more and more consciously when it comes to data protection, according to many experts it is still possible to identify visitors. Google could possibly link information from Google Analytics 4 with the behavior of visitors (also on other websites) and thus recognize them. The safe option is the explicit consent of visitors via a cookie consent banner (consent management).
Avoid manipulation via "dark patterns"
Dark patterns are tactics that aim to deceive or manipulate users. They are often used in the digital world, for example, to get people to unintentionally give their consent or disclose personal data. Even though they are often effective, dark patterns are ethically questionable and should be avoided. In principle, this also applies to cookie banners. Typical examples of attempts to obtain the consent of visitors using cookie banners are:
- Clearly highlighted button for consent in the cookie layer
- Reject button is difficult to reach
- Color highlighting
- Manipulation of visitors via the cookie banner design
- Preset banner checkboxes for consent
It must be just as easy for website visitors to consent to cookies as it is to reject them. According to the current decision of the Higher Regional Court of Cologne (19.01.2024), all website operators are obliged to design all buttons within the cookie banner in the same way. The refusal of consent for the use of a cookie layer must be implemented “at the first level”, so to speak, in parallel with the consent.
Solution - Cookie layer with opt-in procedure
If you want to be on the safe side and actively request the consent of your visitors (even for technically necessary cookies), you should use one of the innovative cookie consent layer tools (cookie consent tool). Some well-known and extremely functional cookie consent banners with a wide range of setting options are as follows:
- Borlabs Cookie
- Real Cookie Banner
- Complianz
- DSGVO Pixelmate
- CookieYes
- Usercentrics
- Cookiebot
- Osano
- OneTrust
- CCM19
However, this list is only the tip of the iceberg of cookie banners. Website operators often also use external programmers who enable individual concepts. All consent management tools naturally cost money (usually as an annual or monthly subscription) but are worth the purchase, on the one hand from the point of view of data protection and helping customers/visitors and on the other hand for security reasons. Who wants to risk a warning due to a faulty banner?
Cookie banner checklist GDPR compliant
Cookie banners are mandatory, but should also include basic factors:
- Clarity and transparency: Make sure that the cookie banner is clear and understandable so that website visitors know which cookies are set and for what purpose.
- Ease of use: Make it easy for users to accept or reject the cookie banner. Add a button to accept (or reject) all cookies at once and an option to make individual settings.
- Adaptability: Adapt the cookie banner to the design of your website so that it fits seamlessly into the overall picture and does not appear disruptive.
- Data protection: Make sure that the cookie banner provides users with clear information about data protection and explains how their data will be used.
- Regular update: Check your cookie settings regularly and update the banner accordingly to ensure that it complies with the applicable data protection regulations.
- Mobile optimization: Think about the mobile optimization of the cookie banner. After all, your websites are also accessed from mobile devices.
Regular updates are advisable (especially for CMS plug-ins). Modern cookie banners are often developed further in order to adapt to the latest data protection regulations according to the GDPR.
Classic and popular - Borlabs Cookie
Borlabs Cookie is a WordPress plug-in solution for compliance with the General Data Protection Regulation (GDPR) with regard to cookies on websites. The plug-in enables website operators to inform their visitors transparently about the use of cookies and to control their cookie consent in compliance with the GDPR.
With Borlabs Cookie, different cookie categories can be created, cookie consent texts can be customized and the user’s consent can be managed. The cookie banner thus provides a simple and legally compliant way to implement the GDPR cookie guidelines on your own website.
With the ability to create different cookie notice categories and customize individual cookie consent texts, website operators can inform their visitors even more specifically via banners and respond to their preferences. Borlabs Cookie also offers the function to manage the user’s consent, which makes it possible to effectively control compliance with the GDPR with regard to cookies. This makes the plug-in not only a simple, but also a very practical solution for implementing the cookie policy on your own website.
Special case of VG Wort tracking pixels
VG Wort is a collecting society that deals with the exploitation of copyright-protected works in the digital sector. It remunerates authors, publishers and other rights holders for the use of their works on the internet.
This also includes remuneration for the use of texts, images and videos on websites. Tracking pixels are small images that are integrated into websites and are used to analyze the use of the website. In particular, they can provide information about the number of visitors, the time spent on the page and the origin of the visitors.
This data is of fundamental importance for determining earnings. Previously, the WordPress cookie banner plug-in Borlabs Cookie classified VG Wort’s tracking pixels (and cookies) under “technical cookies”, i.e. a type of cookie for which no active opt-in procedure (consent via button) is required. For many years, website operators were therefore subject to a certain residual risk.
According to the GDPR, website operators must always include a cookie notice in the privacy policy. The Bavarian data protection supervisory authority has now given the green light (at the request of VG Wort). All tracking pixels are data protection-compliant and therefore theoretically count as technically necessary cookies. The Bavarian experts emphasized (at the beginning of December 2023) that the tracking pixels and thus cookies do not transmit any personal data.
Is there a risk of a warning if the cookie banner is missing?
If there is no cookie banner on a website, this can lead to the threat of a warning. This is because, according to the General Data Protection Regulation (GDPR), users must be informed about the use of cookies and be able to give their consent. A missing cookie banner therefore violates data protection laws and can lead to legal consequences.
It is therefore important to implement a cookie banner on the website in order to avoid warnings. Exceptions only exist for the use of technically necessary cookies, whereby the opt-in solution is now also the better choice.
Do not forget the information in the privacy policy
A cookie notice belongs in the privacy policy because it contains information about how the website uses cookies to collect and process users’ personal data. By integrating a cookie notice into the privacy policy, visitors can be informed transparently about the use of cookies and give their consent.
It also helps to make the privacy policy complete and user-friendly, as all relevant information is bundled in one central location. This makes it easy for users to understand what data is collected by the cookie and how they can protect themselves against it.
Complete protection for website operators
Websites with an imprint, a privacy policy and a cookie banner are safer to operate and GDPR-compliant, as they meet the legal requirements. The legal notice increases the transparency of the website, as it contains important information about the operator. The privacy policy informs visitors about the handling of their personal data and thus contributes to data protection. The cookie banner informs users that cookies are used and enables them to give their consent.
This fulfils the legal requirements and minimizes the risk of warnings or fines. Overall, these measures ensure greater trust among users and contribute to secure operation for website operators. Regularly updating the privacy policy and legal notice is also important to ensure that all information is correct and up to date. This not only ensures the legal security of the website, but also increases the trust of visitors.
Typical errors during implementation
If the legal provisions relating to data protection are not all complied with, fines of up to 20 million euros may be imposed in the worst case. Compliance often fails because of these shortcomings:
- No cookie banner available at all (not GDPR-compliant)
- Only cookie notice in the banner, although "non-technical" cookies are also used
- Withdrawal of consent not possible
- Basic default setting of complete consent in the consent management system
- Selection options for the cookie consent banner
It therefore makes sense to use complete cookie consent solutions, even if these naturally cost a certain annual amount. Your own security and the data protection of your customers come first.
Data protection has top priority
The cookie banner obligation is an important measure to comply with data protection regulations (GDPR) and to protect the privacy of internet users. By integrating cookie banners, users are informed about which data is collected by cookies and have the option of agreeing to this or rejecting it.
Data protection is a fundamental right in the digital age, as personal data is sensitive and must not be processed without the consent of those affected. Companies and website operators must ensure that they are transparent about their data protection practices and obtain the consent of users before collecting data.