Recommendations for the Implementation of Cookie Banners 

April, 2021 - Pariyapol Kamolsilp, Michael Kuska

The compliant use of cookies requiring consent has presented a major challenge for website operators for quite some time. Following the ruling of the Court of Justice of the European Union in the "Planet 49" case, many operators have adapted the cookie banners they use. However, in doing so, they are faced with the difficulty of designing the cookie banners in such a way that these encourage a high acceptance rate from users, while remaining legally compliant. A current recommendation by the State Commissioner for Data Protection in Lower Saxony and a judgment by the Regional Court of Rostock now contain advice on the design of cookie banners.

Background

With its judgment of October 1, 2019 (case no. C-673/17, "Planet 49"), the Court of Justice of the European Union (“CJEU”) made it clear that the prerequisite for effective consent to the use of cookies requiring consent is a clear affirmative - i.e. active - act (opt-in). The use of an opt-out in the form of pre-set checkboxes is therefore not permitted. The same applies to "declarations of consent", pursuant to which the user agrees to the use of cookies by merely accessing a website. With its judgment of May 28, 2020 (case no. I ZR 7/16), the German Federal Court (Bundesgerichtshof, “BGH”) confirmed the decision of the CJEU for Germany and, in this respected, based its decision on an interpretation of Section 15(3) of the German Telemedia Act (Telemediengesetz, “TMG”) that complies with European law (also see our Update Data Protection No. 76, available here).

As a result, many website operators have reacted and adapted or replaced the cookie banners or consent layer (hereinafter collectively referred to as “Cookie Banners”) used by them in order to obtain the necessary consent. Overall, a large number of different design variants have been created in doing so, some of which differ considerably in terms of the choice of color, font size, structure and level of detail. Often the Cookie Banners are designed in such a way that the users are enticed into giving their consent (so-called nudging). Examples include Cookie Banners in which the user can directly activate all cookies requiring consent at the first level using a central "consent button" (e.g. in the form of a button labeled "Accept all cookies"), however, conversely, can only refuse their consent after going through a multi-stage process. There are also regular Cookie Banners which at the first level contain a central “consent button” as well as a central “refuse button” (e.g. in the form of a button labeled “Reject all cookies” or “Only allow technically necessary cookies”), but this "refuse button" is not clearly recognizable due to the different color choices and font size or at least is not as prominently recognizable as the "consent button".

Specific requirements of the Regional Court of Rostock and the State Commissioner for Data Protection in Lower Saxony for the design of Cookie Banners

The judgment of the Regional Court of Rostock of September 15, 2020 (case no. 3 O 762/19) as well as the current recommendation of the State Commissioner for Data Protection in Lower Saxony (Landesbeauftragte für Datenschutz in Niedersachsen, “LfDN”) with the title “Datenschutzkonforme Einwilligung auf Webseiten – Anforderungen an Consent-Layer" (data protection compliant consent on websites – requirements for the consent layer) of November 2020, both now deal with the specific design of Cookie Banners and the legal limits of nudging.

The subject of the proceedings before the Regional Court of Rostock was a Cookie Banner with a white background and gray information text which explained the use of cookies. At the bottom of the Cookie Banner there was a green “consent button” labeled “Allow cookies”. The “consent button” was therefore more clearly highlighted in green compared to the information text. The cookies that require consent were also already pre-selected. The user was able to call up further information on the cookies via a button "Show details" and deselect the individual cookies there. In addition, immediately next to the “consent button”, there was a “refuse button” labeled “Only allow necessary cookies”, with which the user could limit the use to technically necessary cookies that did not require consent. The latter button, unlike the “consent button”, had a light gray background and the text it contained was in a standard white color. In addition to the fact that the pre-selection of cookies requiring consent was not permitted, the Regional Court of Rostock came to the conclusion in its judgment that the design of the Cookie Banner was not legally compliant, as the "refuse button" was not even recognizable as a clickable button and, because of the way it is designed, it takes a back seat to the “consent button”. According to Regional Court of Rostock, it can therefore be assumed that the “refuse button” is regularly not noticed by users. Finally, the court emphasized that the information text contained in the Cookie Banner did not change this assessment, as it did not explain which cookies would ultimately be "activated" by which of the two buttons provided.

The statements of Regional Court of Rostock, in turn, correspond to those of the LfDN in the above-mentioned recommendation. In it, the LfDN emphasizes that behavior-manipulating designs can lead to the invalidity of the consent, even if the use of nudging techniques should not be considered inadmissible per se. According to the LfDN, the decisive factor for the assessment is whether the “consent” option is more conspicuous than the “reject” option in terms of color, font and other highlighting. Another factor is whether the rejection process is unnecessarily complicated. As an example for an inadmissible Cookie Banner the LfDN cites a Cookie Banner , in which a "refuse button" is missing at the first level and the user must therefore call up a second level to reject the cookies that require consent, deactivate any pre-selected cookies there, if necessary, and then save the settings. According to the LfDN, it is also inadmissible if the cookie settings of a user are not saved and the user is prompted to give their consent each time the website is accessed by repeatedly presenting the Cookie Banner upstream. In any case, this should apply if there is no “Reject all” button at the first level.

Conclusion and recommended actions

The judgment of the Regional Court of Rostock and the recommendation of the LfDN indicate an initial tendency with regard to the design of Cookie Banners. At the same time, it should be noted that website operators continue to have a certain leeway when designing their Cookie Banners.

Taking this into account, website operators should ensure that users have an uncomplicated and recognizable option to refuse consent. For this purpose, it is advisable if, in addition to a "consent button" with which the user can activate all cookies requiring consent, there is also on the first level of the Cookie Banner a "refuse button" with which the user can refuse the use of cookies requiring consent or confirm the use of specifically selected cookies requiring consent. At the same time, the “refuse button” should be clearly recognizable with regard to font size and color choice, and not “hidden” at a downstream level. From our point of view, it is also justifiable in this case if the "refuse button" and "consent button" are highlighted with different colors, as long as the "refuse button" is still clearly recognizable.

Users should also have an easy-to-find option to revoke their consent. A link with the designation “Cookie settings” in the header or footer of the website can be used here, via which the user can call up the Cookie Banner again and change their consent settings. Alternatively, this link can also be integrated into the data protection declaration.

Overall, website operators should therefore carefully check whether their current use of cookies corresponds to these requirements. This also applies to website operators who use external tools to collect and manage the cookies they use. If this is not the case, there is a risk that the consent will be invalid and, therefore, the entire cookie use will be considered unlawful. This, in turn, can lead to measures by the supervisory authorities, claims made by the data subjects or - as in the case before the Regional Court of Rostock - lawsuits from consumer protection associations. Website operators should also continue to observe further developments. For example, discussions are currently underway at a federal level as to whether the proposed draft for the new German Telecommunications-Telemedia Data Protection Act] (Telekommunikation-Telemedien-Datenschutzgesetz, “TTDSG”) should be expanded to include explicit provisions on the design of Cookie Banners.

 

MEMBER COMMENTS

WSG Member: Please login to add your comment.

dots