Cookie Banner

The cookie banner: when it’s needed and what to include!

A cookie is a small file that is stored on the user’s computer during a visit to the website. The information is read out again when the user visits the website later. This is used to track parts of the user’s behavior on the website. For this purpose, users receive identifiers that are classified as personal data. When using cookies, retargeting and tracking pixels on your own website, users must be informed of this fact on their first visit. This requires the so-called cookie banner.

So far so good – most people know that by now. However, since the introduction of the GDPR and the recent decisions of the ECJ and the BGH, stricter rules on this topic have applied. Before the GDPR, it was sufficient to provide information about the use of cookies in accordance with the EU Cookie Directive. It was not necessary to explain which cookies were involved. Not so today! The EU Cookie Directive still applies, but cookie banners must be much more comprehensive than before. Simply providing information about the use of cookies is no longer sufficient.

When does a website need a cookie banner?

Quite simply – as soon as the website uses cookies! Which cookies are involved is not decisive for answering this question.

Consent for non-technical cookies

According to the EU Cookie Directive, visitors to a website must be informed about the use of cookies in an easily understandable form and they must expressly consent to the storage of their data. This consent is only waived if the cookies are technically necessary – i.e. absolutely necessary to implement a service requested by the user. This includes, for example, so-called session cookies for storing language settings, log-in data or the shopping cart.

In contrast, the active consent of the website visitor is required for cookies that are not technically necessary, such as tracking and advertising cookies from third-party providers. Contrary to popular belief, an opt-out is not sufficient in this case. In practice, many cookie banners can still be found that tell website visitors the following: “We use cookies – if you continue to use our website, you agree to the use of cookies”. Many companies think they are doing especially well if they then also refer to their privacy policy within the cookie banner. Unfortunately, that is not the case!

Both the ECJ and the BGH have made it clear in their rulings that the use of technically unnecessary cookies requires the express consent of the user. Such consent is not given by the classic opt-out version, as the user does not actively agree to its use.

What should a cookie banner look like?

Many people ask themselves the legitimate question of what a cookie banner should look like. There are numerous different versions on the market, many of which are really good. If you really want to be on the safe side, you can get help from providers of professional cookie banners. Here you will also be informed about the current legal situation and any changes in case law.

If you don’t want to do this, you can of course also design a cookie banner yourself in compliance with the law. It is important that the cookie banner really informs about all cookies set on the website, including those that are technically necessary. In addition, the reasons for the use of cookies should be explained briefly and concisely in the banner itself. For example, “We use cookies to enable the technical presentation of the website to run smoothly. We also use cookies to share information about your use of our website with our social media, advertising and analytics partners.” Of course, the cookie banner can also have a completely different text. Ultimately, however, it must match the operator’s individual website.

In addition to the information about the use of cookies, the cookie banner must link to the privacy policy. Since the introduction of the GDPR, the website operator must explain all cookies used, including the underlying legal basis, in detail in the privacy policy. In order for the website user to be able to understand this legal basis, i.e. the legitimation for the use of their personal data, even before using the website, they must have quick access to the privacy policy.

Now comes the controversial and more difficult part: legally compliant consent to non-technically necessary cookies.
The cookie banners that are still widely used in practice, where the user only has to click on “ok”, are unfortunately no longer sufficient since the ECJ and BGH decisions. The user must be able to make a differentiated decision as to which cookies they want to consent to and which not. Of course, technically necessary cookies can be excluded from this consent. For this reason, it is positive to see more and more cookie banners that differentiate between Necessary, Marketing, Statistics and Preferences. For each of these options, the user can tick the box to give consent or leave it unticked. The necessary cookies are already ticked, which is completely legitimate. Some cookie banners additionally let the user view these options in even more detail. You can find numerous examples of this online.

Some companies have also reversed this version so that all the checkboxes are already ticked. In principle, this is an opt-out version and is not permitted. However, many save the situation by giving the option: “Save selection” or “Only allow essential cookies”. So if you prefer this version, you can also opt for this.

Where should the cookie banner be placed?

Ideally, the cookie banner should be placed at the bottom so that the website can be used properly even without giving consent or interacting with the cookie banner. Accepting or rejecting cookies should not be an obstacle to using the basic functions of the website.

Summary

The GDPR was supposed to bring about the so-called ePrivacy Regulation and with it a uniform regulation on the use of cookies. Unfortunately, we are still a long way from such a regulation. Until then, it will remain exciting to see how the courts will continue to deal with the use of cookies and how these rulings and, above all, this uncertainty will be handled in practice.

Christoph Renk
Christoph Rank
Senior Consultant Data Protection & Compliance