Recommendations for the Implementation of Cookie Banners
Update Data Protection No. 93
As a result, many website operators have reacted and adapted or replaced the cookie banners or consent layer (hereinafter collectively referred to as “Cookie Banners”) used by them in order to obtain the necessary consent. Overall, a large number of different design variants have been created in doing so, some of which differ considerably in terms of the choice of color, font size, structure and level of detail. Often the Cookie Banners are designed in such a way that the users are enticed into giving their consent (so-called nudging). Examples include Cookie Banners in which the user can directly activate all cookies requiring consent at the first level using a central "consent button" (e.g. in the form of a button labeled "Accept all cookies"), however, conversely, can only refuse their consent after going through a multi-stage process. There are also regular Cookie Banners which at the first level contain a central “consent button” as well as a central “refuse button” (e.g. in the form of a button labeled “Reject all cookies” or “Only allow technically necessary cookies”), but this "refuse button" is not clearly recognizable due to the different color choices and font size or at least is not as prominently recognizable as the "consent button".
Specific requirements of the Regional Court of Rostock and the State Commissioner for Data Protection in Lower Saxony for the design of Cookie Banners
The judgment of the Regional Court of Rostock of September 15, 2020 (case no. 3 O 762/19) as well as the current recommendation of the State Commissioner for Data Protection in Lower Saxony (Landesbeauftragte für Datenschutz in Niedersachsen, “LfDN”) with the title “Datenschutzkonforme Einwilligung auf Webseiten – Anforderungen an Consent-Layer" (data protection compliant consent on websites – requirements for the consent layer) of November 2020, both now deal with the specific design of Cookie Banners and the legal limits of nudging.
The statements of Regional Court of Rostock, in turn, correspond to those of the LfDN in the above-mentioned recommendation. In it, the LfDN emphasizes that behavior-manipulating designs can lead to the invalidity of the consent, even if the use of nudging techniques should not be considered inadmissible per se. According to the LfDN, the decisive factor for the assessment is whether the “consent” option is more conspicuous than the “reject” option in terms of color, font and other highlighting. Another factor is whether the rejection process is unnecessarily complicated. As an example for an inadmissible Cookie Banner the LfDN cites a Cookie Banner , in which a "refuse button" is missing at the first level and the user must therefore call up a second level to reject the cookies that require consent, deactivate any pre-selected cookies there, if necessary, and then save the settings. According to the LfDN, it is also inadmissible if the cookie settings of a user are not saved and the user is prompted to give their consent each time the website is accessed by repeatedly presenting the Cookie Banner upstream. In any case, this should apply if there is no “Reject all” button at the first level.
Conclusion and recommended actions
The judgment of the Regional Court of Rostock and the recommendation of the LfDN indicate an initial tendency with regard to the design of Cookie Banners. At the same time, it should be noted that website operators continue to have a certain leeway when designing their Cookie Banners.
Users should also have an easy-to-find option to revoke their consent. A link with the designation “Cookie settings” in the header or footer of the website can be used here, via which the user can call up the Cookie Banner again and change their consent settings. Alternatively, this link can also be integrated into the data protection declaration.