This decision is in line with the standards proposed by the German association of Data Protection Authorities (DSK), the European Data Protection Board (EDPB) and the European Court of Justice (ECJ). It is worth mentioning that the European Union’s Court of Justice (CJEU) judgment on the Planet49 case influenced the BGH ruling. The CJEU ruled that consent obtained through a pre-ticked checkbox is not valid. That is, a pre-enabled option for consent for cookies is an unlawful practice.
The BGH ruling reaffirms the Germany DSK cookie guidelines (available in German)published in 2019. This article will discuss the important takeaways from the guidelines for cookies and what steps you need to take to comply with them.
What is cookie consent?
The GDPR allows data collection and use for purposes that have one of the six legal bases:
- Explicit consent of users
- Legal obligation for data collection and use
- Contractual obligation between the data controller and the user
- The legitimate interest of the data controller
- For the vital interest of the user or another user
- For carrying out tasks in the public interest
In the case of using cookies to collect data, the most reliable and applicable basis is getting user consent.
Art 4 of GDPR (DSGVO) defines consent as:
“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”
That is, consent is only valid if it is freely given, specific, informed, and unambiguous. Let us look at what each of them means concerning cookies.
- Freely given – the users must give consent to cookies of their free will rather than be compelled to.
- Specific – Each cookie operation or function must have a separate consent choice rather than a single common option. The users must have a choice to enable each of them.
- Informed – you must provide adequate information about cookies and their purpose for the users to make an informed decision on cookie consent.
- Unambiguous: consent must be expressed via an explicit action, such as clicking a button. Implicit consent such as not responding to the consent request or browsing through the page is not valid.
Other than these, the cookie consent must also be:
- Revocable – the users must be able to easily withdraw their cookie consent at any time.
- Demonstrable – the website operator must be able to provide proof of cookie consent received if requested by the users or the regulatory authority.
German DSK guidelines for cookies, cookie banner, and consent tool
Here are the main takeaways related to cookie consent from the DSK guidelines
- Do not use store cookies on the users’ device without getting their explicit consent unless they are strictly necessary cookies.
- Using Google Analytics cookies does not constitute “legitimate interest” and it requires the users’ explicit consent (DSK opinion on Google Analytics).
- The cookie consent banner must provide an overview of all cookie operations that require consent, with adequate information about their purpose and source.
- These operations can be activated or enabled via a selection menu. The operation must not be pre-activated.
- Cookie banner that explains each and every cookie and gives separate consent options
- While the banner is displayed to the user on a website or web app, it must block all cookie scripts that collect user data.
- Do not load cookies unless the users give their consent using an explicit action, such as ticking a checkbox or clicking a button on the banner.
- To demonstrate proof of consent (Art. 7 of the GDPR), an indirect identification (Art. 11) of the user is enough.
- There must be an option on the cookie banner or consent tool to let users withdraw their consent and it must be as easy as giving consent (Art 7 of the GDPR).
- Do not use the “OK” (or similar dismissive terms) button along with cookie settings. It robs the users of a “free” and “genuine” choice for refusing consent.
- The users must be able to visit the website even if they refuse to consent to cookies.
- Silence, inactivity, or non-affirmative actions, such as scrolling through a page does not indicate consent.
How CookieYes cookie consent solution helps
CookieYes is a web app for cookie consent management for your website. It helps you to comply with GDPR, CCPA, LGPD, and ePrivacy Directive for cookies. It is easy to add a cookie consent banner to your website and manage its operations with our solution. It supports major CMS, such as WordPress, Shopify, MODX, Magento, Drupal, Joomla, Squarespace, and Blogger.
CookieYes’ features will help your website to comply with the DSK cookie consent requirements. Let us take a look at them:
- Customize the content, layout, and color scheme of the cookie banner.
- Customize the label and color of the consent buttons
- Automatically block non-essential cookies, such as Google Analytics, before the users give their consent (when the banner is displayed).
- Disable pre-activation of cookies before consent.
- Give selective cookie activation based on their purpose/function for the users via the cookie preference menu.
- Log user consents registered via the banner under unique consent IDs (does not directly identify the users).
- Enable an easy cookie banner revisit option for the users to withdraw consent at any time.
Other features include:
- Scan your website for cookies and identify the cookie categories.
- Auto-translation of the cookie consent banner to 26 languages.
- Display the cookie banner based on the users’ location.
- Additional banner customization using CSS.
- Add your custom brand logo to the banner.
- Manage cookie consent of multiple websites in one account.
Sign up for free and make your website compliant with the DSK cookie guidelines.