Everything remains different – Cologne Regional Court on cookie banners
External data protection officers are repeatedly confronted with the question from the marketing department: “Is the format of this cookie banner now GDPR-compliant?”. The data protection officer then typically answers with the usual precision of “it depends.”
The first element to look at is the purpose of the ever-popular pop-up. When a website is visited for the first time, information should be provided on the use of possible tracking mechanisms and external data sources. Above all, the preferences of the visitor should be collected.
May we track where website visitors come from, which pages they visit and what the click-through rates are on our individual offers? Then there is the collection of the various permissions to display external content such as Twitter, YouTube or other external data providers. Behind all this is usually the company’s marketing team, which wants to convey information in the most user-friendly way possible in order to present its own product in the best possible manner.
However, one cannot write about cookie banners without going into various developments and decisions of the last few years.
In spring 2022, YouTube adjusted its cookie banner following pressure from the French data protection authority. This means that a “comprehensive refusal” is now possible at the first level. In addition, European data protection representatives recently spoke out on misleading designs (also known as nudging) such as consent and rejection buttons of the same colour. Likewise, the success of Max Schrems and his organisation NOYB in connection with several complaints to European supervisory authorities should not be forgotten. Google Analytics, with its non-transparent mechanisms, was no longer considered so easy to use. As a result, only the consent-based use of this tracking tool became the standard. Another point was the direct access to the imprint without needing to consent or refuse first.
Regional Court of Cologne has now published a decision, which details the requirements for the cookie banner somewhat. But not by much. Instead of receiving an indication of the perfect solution, as hoped, in the ruling with the file number 33 O 376/22, the Regional Court of Cologne was only able to partially confirm the points of complaint of the Verbraucherschutzzentrale Nordrheinwestfalen e.V. (Consumer Protection Centre of North Rhine-Westphalia).
Thus, the choice of “…only with the necessary cookies” was hidden in the continuous text and thus insufficient in size, shape and design to be considered an actual and equivalent choice…. At the same time, the court found that the consumer protection agency’s request was too broad, that “a rejection option equivalent to the declaration of consent in form, function and colouring, of equal rank and equally easy to use” must be included. So rejection is designed the same as consent? The regional judges apparently did not want to go that far either and referred to the lack of references in the GDPR or its recitals. By the way, the proceedings of the consumer protection organisations against Deutsche Telekom also contained several decisions on existing transfers to credit agencies and Google. But here, too, the court found that some of the requests submitted were too broad and/or unfounded.
How to proceed with the cookie banners now? Well, in addition to the countless recommendations and decisions, one should always use common sense and provide honest and simple information. There must be a choice between consent and rejection, clearly visible. Without nudging or rejection over five (5) levels. Designing cookie banners in a privacy-compliant way is not rocket science nor a closed book. But something you should always keep in mind. That’s where we help our clients.
And that’s exciting, like data protection.
