The administrative court in Wiesbaden has ruled that using Cookiebot on websites is unlawful. In a decision dated 01.12.2021 (case no.: 6 L 738/21.WI), the VG Wiesbaden determined that Cookiebot may not be used. Specifically, this concerned the website of RheinMain University of Applied Sciences (HSRM).
Update regarding Cookiebot usage
The following press release from the court has been revised. Previously, Cookiebot was explicitly mentioned, as shown in the screenshot of the original announcement:

Now that the VG Wiesbaden has opened up the case, it is speaking generally about cookie services. Therefore, more services than just Cookiebot are affected. I can also say with certainty that Cookiebot is covered by the ruling, based on my direct knowledge of the first press release. There are also references to Cookiebot in the decision.
Now, the Higher Administrative Court of Hesse is also dealing with the case.
Case facts
In a press release dated 06.12.2021, the VG Wiesbaden found that the so-called cookie tool Cookiebot is actually not allowed to be used. This applies as long as Cookiebot uses the service provider Akamai from the USA and does so in an inseparable way.
Cookiebot is intended to help website operators obtain consent from visitors before processing data that requires consent. This specifically includes cookies, as the name Cookiebot suggests. However, there are other processes that also require consent.
Given my previous observations that Cookiebot is impractical for obtaining legally compliant consent in practice, here are a few of my related posts:
- Cookiegeddon: The Failure of Consent Tools ([1])
- Practice test for Cookiebot
If a service such as a cookie consent management tool requires consent for itself, it is practically unusable or, from my point of view, meaningless. Other possible legal bases from Art. 49 GDPR are regularly excluded here.
The reasons why the Wiesbaden Administrative Court classifies Cookiebot as unlawful are primarily as follows. I am writing this in my own words, without claiming that the Wiesbaden Administrative Court meant it exactly this way. The same applies to my previous statements. Anyone interested can read the court's press release mentioned above for further details.
Cookiebot processes personal data and transfers it to a service provider in the USA. This service provider stores this personal data. That's already not good (cf. the Schrems II ruling). By doing so, the principles of Art. 44 ff GDPR are violated. In practice, there is a lack of consent here. How should this consent be obtained when Cookiebot is supposed to achieve that?
The data transfer from Cookiebot to Akamai, a service provider based in the USA, appears to be inextricably linked to Cookiebot. To my knowledge, Cookiebot can only be integrated in this configuration and not otherwise.
In my view, however, not even a consent for Cookiebot can be obtained that would conform to Article 49 GDPR. Similarly, the other legal bases listed in this article will probably regularly fall short.
In addition, Cookiebot processes further data that I believe is not technically necessary, for example, the User-Agent (exact browser version, operating system). Whether this was relevant to the court's decision, I can't assess quickly. In any case, according to my knowledge, Cookiebot does not offer a DPA, because Cookiebot believes it is not a commissioned processor, because Cookiebot believes it does not process personal data. At least the last argument seems questionable, and therefore possibly also the rest of what Cookiebot holds as true.
This once again shows that it's not a good idea to trust advertising claims from providers like Cookiebot.
Cookiebot is practically unusable.
My conclusion based on the ruling of the Wiesbaden Administrative Court.
It's also not a good idea to integrate a so-called Marvelous Tool and hope everything will be fine. That's nonsense. Almost every website that uses a so-called cookie tool is illegal and would deserve a warning. This is shown by my constant investigations, anyway. By the way, some of the visited websites I've seen are worth a warning. See you!
Please use privacy-friendly services. This will make annoying consent requests unnecessary. I describe possibilities and solutions in detail on Dr. GDPR.
Those who send data to Google, Akamai and others should build up reserves for legal disputes. Or it's best to leave processing data without a legal basis alone. Following laws would also be an approach.
The party against whom the Wiesbaden Administrative Court's ruling was issued can file an appeal within two weeks. Regardless, it is already an important step for data protection.
I was involved in the proceedings as an expert witness.
By the way, Cookiebot and UserCentrics have merged.

As far as I know, UserCentrics uses the Google Cloud. Google is a provider headquartered in the USA, as far as I am aware. The terms of service of the Google Cloud Platform state: "ALL CLAIMS ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE SERVICES ARE GOVERNED BY CALIFORNIA LAW" and "All claims … will be LITIGATED EXCLUSIVELY IN THE FEDERAL COURTS OR THE COURTS OF SANTA CLARA COUNTY, CALIFORNIA, USA; THE PARTIES CONSENT TO PERSONAL JURISDICTION IN THOSE COURTS."
Whoever thinks about a new consent tool might prefer one that is manageable instead.
Key takeaways of this article
The Wiesbaden Administrative Court has ruled Cookiebot to be unlawful.
Cookiebot processes data and transfers it to a service provider in the USA, which violates data protection regulations.
The close connection of Cookiebot with the US service provider makes lawful consent impossible.
Cookiebot may not comply with GDPR regulations.
Cookiebot may process unnecessary data.
Reliance on advertising claims from providers like Cookiebot should be avoided.




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.