For many tools and cookies, consent is required. So-called consent tools are supposed to help here, but they do not suffice, as my practice test has shown. What requirements must a consent request actually meet?
Introduction
According to Art. 6 Sec. 1 GDPR, the use of data processing plugins and tools on websites is essentially only permitted if
- the website operator has a legitimate interest, or
- consent from the website visitor has been obtained.
Websites that do not use cookies and also process data only as necessary (e.g., contact form) do not need a "cookie popup".
The same applies if only necessary cookies are used, such as for shopping cart management.
Furthermore, Article 5 Section 3 of the ePrivacy Directive stipulates that even retrieving or reading out cookies requires consent. The directive also applies to Germany via § 15 Section 3 TMG, as the BGH established in its Planet49 ruling (28.05.2020 – I ZR 7/16). The provision was officially introduced in Germany with § 25 TTDSG in December 2021.
Art. 44 ff. GDPR stipulate that data transfers to insecure third countries (such as the USA) are not permitted per se. Since IP addresses are already personal data, the GDPR in principle always applies to websites.
According to these legal bases, the following tools, for example, require consent:
- Google Analytics: ePrivacy Directive, data transfer to the US
- Google Maps: ePrivacy Directive (and/or others)
- Facebook Plugin: ePrivacy Directive (and/or others)
- Google Fonts (external access): Art. 44 ff. GDPR or Art. 5 GDPR (data minimization)
- Google reCAPTCHA: ePrivacy Directive (and/or others)
- YouTube videos with cookies: ePrivacy Directive (and/or others)
- YouTube videos without cookies: Art. 44 ff. GDPR or Art. 5 GDPR (data minimization)
- Vimeo videos: Art. 44 ff. GDPR or Art. 5 GDPR (data minimization)
- SoundCloud Player: ePrivacy Directive (and/or others)
The list could be continued almost indefinitely with other well-known tools. A legitimate interest can be ruled out for all of these services. In some cases this can even be proven technically and thus beyond doubt.
Consent Tool Checklist
If you are risk-tolerant enough to want to use one of the common consent solutions, this checklist will help you check your project. The common solutions, as my practice test has shown, are not solutions.
According to my tests, the following consent tools are inadequate:
- Borlabs Cookie
- CCM19
- Cookiebot
- consentmanager
- Klaro!
- OneTrust / Optanon / CookieLaw
- Usercentrics
The requirements for consent requests arise from the text of the GDPR and from judgments by the ECJ and the BGH. Meanwhile, there are also judgments from smaller courts, such as the LG Rostock (15.09.2020 – 3 O 762/19), which considers it unlawful if refusing is not as easy as consenting.
Requirements for consent queries:
- The right of withdrawal must be clearly visible → Art. 7 Sec. 3 GDPR
- Refusal should be as easy as consent → Judgment of LG Rostock
- A privacy-unfriendly preselection is not allowed → ECJ ruling Planet49
- Simple revocation possibility → Art. 7 Sec. 3 GDPR
- Withdrawal must be easy (number of clicks!) → Art. 7 Sec. 3 GDPR
- Withdrawal must be complete (deletion of all cookies, unloading of all services) → Art. 7 Sec. 3 GDPR
- After revocation, the website should reload automatically in order to deactivate all active services
- Information about the services for which consent is given. Option to consent to each service individually or by category of services → Art. 12 GDPR, Art. 7 Sec. 4 GDPR
- For Service → Art. 13 GDPR




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
