For many tools and cookies, consent is required. So-called consent tools are supposed to help here, but they do not suffice, as my practice test has shown. What requirements must a consent query actually meet?
Introduction
Under Art. 6 Sec. 1 GDPR, the use of data-processing plugins and tools on websites is essentially only permitted if either
- the website operator has a legitimate interest, or
- the website visitor has given consent.
Websites that set no cookies and process data only as far as necessary (e.g., for a contact form) do not need a "cookie popup". The same applies if only strictly necessary cookies are used, such as for shopping-cart management.
Furthermore, Art. 5 Sec. 3 of the ePrivacy Directive stipulates that even storing cookies or reading them out requires consent. As the BGH established in its Planet49 ruling (28.05.2020 – I ZR 7/16), the directive also applies in Germany via § 15 Sec. 3 TMG; the provision was expressly transposed into German law with § 25 TTDSG in December 2021.
Art. 44 ff. GDPR stipulate that data transfers to insecure third countries (such as the USA) are not permitted as such. And since IP addresses are already personal data, the GDPR applies to practically every website at all times.
On these legal bases, the following tools, for example, require consent:
- Google Analytics: ePrivacy Directive, data transfer to the USA
- Google Maps: ePrivacy Directive (and/or others)
- Facebook plugin: ePrivacy Directive (and/or others)
- Google Fonts (loaded externally): Art. 44 ff. GDPR or Art. 5 GDPR (data minimisation)
- Google reCAPTCHA: ePrivacy Directive (and/or others)
- YouTube videos with cookies: ePrivacy Directive (and/or others)
- YouTube videos without cookies: Art. 44 ff. GDPR or Art. 5 GDPR (data minimisation)
- Vimeo videos: Art. 44 ff. GDPR or Art. 5 GDPR (data minimisation)
- SoundCloud player: ePrivacy Directive (and/or others)
The list could be extended almost arbitrarily with further well-known tools. A legitimate interest can be ruled out for all of these services, and in some cases this can even be shown technically, and therefore beyond doubt.
Here you can check in seconds (free of charge and without registration) whether a website is privacy-friendly or whether action is required.
Consent Tool Checklist
If you are willing to take the risk of using one of the common consent solutions, this checklist will help you check your project. The common solutions, as my practice test has shown, are not solutions.
According to my tests, the following consent tools are inadequate:
- Borlabs Cookie
- CCM19
- Cookiebot
- consentmanager
- Klaro!
- OneTrust / Optanon / CookieLaw
- Usercentrics
The requirements for consent queries follow from the text of the GDPR and from rulings of the ECJ and the BGH. By now there are also rulings from lower courts, such as the LG Rostock (15.09.2020 – 3 O 762/19), which held it unlawful if refusing is not as easy as consenting.
Requirements for consent queries:
- The right to withdraw consent must be clearly pointed out → Art. 7 Sec. 3 GDPR
- Refusing must be as easy as consenting → ruling of the LG Rostock
- Privacy-unfriendly preselection (pre-ticked boxes) is not permitted → ECJ Planet49 ruling
- Withdrawal must be simple (count the clicks!) → Art. 7 Sec. 3 GDPR
- Withdrawal must be complete (deletion of all cookies, unloading of all services) → Art. 7 Sec. 3 GDPR
- After withdrawal, the website should reload automatically so that all services that were already running are actually deactivated
- Naming of the services for which consent is requested, with the option to consent per service or per category of services → Art. 12 GDPR, Art. 7 Sec. 4 GDPR
- Per service → Art. 13 GDPR:
  - Provider (full company name, address and country)
  - Purposes of the processing → Art. 5 Sec. 1 GDPR
  - Recipients of the data (full company name including address and country)
  - Countries in which the data is processed
  - Notice of the risks of transfers to insecure third countries → Art. 49 Sec. 1 GDPR
  - List of all cookies set by the service, and per cookie:
    - Cookie name
    - Purpose → ECJ Planet49 ruling
    - Lifetime → ECJ Planet49 ruling
- Recording of the consent given, as proof on request → Art. 7 Sec. 1 GDPR
- Scripts for Vimeo or YouTube videos, external fonts and most Google tools, including Google Tag Manager, may only be loaded after consent. The USA is an insecure third country; even standard contractual clauses do not change that.
- Complete description of all data processing by the services used in the privacy policy.
- The privacy policy must remain accessible despite the consent window; the link to it must not be covered by the popup.
- The privacy policy must be readable without having to click a consent query away.
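As an added example that is not part of the original article, and not the code of any consent tool named on this page, the following JavaScript sketches how a consent gate that meets the technical items on this list could behave: nothing is loaded before consent, refusing is one call just like granting, every decision is logged with a timestamp as proof, and withdrawal expires every cookie the page can reach and then reloads the page. The two service ids, their script URLs and the sample cookies are assumptions for illustration, and a constructed stand-in for the browser document is used so the logic runs outside a browser.

```javascript
// Added example (not from the article or from any of the consent tools it names):
// a minimal per-service consent gate. Third-party scripts are injected only after
// consent, every decision is logged with a timestamp as proof (Art. 7 Sec. 1 GDPR),
// and withdrawal expires every cookie the page can see and then reloads the page
// (Art. 7 Sec. 3 GDPR). Service ids and script URLs are assumptions for illustration.
const SERVICES = {
  youtube: { script: "https://www.youtube.com/iframe_api" },
  analytics: { script: "https://www.googletagmanager.com/gtag/js" },
};

// Parse document.cookie into { name: value }. Only first-party cookies without the
// HttpOnly flag are visible here; HttpOnly cookies and cookies set by embedded
// third-party origins are not, which is one objective reason why a page-side
// consent tool cannot "unload" a service completely on its own.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

function createConsentGate(doc, hostname, now = () => Date.now()) {
  const state = {}; // service id -> granted (true/false)
  const log = [];   // every decision, kept as proof on request

  function record(service, granted) {
    state[service] = granted;
    log.push({ service, granted, at: new Date(now()).toISOString() });
  }

  return {
    grant(ids) { ids.forEach((id) => record(id, true)); },
    refuse(ids) { ids.forEach((id) => record(id, false)); }, // exactly as easy as grant()
    consented() { return Object.keys(state).filter((id) => state[id]); },
    proof() { return log.slice(); },

    // Inject <script> elements for consented services only; nothing loads before consent.
    loadConsented() {
      const loaded = [];
      for (const id of this.consented()) {
        const el = doc.createElement("script");
        el.src = SERVICES[id].script;
        el.async = true;
        doc.head.appendChild(el);
        loaded.push(id);
      }
      return loaded;
    },

    // Withdraw everything: expire each readable cookie for the host and each parent
    // domain (cookies may have been set with Domain=example.com), then reload so that
    // scripts already running are really gone. Returns the cookie names it could reach.
    withdrawAll() {
      Object.keys(state).forEach((id) => record(id, false));
      const names = Object.keys(parseCookies(doc.cookie));
      const labels = hostname.split(".");
      const expired = "expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/";
      for (const name of names) {
        doc.cookie = `${name}=; ${expired}`;
        for (let i = 0; i < labels.length - 1; i++) {
          doc.cookie = `${name}=; ${expired}; domain=${labels.slice(i).join(".")}`;
        }
      }
      doc.location.reload();
      return names;
    },
  };
}

// Constructed stand-in for the browser document so the example runs outside a browser.
// It honours the expires attribute (a past date deletes) and ignores domain/path matching.
function fakeDocument(initialCookies) {
  const jar = { ...initialCookies };
  return {
    head: { children: [], appendChild(el) { this.children.push(el); } },
    location: { reloads: 0, reload() { this.reloads++; } },
    createElement: (tag) => ({ tag }),
    get cookie() { return Object.entries(jar).map(([k, v]) => `${k}=${v}`).join("; "); },
    set cookie(str) {
      const [pair, ...attrs] = str.split(";").map((s) => s.trim());
      const name = pair.slice(0, pair.indexOf("="));
      const exp = attrs.find((a) => a.toLowerCase().startsWith("expires="));
      if (exp && Date.parse(exp.slice(8)) < Date.now()) delete jar[name];
      else jar[name] = pair.slice(pair.indexOf("=") + 1);
    },
  };
}

// Walk through grant, load and withdraw with constructed sample cookies.
function demo() {
  const doc = fakeDocument({ _ga: "GA1.2.123", session: "abc" }); // constructed sample cookies
  const gate = createConsentGate(doc, "www.example.com");
  const before = gate.loadConsented();   // [] : nothing loads without consent
  gate.grant(["youtube"]);
  const after = gate.loadConsented();    // ["youtube"]
  const cleared = gate.withdrawAll();    // ["_ga", "session"]
  return { before, after, cleared, reloads: doc.location.reloads, remaining: doc.cookie, proof: gate.proof() };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the withdrawal path is the reload: once a third-party script is running, removing its `<script>` element does not stop it, so the page must be reloaded with the consent state reset. Note also the limits that no page-side gate can overcome, which support the "objective reasons" mentioned further down: `document.cookie` never shows HttpOnly cookies or cookies set by an embedded third-party origin, so those cannot be deleted from here; a complete withdrawal therefore requires the services not to have been loaded in the first place.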
It may be that there are further requirements. I would appreciate a message if something is missing.
Important to know:
- Services are also referred to as tools or plugins. Almost every well-known tool requires consent.
- Cookies are only one reason for consent. See IP addresses and data minimisation, as well as my expert article.
- IP addresses are personal data. Every access to a website or service therefore means an exchange of personal data.
- Data minimisation: unnecessary data transfers are to be avoided → Art. 5 Sec. 1 GDPR.
- So-called consent tools are, according to my practice test, unsuitable for complying with all data protection regulations. There are even objective reasons why consent tools cannot function reliably.
In a separate article, alternatives to various Google tools are described.
Key messages
Websites often need to get user consent for using tools and cookies.
Consent tools are not always sufficient and must meet specific legal requirements.
The GDPR and ePrivacy Directive set rules for obtaining valid consent and transferring data.
Consent must be as easy to withdraw as it is to give.
Users should be fully informed about what data is collected and how it is used.
Consent tools are often unreliable and may not fully comply with data protection regulations.
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
