Why are consent tools often flawed?

Consent Tools often do not meet the requirements of the GDPR, as they do not correctly implement the specifications for the naming of purposes and durations of cookies. Furthermore, the data protection rules of many providers are not sufficiently considered.

What problems arise from the use of consent tools?

Most tested websites that use consent tools do not achieve GDPR compliance. This is often due to the fact that the tools do not provide the necessary information transparently or do not adequately protect user rights.

What is the main problem with using Consent Tools?

Consent tools are often not legally robust, as they do not guarantee the requirements for purpose specification and the voluntariness of consent. Many providers appear not to fully understand and implement the legal requirements.

Which websites require at least one additional click to utilize a rejection option regarding data collection, according to the article?

Do websites of ADAC, Commerzbank, digitalehelden.de, Euronics, FFH, Handelverbund, Heise-Regioconcept, Hertie and KIA require an additional click action to object to consent-required data assessments?

What problems were identified with some of the tested consent tools?

The test reveals that some consent tools, such as UserCentrics, have flawed implementations. This includes a lack of information regarding the cookies used, an unclear distinction between tracking and personalization, and the fact that revocation requests are not always effectively processed.

Why is the Google Tag Manager description problematic regarding the processing of personal data?

The description claims to not process personal data, despite IP addresses already being recorded when the Tag Manager is called. This statement is misleading and contradicts the reality of data collection.

What problems arise from the unclear specification of data recipients and their locations?

The provision of data recipients, particularly Alphabet Inc. and Google LLC, is inaccurate and incomplete. The lack of specification of addresses and corporate headquarters hinders transparency and the verification of data processing.

Why does the cookie revocation option often not work correctly?

The option to revoke is often implemented incorrectly and does not result in cookies actually being deleted. Instead, the services remain active without a proper revocation declaration being made.

Cookiegeddon: The failure of all (?) consent tools

A comprehensive practical test of popular consent tools for websites with test results. I checked the technical and legal requirements of the GDPR. Websites that use consent tools were tested.

Update August 2024: Basically, none of the mentioned problems are cured. Consent tools are still as bad as they have been years ago.

All tested websites, that use a popular consent tool, show serious flaws.
Test result, based on the tested websites that use a consent tool. Status: 31.12.2020

None of the tested websites showed data protection-friendly behavior. All tested websites were unable to achieve GDPR-compliance with the help of the consent tools used. Even websites from consent tool providers are among the negative examples.

Possible reasons for this result:

Consent tools are unsuitable for implementing the requirements of the GDPR
Many providers of Consent Tools appear not to know relevant data protection rules
The mere inclusion of a Consent Script is objectively not sufficient*
The operators of the websites rely too much on the consent tools and do not bother with data protection rules themselves

Hard facts in a nutshell:

Some regulations are already anchored in relevant laws and do not require subsequent clarification by judgments. Examples: Revocation notice where consent is requested (Art. 7 Sec. 3 GDPR); Mention of risks when transferring data to insecure third countries (Art. 44 GDPR)
Judgments like that of CJEU on cookies state that the purposes and duration of cookies must be named (Art. 13 GDPR).
Consent must be voluntary. Common sense says that for voluntariness, refusal should be as easy as consent. This is regularly stated in judgments. The ePrivacy Directive also states this. It is used, for example, at Google Analytics.
Providers of services used must be named. This is stipulated in law and also in judgments. A provider is only named when his company name, address, and country of company headquarters are named.
Data processing carried out, including the services used, must be explained (cf. Art. 13 GDPR).
The purpose of cookies that are managed by third-party services is known ad hoc only to these third parties. Unfortunately, these third parties often do not provide any information on the purposes of these cookies. In this respect, the user of a third-party tool may not be able to properly state the purposes.
For the lack of transparency in data protection information, such as that provided by the Google conglomerate, is liable (initially exclusively) the operator of a website that uses Google Tool.
A legally secure cookie management is basically not possible. My background article lists five reasons for this.
Update June 2021: Google itself admits that all Analytics data from Google Analytics is always processed in the USA. This was not taken into account during my tests, but it leads to even clearer findings.

If the owner of one of the websites mentioned thinks they have made improvements, please contact me. I will then publish an update in this article.

No one could name me a website that uses a popular consent tool and several services requiring consent that is GDPR-compliant.
My 100 euro bet that was never paid out.

Some argue that one can regulate everything with the settings of some consent tools. That is obviously either false or not implemented in practice, which amounts to the same thing. Whoever looks at the legal and terms of use of Google Tools a bit more closely will easily recognize where part of the problem lies.

Introduction

As Consent Tools are understood as aids with which a consent from a website visitor can be obtained for data processing operations before an otherwise unauthorized data processing takes place. Often, mistakenly, Cookie Consents are spoken of, although there are also other consent-required data processing operations besides cookies.

Websites that use the following so-called consent solutions were tested:

Borlabs Cookie
CCM19
consent manager
Cookiebot (see decision of the LG Wiesbaden, which declared Cookiebot unlawful)
Of course!
OneTrust / Optanon / Cookie Law
Usercentrics (active together with Cookiebot since 01.09.2021)

Websites that use Consent Tools (seven other websites are not mentioned by name):

Websites that use consent requests (instead of cookiebot.de, cookiebot.com is correct). Image was automatically translated.

Of these 24 websites plus the seven others, a total of 20 websites were tested. I have to say, however, that a brief visual inspection of the websites that were not officially tested did not reveal any great satisfaction due to particularly good implementation of the relevant data protection regulations. Additional websites inspected after the publication of this article paint the same picture. This also applies as of August 2021.

Read full article now via free Dr. GDPR newsletter.

More extras for subscribers:
Offline-AI · Free contingent+ for Website-Checks

Already a subscriber? Click on the link in the newsletter & refresh this page.

↓

Subscribe to Newsletter