
Cookiegeddon: The failure of all (?) consent tools

Cookie banners regularly lead to illegal websites (image was automatically translated).

A comprehensive practical test of popular consent tools for websites with test results. I checked the technical and legal requirements of the GDPR. Websites that use consent tools were tested.

Update August 2024: Basically, none of the problems mentioned have been cured. Consent tools are still as bad as they were years ago.

All tested websites that use a popular consent tool show serious flaws.

Test result, based on the tested websites that use a consent tool. Status: 31.12.2020

None of the tested websites showed data protection-friendly behavior. All tested websites were unable to achieve GDPR-compliance with the help of the consent tools used. Even websites from consent tool providers are among the negative examples.

Possible reasons for this result:

  • Consent tools are unsuitable for implementing the requirements of the GDPR
  • Many providers of Consent Tools appear not to know relevant data protection rules
  • The mere inclusion of a Consent Script is objectively not sufficient*
  • The operators of the websites rely too much on the consent tools and do not bother with data protection rules themselves

Hard facts in a nutshell:

  • Some regulations are already anchored in relevant laws and do not require subsequent clarification by judgments. Examples: Revocation notice where consent is requested (Art. 7 Sec. 3 GDPR); Mention of risks when transferring data to insecure third countries (Art. 44 GDPR)
  • Judgments like that of CJEU on cookies state that the purposes and duration of cookies must be named (Art. 13 GDPR).
  • Consent must be voluntary. Common sense says that for voluntariness, refusal should be as easy as consent. This is regularly stated in judgments. The ePrivacy Directive also states this. It applies, for example, to Google Analytics.
  • Providers of services used must be named. This is stipulated in law and also in judgments. A provider is only named when its company name, address, and country of company headquarters are given.
  • Data processing carried out, including the services used, must be explained (cf. Art. 13 GDPR).
  • The purpose of cookies that are managed by third-party services is known ad hoc only to these third parties. Unfortunately, these third parties often do not provide any information on the purposes of these cookies. In this respect, the user of a third-party tool may not be able to properly state the purposes.
  • The operator of a website that uses a Google tool is liable (initially exclusively) for the lack of transparency in data protection information, such as that provided by the Google conglomerate.
  • A legally secure cookie management is basically not possible. My background article lists five reasons for this.
  • Update June 2021: Google itself admits that all Analytics data from Google Analytics is always processed in the USA. This was not taken into account during my tests, but it leads to even clearer findings.

If the owner of one of the websites mentioned thinks they have made improvements, please contact me. I will then publish an update in this article.

No one could name me a website that uses a popular consent tool and several services requiring consent that is GDPR-compliant.

My 100 euro bet that was never paid out.

Some argue that one can regulate everything with the settings of some consent tools. That is obviously either false or not implemented in practice, which amounts to the same thing. Whoever looks at the legal and terms of use of Google Tools a bit more closely will easily recognize where part of the problem lies.

Introduction

Consent tools are understood as aids with which consent from a website visitor can be obtained for data processing operations before data processing that would otherwise be unauthorized takes place. Often, people mistakenly speak of "cookie consent", although there are other consent-requiring data processing operations besides cookies.

Websites that use the following so-called consent solutions were tested:

  • Borlabs Cookie
  • CCM19
  • consent manager
  • Cookiebot (see decision of the LG Wiesbaden, which declared Cookiebot unlawful)
  • Klaro!
  • OneTrust / Optanon / Cookie Law
  • Usercentrics (active together with Cookiebot since 01.09.2021)

Websites that use Consent Tools (seven other websites are not mentioned by name):

Websites that use consent requests (instead of cookiebot.de, cookiebot.com is correct). Image was automatically translated.

Of these 24 websites plus the seven others, a total of 20 websites were tested. I have to say, however, that a brief visual inspection of the websites that were not officially tested did not reveal anything to be pleased about, such as a particularly good implementation of the relevant data protection rules. Additional websites inspected after the publication of this article paint the same picture. This also applies as of August 2021.

All Consent Tools seem to be generating bull on websites!

Conclusion from my test result

Even larger companies are unable to comply with binding data protection laws, resulting in a poor test outcome.

The following websites using a consent tool require at least one more click to refuse consent-related processes than to agree to them (as of 30.12.2020):

  • adac.de
  • commerzbank.de
  • digitalehelden.de
  • euronics.de
  • ffh.de
  • haendlerbund.de
  • heise-regioconcept.de
  • hertie.de
  • kia.com
  • springer.com

Apparently, the operators of these websites consider it more important to obtain user data than to offer a simple opt-out option for consent-based data collection. This is, in my opinion, clearly unlawful. The LG Rostock sees it that way too. Spoiler: The ECJ and the BGH regularly issue judgments that are in favor of consumers.

This online article is an extract from an even more extensive PDF document, which contains further screenshots and supporting documents.

Test procedure

The websites tested use one of the more popular consent tools. Which tools count as popular was decided subjectively, drawing on experience from more than 1000 tested websites. Klaro! was also included in the test because it is open source and its provider is based in Germany. Some other open-source solutions have not been developed further for some time and were therefore not considered.

The tests were carried out in the period from 08.12.2020 to 31.12.2020. As I can see every day, the results are still as up-to-date as they were in August 2021.

The websites mentioned were examined both manually and with a tool of my own. The tool scans the respective website, reading only a few sub-pages for the test, and records which tools and files are loaded without consent and which cookies are set without consent.

The automatically obtained results were manually verified. In particular, the following criteria were checked manually.

Test criteria

The following criteria were examined favorably from the perspective of a German-speaking citizen accessing a website:

  • Voluntary consent or refusal
  • Loading services without consent
  • Description of services used
  • Classification of services used
  • Naming of service providers
  • Naming and description of cookies used
  • Notification of the transfer of data to third countries
  • Information on the right of withdrawal
  • Possibility of revocation after consent
  • Revocation after consent

See also my checklist for consent requests on websites, which mentions some legal bases.
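The following is an added example, not the author's scanning tool: a small offline audit that applies four of the checks from the test procedure and criteria above (consent-required resources loaded before any consent choice, consent-required cookies set before consent, cookies that survive a revocation, and overlong cookie lifespans) to captured request and cookie snapshots. The site name, host list, cookie-name prefixes and all snapshot values are constructed assumptions, as is the crude two-label domain comparison.

```python
"""Offline consent audit over captured snapshots. Added example, not the
author's scanner; every host, cookie name and classification is constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str
    max_age_days: Optional[float]  # None marks a session cookie


# Assumption: third-party hosts the auditor treats as consent-required.
CONSENT_REQUIRED_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "stats.g.doubleclick.net",
    "www.youtube.com",
}
# Assumption: cookie-name prefixes the auditor treats as consent-required.
CONSENT_REQUIRED_COOKIE_PREFIXES = ("_ga", "_gid", "_gat", "_fbp", "IDE", "_pk_")


def site_of(host: str) -> str:
    """Crude registrable-domain guess (last two labels; no public-suffix list)."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def is_third_party(site_host: str, url: str) -> bool:
    """True when the URL's host does not belong to the audited site."""
    return site_of(urlsplit(url).hostname or "") != site_of(site_host)


def requires_consent(cookie: Cookie) -> bool:
    return cookie.name.startswith(CONSENT_REQUIRED_COOKIE_PREFIXES)


def loaded_without_consent(site_host: str, pre_consent_urls: Iterable[str]) -> list:
    """Consent-required third-party hosts contacted before any consent choice."""
    hits = set()
    for url in pre_consent_urls:
        host = (urlsplit(url).hostname or "").lower()
        if is_third_party(site_host, url) and host in CONSENT_REQUIRED_HOSTS:
            hits.add(host)
    return sorted(hits)


def cookies_without_consent(before: Iterable[Cookie]) -> list:
    """Consent-required cookies already present before any consent choice."""
    return sorted(c.name for c in before if requires_consent(c))


def revocation_leftovers(before: Iterable[Cookie], after_consent: Iterable[Cookie],
                         after_revocation: Iterable[Cookie]) -> list:
    """Consent-required cookies set only after consent and still present after
    revocation: the 'revocation is not fully executed' finding."""
    pre = {c.name for c in before}
    set_on_consent = {c.name for c in after_consent
                      if requires_consent(c) and c.name not in pre}
    still_present = {c.name for c in after_revocation}
    return sorted(set_on_consent & still_present)


def overlong_cookies(cookies: Iterable[Cookie], limit_days: float = 365) -> list:
    """Persistent cookies whose declared lifespan exceeds limit_days."""
    return sorted((c.name, c.max_age_days) for c in cookies
                  if c.max_age_days is not None and c.max_age_days > limit_days)


def audit(site, pre_urls, before, after_consent, after_revocation) -> dict:
    """Bundle the four checks into one report for a single site."""
    return {
        "loaded_without_consent": loaded_without_consent(site, pre_urls),
        "cookies_without_consent": cookies_without_consent(before),
        "revocation_leftovers": revocation_leftovers(before, after_consent, after_revocation),
        "overlong_cookies": overlong_cookies(after_consent),
    }


# Constructed sample session for a hypothetical site (not a real capture).
SITE = "www.example-shop.de"
PRE_CONSENT_REQUESTS = [
    "https://www.example-shop.de/",
    "https://cdn.example-shop.de/logo.png",
    "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER",
    "https://www.google-analytics.com/analytics.js",
    "https://www.youtube.com/embed/VIDEO-PLACEHOLDER",
]
BEFORE = [Cookie("PHPSESSID", "www.example-shop.de", None),
          Cookie("lang", "www.example-shop.de", 365),
          Cookie("_ga", ".example-shop.de", 730)]
AFTER_CONSENT = BEFORE + [Cookie("_gid", ".example-shop.de", 1),
                          Cookie("_fbp", ".example-shop.de", 90),
                          Cookie("IDE", ".doubleclick.net", 390)]
# Revocation removed only _gid; _fbp and IDE survive, as the article reports.
AFTER_REVOCATION = [c for c in AFTER_CONSENT if c.name != "_gid"]

if __name__ == "__main__":
    for finding, value in audit(SITE, PRE_CONSENT_REQUESTS, BEFORE,
                                AFTER_CONSENT, AFTER_REVOCATION).items():
        print(f"{finding}: {value}")
```

In a real audit the snapshots would come from a browser automation run at three points (before any click, after accepting, after revoking); the checks themselves do not depend on how the snapshots were captured.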

Test results

The websites tested are always listed in alphabetical order and are not ranked. The results for the tested websites are given anonymously in the form of letters: Website A, Website B, etc.

Among the tested websites are also those of providers of Consent Tools, which use their own tool. Since provider websites, just like third-party users of the tool, have significant flaws regarding the consent solution, it can be assumed that some providers do not sufficiently know the legal bases or that the offered tools are unsuitable to obtain a legally compliant website.

The following test results are organized by Consent Tool.

UserCentrics

Websites using UserCentrics:

  • adac.de
  • commerzbank.de
  • usercentrics.com
  • www-ag.com
  • and one other (which may be mentioned below)

Some of these websites were tested and evaluated below.

Website E

The consent window of the website looks like this:

Consent window of the website E (image was automatically translated).

After clicking on "Information & settings", the following pop-up appears:

Privacy settings on website E (image was automatically translated).
Findings
  • No voluntary decision possible: Rejecting is not as simple as accepting. It appears unlawful (cf. judgment of the LG Rostock).
  • Missing explanation of used cookies: It is very embarrassing for a tool that is used as a "Cookie Banner" and configured via "Cookie Settings" that neither the Cookie Settings nor the Data Protection Declaration contain any information about the cookies used by Google Analytics and the other services loaded on website E.
  • Loading tools without consent: Loaded without consent are Google Tag Manager, YouTube Video, DoubleClick, Google Universal Analytics and GA Audiences. Consent is requested for Google Analytics. It hardly gets more irresponsible, to put it politely.
  • Revocation is not executed: A revocation of previously granted consent is not actually carried out. It was found that cookies requiring consent were still set even after the revocation.
  • Unclear terminology: A normal citizen, and also a PhD holder in computer science, has difficulty understanding what exactly the difference between Tracking, Personalization and Marketing is supposed to be. Under Tracking, Google Analytics is listed, which is also a marketing tool. In the section on Personalization, Hotjar is listed, a tracking tool. This appears when one clicks on the category name in the consent tool. Similarly, Google Optimize is mentioned, a tool for A/B tests, with which content is optimized for individual target groups. From the perspective of an individual user visiting a website, this cannot be understood as personalization, but at most as advertising optimization. Even more confusing, and beyond any comprehensibility, is the classification of Google Analytics Statistics into the category Statistics and of Google Analytics into the category Tracking. Where the difference between Google Analytics Statistics and Google Analytics lies is completely unclear and does not become clear even to an expert. A call for help by clicking on the question mark reveals that this tool is a "web analysis and statistics service […]" which is used for analyzing website usage and measuring reach, and that it uses "cookies" and "pixel tags". For Google Analytics only "cookies" are listed as "used technologies", thus fewer than for the other (?) tool, which allegedly does not require consent. Google Analytics is explained to be a "web analysis service", but not also a statistics service like the other (?) tool, which allegedly does not require consent.
  • Unlawful pre-selection: In the category Statistics, a tool called Google Analytics Statistics is listed. This tool is pre-selected (pre-activated). This is unlawful according to the EU Court ruling on cookies, considering that Google Analytics already sets cookies before consent. Furthermore, a data transfer to insecure third countries (such as the USA) without prior consent and without suitable guarantees is unlawful (cf. the EU Court ruling on Privacy Shield as well as a criteria catalog by noyb for an individual assessment of the lawfulness of data transfers to the USA).
  • Incorrect classification: Google Tag Manager is listed in the category Technisch erforderlich (technically required). This tool serves to dynamically reload other tools, so it has no function of its own. Of course, all tools that are loaded indirectly via Google Tag Manager can also be loaded directly.
  • Inconsistent explanations: For Google Analytics Statistik and for Google Analytics alike, the "place of processing" is given as the "European Union". Furthermore, "Alphabet Inc." is named as one of the data recipients. As is well known, Alphabet Inc. has its seat in the USA, not in the European Union. For Google Analytics Statistik only "Alphabet Inc." is listed as a data recipient, whereas for Google Analytics "Google LLC" and "Google Ireland Limited" are also listed. Justifying this plausibly would be almost impossible. Why the place of processing for the Google Tag Manager is given as "United States of America" and for Google Analytics as "European Union" cannot be understood. This statement is objectively exposed as nonsense, since Google Analytics is only loaded through the Google Tag Manager.
  • Inadequate provider information: Data recipients are specified as "Google LLC" etc. The address is not specified. The address is only given (at least!) for the "processing company".
  • Suspicious explanation of services: The Google Tag Manager is described as follows: "This is a tag management system for managing JavaScript- and HTML-tags that are used to implement tracking and analysis tools. No personal data is processed. The tag manager is a cookie-free domain and does not collect any personal data. However, the Google Tag Manager can trigger other tags that may collect and process personal data." This description is incorrect, first, because personal data in the form of IP addresses is already collected when the Google Tag Manager is called. Second, the description is not understandable: a normal citizen does not know what JavaScript tags are, and "JavaScript tags" is not an established term anyway.
  • Inadequate provision for data transmission in third countries: A provision is made here only indirectly, by giving names and forms of companies, but not mentioning their address and the country of the company's seat. Example: Alphabet Inc.
  • Missing mention of cookie information: Basic information is missing for almost all cookies used, both in the consent form of website E and in its privacy policy. A separate "cookie policy", as provided by some websites, is not to be found.
  • Non-clickable links: On the privacy policy of website E, important links such as "Data usage by the Google Inc." are not clickable.

Website F

The consent window of the website looks like this:

Consent window of the website F (image was automatically translated).
Findings:
  • Deferring the opt-out option: The opt-out button is labeled "View and change cookie settings" and is visually set back considerably compared to the accept button. This contradicts the legal opinion of the Rostock Regional Court (judgment of 15.09.2020 – 3 O 762/19).
  • Questionable global request for consent: Consent is obtained via the consent window not only for website F, but also for other websites of the operator. Whether this is permissible is questionable. In addition, the same consent would then have to be requested on the other websites or it would always have to be possible to revoke the consent of the other websites.
  • Unauthorized loading of tools without consent: Loaded without consent are Google Tag Manager, Google Fonts, Google Ads, YouTube Videos and DoubleClick. For DoubleClick, consent is requested, which however is not always respected, as an analysis of website F showed. When YouTube videos are loaded without consent, third-party cookies are set, some of which have a lifespan of over 18 years.
  • Partial unavailability of the revocation option: The revocation option can be accessed via a link in the footer of the F website. However, this link does not work if the page currently displayed is the privacy policy. This means that – strictly speaking – the withdrawal option is not available.
  • Revocation is not fully executed: If you consent to all processes, then call up the consent popup again and then revoke all processes, the website is not reloaded. The services that have already been revoked are still active. At least one third-party cookie requiring consent, which was only set after consent was given, is still present. If the website is reloaded manually, the revoked services are no longer active, but the aforementioned cookies are still present.
  • Non-functioning opt-out possibility for Google Analytics: Outside the consent tool, the data protection declaration offers a seeming possibility to deactivate data collection by Google Analytics (via a button labeled Google Analytics deaktivieren). When you click the green button, apparently nothing happens except that a confirmation text is displayed as a popup. The cookie suggested in the image is not set. Apart from that, an opt-out cookie is a conceivably bad way to prevent data collection by a third-party service.
  • Missing explanation of used cookies: It may be coincidence that none of the investigated websites using UserCentrics display cookie information, or it may be due to UserCentrics itself. Neither the cookie banner, nor the cookie settings, nor the data protection declaration contain any information about the cookies used.
  • Unclear cookie category: Website F also lists cookies under the category "Technical, functional cookies serving purposes of commission and settlement". The author has never encountered this term despite years of involvement with data protection on the internet. The term is generally unclear and is presumably supposed to refer to technically oriented cookies.
  • Unclear necessary cookies: Since website F provides no technical information on the cookies, such as name, purpose, description or lifespan, one can only guess what the following explanation of allegedly technically necessary cookies is supposed to mean: "The XYZ Company uses these cookies to simplify the use of the XYZ Company websites: With the help of cookies, the XYZ Company can recognize you again based on previous visits when you visit the XYZ Company website again." Recognizing a user is in itself allowed. However, it is questionable how this happens. The one cookie that evidently persists beyond a session stores the language setting anyway. This would have been mentioned for the website's own benefit if that was what the above explanation meant.
  • Missing privacy notices: On the website F's data protection declaration, there are no data protection texts for services used, including YouTube videos. The Google Tag Manager is not explicitly explained, but only implicitly mentioned as a helper construct when services are played out by the Tag Manager. The reason for this is probably that a cookie-centered approach to data protection was chosen, which apparently causes problems.
  • Lack of information on data transfer to third countries: There is no direct information on this in the consent query, although services are used that transfer data to third countries. Instead, provider details are given with the country. It is questionable whether the registered office of the named provider is the same as the country to which data is (exclusively) transferred by the service used.
  • Missing mention of cookie information: Apparently, almost all information on cookies used is missing, both in the consent form of website F and in its privacy policy. A separate "cookie policy", as provided by some websites, is not to be found.

Website G

The consent window of the website looks like this:

Consent window of the website G (image was automatically translated).
Findings
  • Inadmissible deferral of the reject option: the reject button was intentionally made less prominent than the "Accept and close" button. Both the color scheme and the size of the reject button are set back.
  • Incorrect designation of data protection officer: For the Matomo service, the email address of the data protection officer is given as privacy@matomo.org. This is obviously nonsense, since this service is hosted and operated by the operator of website G (as he has explained). The correct approach would be to specify the operator's own email address. Another example of an incorrectly designated data protection officer can be found with the service Google Ads Conversion Tracking. There, the mail address is given in the form of a link to a privacy policy. When you click on the link, the email program opens, because the link is designed as a mailto link.
  • Loading tools without consent: Already when loading the website G and without clicking on anything, the tools Lead Feeder, Google Fonts and Google reCAPTCHA are loaded. Regarding Google reCAPTCHA, it is explained that data transmission to recipients worldwide takes place. This suggests a consent-obligatory process that is not acknowledged. It becomes even more obscure because there is a link provided with the description "Click here to revoke on all domains of the processing company". Firstly, the meaning of this sentence is questionable and secondly, the question arises as to why a revocation for a supposedly non-consent-obligatory service is necessary. Lead Feeder is always loaded, regardless of whether consent has been given or not. This contradicts the explanation in the Consent Popup from website G. Regarding Google Tag Manager, website G explains that the place of processing is "United States of America" and that there is a "transmission to third countries = worldwide". Sounds very much like a consent-obligatory process.
  • Inadequate specification of data recipients: For the Google Tag Manager, website G lists Alphabet Inc., Google LLC and Google Ireland Limited as data recipients. One has to guess the addresses and countries oneself.
  • Inadequate description of purpose: The consent popup of website G explains the purpose of YouTube Videos insufficiently (details omitted here; they are verifiable). For the service „StackPath LLC“ (presumably StackPath, as StackPath LLC is the offering company), the description given is „StackPath is a platform for computer infrastructure and services.“ The author doubts that this description is sufficient. What purpose a service focused on „computer infrastructure“ serves on a website remains completely unclear.
  • Incomprehensible general description: The introductory sentence in the consent popup reads "This tool allows you to select and disable various tags / trackers / analysis tools used on this website.". Obviously, this sentence is not generally understandable. Nobody needs to know what "tags" are and what the difference between "trackers" and "analysis tools" is. Describing a consent window to the user as a tool is also not the most comprehensible of all conceivable descriptions.
  • Revocation is not fully executed: If you consent to all processes, then call up the consent popup again and then revoke all processes, the website is not reloaded. The services that have already been revoked are still active. Some cookies requiring consent, which were only set after consent was given, are also still present. If the website is reloaded manually, the revoked services are no longer active, but the aforementioned cookies are still present.
  • Missing mention of cookie information: Apparently (all ?) information on cookies used is missing, both in the consent form of website G and in its privacy policy. A separate "cookie policy", as provided by some websites, is not to be found.

Borlabs Cookie

Websites found using Borlabs Cookie:

  • bondzio.de
  • braeutigam-hotel.de
  • heise-regioconcept.de
  • mediana.de
  • and one other (which may be mentioned below)

Some of these websites were tested and evaluated below.

Website A

The consent window of the website looks like this:

Consent window of the website A (image was automatically translated).
Findings
  • No voluntary decision possible: A direct refusal is not possible. This appears to be unlawful.
  • Loading tools without consent: Already when loading the website A and without clicking anything, the tools Google Analytics and Google+ are loaded. Also loaded are Google Fonts from the Google Server.
  • Missing information about tools used: The tools mentioned in the previous section, Google Analytics, Google+, and Google Fonts, are not even mentioned in the consent popup, nor in the category "Essential" (Details on categories will be displayed after clicking on the text "Configure").
  • Inadequate provider information: The provider information for the tools used is inadequate. As the provider of the Facebook Pixel, Facebook is named. An address or form of business statement is missing. Here alone, the question arises as to which of the many Facebook companies could be meant.
  • Inadequate description of purpose: The stated purpose of the Facebook Pixel is: "The Facebook-Pixel is an analysis tool. You can measure the effectiveness of your advertising by analyzing the actions that people take on your website." Here, the visitor to the website is addressed as if he himself were using the Facebook Pixel to optimize advertising. The statement "The Facebook-Pixel is an analysis tool." is insufficient because it is not generally understandable and not complete. The following sentence is wrong, because the Facebook Pixel is used above all to identify visitors as Facebook users in order to target them (later) with ads on Facebook (so-called retargeting).
  • Inadequate cookie description: The name of the cookie is given as Facebook Pixel. That is wrong; the actual name of the cookie is _fbp. The lifespan of the cookie is missing. This information, however, is required according to the EU Court ruling on cookies.

Website B

The consent window of the website looks like this:

Consent window of the website B (image was automatically translated).
Findings
  • Deferring the reject option: The reject button is labeled "save & close" and is visually set back considerably compared to the accept button. This appears to be unlawful, or at least intentionally detrimental to the user.
  • Loading tools without consent: Without consent, Google Fonts and Google Maps are loaded. In contrast, website B's privacy policy incorrectly states: "This page uses so-called web fonts for uniform display of fonts, which are provided by Google. The Google Fonts are locally installed. No connection to Google servers takes place."
  • Suspicious necessary cookie with unique user identification: The cookie named __cfduid, whose value is a 43-character string, is set without consent with a lifespan of 30 days. The string is at least suitable for identifying a user uniquely.
  • Missing explanation for used cookies: For some cookies, the lifespan is not specified. For example, a cookie list without lifespan specifications and without purposes of the cookies is provided for the service "Chat function via tawk.to": "cfduid, ss, tawkUUID, TawkConnectionTime, TawkCookie, _cfduid".
  • Inadequate provider specification: The provider specification for the tools used is inadequate. Apparently, the address of the providers mentioned is missing. It remains unclear why Google LLC is named as a provider of a Facebook service, especially since there was no Facebook service to be found on the website.
  • Inadequate and false description of purpose: The name given for one service is "Contribute from Facebook represents", with the purpose "Is used to unlock Facebook content". What this is supposed to mean remains unclear, especially since no Facebook service was found on the website. For Matomo, the purpose is described as follows: "Cookie from Matomo for website analysis. Generates statistical data about how the visitor uses the website." A service like Matomo is not a cookie, and a cookie generates no data. The description is therefore wrong in every respect and does not name the purpose of Matomo, but only the supposed purpose of "the Matomo cookie", which does not exist (Matomo sets three cookies on website B, which are listed generically as _pk_* in the consent popup; this can be considered unlawful, especially since a lifetime of 12 months is specified, which is wrong).
  • Revocation is not fully executed: If you consent to all processes, then call up the consent popup again and then revoke all processes, the website is not reloaded. The services that have already been revoked are still active. All cookies requiring consent according to the consent popup, which were only set after consent was given, are still present. If the website is reloaded manually, the revoked services are no longer active, but all cookies set after consent are still present.
  • Lack of information on the revocation option: In the consent popup, there is no reference to a revocation option.
  • Lack of information on data transfer to third countries: There is no information on this in the consent query, although services are used that transfer data to third countries.

Website C

Consent window of the website C (image was automatically translated).
Findings
  • Lack of information on the possibility of revocation: There is no reference to the possibility of revocation.
  • Deferring the opt-out option: The opt-out button is labeled "Accept essential cookies only" and is half the height of the opt-in button. In addition, the consent button is made more prominent with arrows. This appears unlawful, even if website C is better positioned than many others.
  • Incorrect classification of tools: Google Analytics is included in the category Statistics. The correct category would be Marketing, since the tool operates with cookies and maintains a unique client ID per user.
  • Inadequate provider specification: For the provider Google LLC, which is specified for Google Analytics, the company name is missing. The stated purpose "Cookie from Google for website analysis. Generates statistical data about how the visitor uses the website" is unsuitable for describing the service Google Analytics.
  • Missing explanation of used cookies: There is no description for the three mentioned cookies _ga, _gat, _gid. The purpose stated there refers to only one cookie (which one?). The stated "Cookie Laufzeit" (cookie lifetime) of 2 years refers to only one of the three cookies; the other two have different expiration times. Furthermore, a cookie named _gat_gtag_UA_xxxx_1 is set, which is not explained. In contrast, the cookie _gat is explained, although it is not set.
  • Missing privacy notices: The data protection policy of website C is missing an explanation for the Google Tag Manager. The reason for this is probably that a cookie-centered approach to data protection has been chosen, which apparently causes problems.
  • Revocation is not fully executed: If you consent to all processes, then open the consent popup again and revoke all of them, the website is not reloaded. The revoked services remain active, and all cookies that the consent popup classifies as requiring consent and that were only set after consent was given are still present. If the website is reloaded manually, the revoked services are no longer active, but all cookies set after consent are still present.
  • Lack of information on data transfer to third countries: There is no information on this in the consent query, although services are used that transfer data to third countries.
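
The gap between what a consent popup declares and what a test session actually shows, as described above for website B (one generic "_pk_*" entry with a 12-month lifetime for three Matomo cookies) and website C (_ga, _gat and _gid declared with a 2-year lifetime, but _gat_gtag_UA_xxxx_1 set and _gat not), can be checked mechanically. The following is an added example, not code from the article or from any consent tool; the cookie lists, lifetimes and domains are constructed from the findings and the wildcard handling is an assumption about how such generic entries are meant.

```javascript
// Added example: audit the cookie declaration of a consent popup against the
// cookies actually observed in a test session. Not code from the article or
// from any consent tool; the sample data is constructed from the findings for
// website B (one generic "_pk_*" entry with a 12-month lifetime for three
// Matomo cookies) and website C (_ga/_gat/_gid declared with a 2-year
// lifetime, but _ga/_gid/_gat_gtag_UA_xxxx_1 actually set).

const DAY = 24 * 60 * 60;

// Turn a declared name such as "_gat_*" into a matcher. Only "*" is a
// wildcard; every other character is matched literally.
function nameMatcher(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  const re = new RegExp('^' + escaped + '$');
  return name => re.test(name);
}

// Human-readable lifetime; null means a session cookie.
function fmt(seconds) {
  if (seconds == null) return 'session';
  for (const [size, label] of [[365 * DAY, 'year'], [DAY, 'day'], [60, 'minute']]) {
    if (seconds % size === 0) {
      const n = seconds / size;
      return `${n} ${label}${n === 1 ? '' : 's'}`;
    }
  }
  return `${seconds} seconds`;
}

// declared: entries of the consent popup, { name, purpose, lifetimeSeconds }
// observed: cookies found in the test session, { name, domain, maxAgeSeconds }
// Returns one finding string per problem, in the order the problems are detected.
function auditDeclaration(declared, observed) {
  const findings = [];
  const covered = new Set();

  for (const decl of declared) {
    const isMatch = nameMatcher(decl.name);
    const hits = observed.filter(c => isMatch(c.name));
    hits.forEach(c => covered.add(`${c.name}@${c.domain}`));

    if (hits.length === 0) {
      // e.g. "_gat" is explained although it is never set
      findings.push(`declared but never set: ${decl.name}`);
      continue;
    }
    if (decl.name.includes('*') && hits.length > 1) {
      // one purpose and one lifetime for several different cookies
      findings.push(`generic entry ${decl.name} covers ${hits.length} cookies with one purpose: ${hits.map(c => c.name).join(', ')}`);
    }
    if (!decl.purpose || !decl.purpose.trim()) {
      findings.push(`no purpose given for ${decl.name}`);
    }
    for (const c of hits) {
      if (decl.lifetimeSeconds != null && c.maxAgeSeconds !== decl.lifetimeSeconds) {
        findings.push(`lifetime mismatch for ${c.name}: declared ${fmt(decl.lifetimeSeconds)}, observed ${fmt(c.maxAgeSeconds)}`);
      }
    }
  }
  for (const c of observed) {
    if (!covered.has(`${c.name}@${c.domain}`)) {
      // e.g. "_gat_gtag_UA_xxxx_1" is set but explained nowhere
      findings.push(`set but not declared: ${c.name} (${c.domain})`);
    }
  }
  return findings;
}

// Constructed sample data (names and lifetimes as described in the findings;
// domains are placeholders).
const declaredC = [
  { name: '_ga',  purpose: 'Cookie from Google for website analysis.', lifetimeSeconds: 2 * 365 * DAY },
  { name: '_gat', purpose: '', lifetimeSeconds: 2 * 365 * DAY },
  { name: '_gid', purpose: '', lifetimeSeconds: 2 * 365 * DAY },
];
const observedC = [
  { name: '_ga',                 domain: '.website-c.example', maxAgeSeconds: 2 * 365 * DAY },
  { name: '_gid',                domain: '.website-c.example', maxAgeSeconds: DAY },
  { name: '_gat_gtag_UA_xxxx_1', domain: '.website-c.example', maxAgeSeconds: 60 },
];
const declaredB = [
  { name: '_pk_*', purpose: 'Cookie from Matomo for website analysis.', lifetimeSeconds: 365 * DAY },
];
const observedB = [
  { name: '_pk_id.1.abcd',  domain: 'www.website-b.example', maxAgeSeconds: 390 * DAY },
  { name: '_pk_ses.1.abcd', domain: 'www.website-b.example', maxAgeSeconds: 30 * 60 },
  { name: '_pk_ref.1.abcd', domain: 'www.website-b.example', maxAgeSeconds: 180 * DAY },
];

console.log(auditDeclaration(declaredC, observedC).join('\n'));
console.log(auditDeclaration(declaredB, observedB).join('\n'));
```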

consentmanager

Websites that use a consent manager:

  • consentmanager.de
  • ffh.de
  • haendlerbund.de
  • mitsubishi-motors.de
  • and one other (which may be mentioned below)

Some of these websites were tested and evaluated below.

Website H

The consent window of the website looks like this:

Consent window of the website H (image was automatically translated).
Findings
  • Excessive number of supposedly purely functional cookies: More than 10 cookies are mentioned which, according to the consent window of website H, are supposedly "purely functional and necessary for the operation of the website or certain functions".
  • Lack of explanation for used cookies: No descriptions are given for the listed cookies. Indicating a lifespan with a dash is highly questionable and probably insufficient. In the privacy policy of website H, there is a description of some (not all) cookies. Example: “_cmpcpc*”/“_cmppurposes” – Information about selected purposes. This description appears to be unclear and incomplete. Why the cookie “euconsent_backup” has to be a backup copy of the cookie “euconsent”, the provider of website H will certainly be able to explain on request.
  • Inadequate cookie disclosure: Naming the Google Analytics cookies as _gat_* does not meet the requirements, because the name is unclear and the information given for such a generic entry, such as the expiration time, can be false. Additionally, a cookie named _ga is listed twice with different domains, unnecessarily labeled in English ("Domain"), which may confuse German visitors, who do not have to understand English. During testing, only one cookie named _ga was found. The descriptions for all mentioned cookies are missing as well. The statement "Type: Measurement" is certainly not enough. What is being measured, why, and why with five cookies?
  • Inadequate naming of services: The services used are named by categories and providers. Under "All Providers", items are listed that would better be called "Services": e.g. Google Ads, Google Analytics, Google General, LinkedIn. This reads like services, not like providers. What Google General is supposed to be, probably nobody knows.
  • Inadequate description of services used: For Google General, the "Purpose of data processing" is stated as "Measurement". No further explanations can be found in the consent window. The same is stated for Google Analytics, again without further explanation.
  • Inadequate data protection statement: Anyone who wants to know what "Microsoft" is supposed to mean finds the description "Measurement". In the German-language data protection statement of website H, the description for Microsoft reads: Measurement. Now everything should be clear.
  • Revocation is not fully executed: If you consent to all processes, then open the consent popup again and revoke all of them, the website is not reloaded. The revoked services remain active, and all cookies that the consent popup classifies as requiring consent and that were only set after consent was given are still present. If the website is reloaded manually, the revoked services are no longer active, but all cookies set after consent are still present.
  • Unauthorized loading of tools and cookies without consent: Without consent, YouTube videos, DoubleClick, Calendly, Google Translate, Google Fonts and a script from the domain google.com are loaded. Similarly, on at least one page of website H, the service etracker is loaded without consent, although consent is requested for it. YouTube and DoubleClick set third-party cookies without consent.
  • Missing privacy notices: For DoubleClick, Calendly and Google Fonts there are no notices in website H's data protection policy.
  • Lack of information on data transfer to third countries: There is no information on this in the consent query, although services are used that transfer data to third countries. Instead, provider details are given with the country. It is questionable whether the registered office of the named provider is the same as the country to which data is (exclusively) transferred by the service used. In addition, the country name is not written out in full, but given in the form of an ISO abbreviation.

Website J

The consent window of the website looks like this:

Consent window of the website J (image was automatically translated).
Findings
  • No voluntary decision possible: a direct refusal is not possible. This appears to be unlawful.
  • Unauthorized loading of tools and cookies without consent: Loaded without consent are Google Tag Manager, YouTube Video, DoubleClick, Twitter Widget, Google Fonts, Google reCAPTCHA, a JavaScript library from the domain googleapis.com, several files from cloudflare.com and a service named Giosg. Likewise, on at least one page of website H, the service etracker is loaded without consent, although consent is requested for it. YouTube and DoubleClick set third-party cookies without consent.
  • Incorrect categorization of services: The categories listed in the consent window of website J are: "Essential": "Purpose: Essential", "Function": "Purpose: Function. Services that are necessary for the use of website functions.", "Measurement": "Purpose: Measurement", "Marketing": "Purpose: Marketing". The descriptions quoted here are the original descriptions from website J. Obviously, these descriptions are partially incorrect: "Functions" supposedly necessary for the website can be deactivated, and there are no descriptions for "Measurement" and "Marketing"; instead, the category name is repeated as the purpose.
  • Lack of explanation of services used: Apparently there is no description of what "Facebook" is supposed to be.
  • Missing description of used cookies: The purpose of the cookies used is missing. Instead, the reader learns, to the minute, that for example the cookie named ATN has a lifespan of 729 days, 23 hours and 50 minutes. For the cookie fr, the type is given as [unknown].
  • Missing explanation for used cookies: For Google Analytics two cookies are listed without a description of purpose, namely _ga and _gid. In reality, however, two further cookies are set, namely _gcl_au and _gat_UI-xxxxx-1. For the mysterious service Facebook it is explained that besides the cookie _fbp, which is actually set, the cookies ATN and fr are also set; these were not set during the author's test with automated analysis. After some research, the ATN cookie at least appears to be completely unknown publicly. Since its purpose is not described, further investigation is not possible. For YouTube no cookies are mentioned in the consent window, although in reality two are set, namely YSC and VISITOR_INFO1-LIVE.
  • Incorrect provider identification: For the provider of "Facebook" (meaning Facebook Connect and Facebook Audiences, as an analysis shows) a Spanish address is given. Such a company does not seem to exist (and if it does, one wonders why a German website has a Spanish partner at Facebook). Rather, the address appears to have been searched for on the internet and to come from a Facebook fan page of a taxi service in Spain, as my research found. In J's data protection declaration, the Facebook Pixel is listed and assigned to the provider Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. The statement about the provider mentioned above is therefore contradictory, misleading and false.
  • Missing mention of services used: As previously described, the services Facebook Connect and Facebook Audiences are summarized into a single service with the alleged name Facebook.
  • Inconsistent data protection statement: In the data protection statement of website J, it is stated about Google Tag Manager: "We use on our website the Google Tag Manager of Google LLC. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; „Google“). Since you have your usual residence in the European Economic Area or Switzerland, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is responsible for your data. Google Ireland Limited is therefore the associated company with Google, which is responsible for processing your data and complying with applicable data protection laws."
  • Insufficient revocation option: It is not possible to revoke all consents given with a single click. Instead, all categories must be clicked on one after the other, so that a manual deactivation can then take place for each category. This requires eight clicks.
  • Revocation is not fully executed: If you consent to all processes, then open the consent popup again and revoke all of them, the website is not reloaded. The revoked services remain active, and all cookies that the consent popup classifies as requiring consent and that were only set after consent was given are still present. If the website is reloaded manually, the revoked services are no longer active, but all cookies that were only set after consent, including cookies from third parties and third-party domains, are still present.
  • Lack of information on data transfer to third countries: There is no information on this in the consent query, although services are used that transfer data to third countries. Instead, provider details are given with the country. It is questionable whether the registered office of the named provider is the same as the country to which data is (exclusively) transferred by the service used. In addition, the country name is not written out in full, but given in the form of an ISO abbreviation.

Website K

The consent window of the website looks like this:

Consent window of the website K (image was automatically translated).

Cookiebot

Found websites using Cookiebot:

  • cookiebot.de
  • werdewelt.info
  • techem.de
  • and one other (which may be mentioned below)

Some of these websites were tested and evaluated below.

A brief check of the IP address (72.246.29.131) that was contacted when loading the Cookiebot script from consentcdn.cookiebot.com showed the following:

Call chain for loading a cookiebot script

According to Traceroute, the mentioned network address is based in the USA. This may be so, but it does not have to be true, because IP addresses are sometimes released again and re-allocated. The probability that an American address will pop up on one of a thousand calls to a Cookiebot script seems quite high anyway. For this reason alone, I would recommend looking for another solution.

Website X

The consent window of the website looks like this:

Consent window of the website X (image was automatically translated).
Findings
  • Lack of information on the revocation option. There is no reference to the possibility of withdrawal.
  • Loading tools without consent: As soon as website X is loaded, and without clicking anything, the services Gravatar, Google Analytics and Google Tag Manager are loaded. Consent is requested for both of the Google services mentioned. Gravatar is mentioned nowhere.
  • Incorrect assignment of services to providers: For example, Google Tag Manager, a service and not a company, is named as provider for a Google Analytics cookie, just like Google is named as provider, whoever or whatever Google may be.
  • Missing provider information: Provider identification including company information is missing for all services!
  • Inadequate cookie information: For some cookies, a life span is specified using an unintelligible, insufficiently specific term, namely Persistent. The term "Persistent" is not understandable for the average user. It also says nothing about the actual lifespan, because it cannot be infinite. The specification of "HTML" as a cookie type is nonsense. There are no such cookies. What is probably meant is HTML Web Storage and in this context Local Storage (a term that an ordinary user should not have to understand).
  • Missing privacy notices: For the services Google Analytics, Google Tag Manager, YouTube Videos, DoubleClick, Google Dynamic Remarketing, Gravatar and Zendesk there are no descriptions in the privacy policy. In general, not a single used service is mentioned in the privacy policy. In a separate Cookie Declaration, which however is not linked from some pages and thus cannot be reached from them, services are given, but only if one is mentally prepared to consider the specification of an operator per cookie as a service.
  • Questionable necessary cookies: 28 cookies are listed as necessary and therefore cannot be deselected. It is doubtful whether so many cookies are necessary for the minimal operation of the website.
  • Difficult to find revocation option: The possibility of revoking is not mentioned in the consent popup. In addition, you have to call up the page with the Cookie Declaration first and then find and click on the link "Revoke your consent" in the middle of the text there.
  • Revocation is not fully executed: When the website is reloaded manually, some of the cookies set before revocation are still present. This appears to be unlawful because the revocation was partially ignored. Only the services for which consent was withdrawn are no longer loaded, with the exception of Google Analytics, Google Tag Manager and Gravatar, which are still being loaded. If one reloads website X and grants consent again at some point, for example for Google Analytics, this service can fall back on cookies from a previous session. User tracking is thus still possible. Otherwise, the same user would officially (according to Google) be counted as two different users in these two sessions.
  • Unclear cookie description: For the cookie _gat [x4] the purpose is stated as: “Used by Google Analytics to throttle request rate.”. This statement is even unclear for an IT expert. What the notation [x4] behind the cookie name means remains unclear. For the cookie ads/ga-audiences the purpose is stated as: “Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behaviour across websites.”. A German user does not have to understand English.
  • Questionable classification of services/cookies: In the category Marketing, YouTube is mentioned among other things.
  • Focus on cookies instead of services: It is noticeable that website X apparently only considers cookies to be relevant to data protection: There is no information on services used in the consent query; there is no information on services used in the privacy policy; services that ostensibly do not set cookies are not mentioned at all.
  • Unclear display: If the user wants to view all the information in the consent window, they have to scroll through a tiny display area that remains tiny even at large screen resolutions. This seems unreasonable and is therefore probably unlawful.
  • Lack of information on data transfer to third countries: There is no information on this in the consent query, although services are used that transfer data to third countries.
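
The revocation failure described for website X (revoked services still loaded, their cookies still present after a manual reload, and Google Analytics able to resume the old client ID on re-consent) can be verified from a snapshot of the cookie jar taken after revocation. The following added example is not code from the article or from any consent tool; all cookie names, domains and values are constructed, and the "GA1.x.random.timestamp" layout of the _ga value is an assumption used only to illustrate client-ID continuity. It lists the cookies that survived, separates the ones the site's own script could still expire from third-party cookies it cannot touch, and shows how the continuity check works.

```javascript
// Added example: check whether a consent revocation was actually carried out,
// and what a first-party consent tool could still do about the leftovers.
// Not code from the article or from any consent tool. Cookie snapshots are
// constructed from the findings for website X (Google Analytics cookies that
// survive revocation and a manual reload, plus third-party cookies).

// Consent declaration as shown in the popup: cookie name -> category.
// A trailing "*" is the only wildcard (e.g. "_gat_*").
const declarationX = [
  { pattern: 'CookieConsent', category: 'necessary' },   // the tool's own cookie
  { pattern: '_ga',           category: 'statistics' },
  { pattern: '_gid',          category: 'statistics' },
  { pattern: '_gat_*',        category: 'statistics' },
  { pattern: 'IDE',           category: 'marketing' },   // set by doubleclick.net
  { pattern: 'YSC',           category: 'marketing' },   // set by youtube.com
];

function matches(pattern, name) {
  return pattern.endsWith('*') ? name.startsWith(pattern.slice(0, -1)) : name === pattern;
}

// Category a cookie was declared under, or "undeclared" if the popup never
// mentions it (an undeclared cookie cannot have been consented to either).
function categoryOf(name, declaration) {
  const entry = declaration.find(d => matches(d.pattern, name));
  return entry ? entry.category : 'undeclared';
}

// A cookie domain is first-party if it is the site host or a parent of it.
function isFirstParty(cookieDomain, siteHost) {
  const d = cookieDomain.replace(/^\./, '');
  return siteHost === d || siteHost.endsWith('.' + d);
}

// Cookies still present after the categories in `revoked` were withdrawn (or
// that were never declared). `clearable` says whether the site's own script
// can expire them: third-party cookies cannot be touched from the first-party
// context, they can only be prevented by not loading the service.
function survivingConsentCookies(snapshot, revoked, declaration, siteHost) {
  return snapshot
    .map(c => ({ ...c, category: categoryOf(c.name, declaration) }))
    .filter(c => c.category === 'undeclared' || revoked.includes(c.category))
    .map(c => ({ ...c, clearable: isFirstParty(c.domain, siteHost) }));
}

// document.cookie strings that expire a first-party cookie. Deletion only
// works with a matching domain and path, so one string per plausible variant.
function expiryStrings(cookie, siteHost) {
  const base = `${cookie.name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${cookie.path || '/'}`;
  const parents = siteHost.split('.').map((_, i, a) => a.slice(i).join('.')).filter(h => h.includes('.'));
  const domains = [...new Set([cookie.domain, ...parents])];
  return [base, ...domains.map(d => `${base}; domain=${d}`)];
}

// Google Analytics keeps its client id in _ga; the assumed layout is
// "GA1.<depth>.<random>.<first visit>", so the last two fields identify the
// client. If they are unchanged after revocation and re-consent, the new
// session is linked to the old one, as described for website X.
function gaClientId(gaValue) {
  return gaValue.split('.').slice(-2).join('.');
}

function trackingContinues(gaBefore, gaAfterReconsent) {
  return gaClientId(gaBefore) === gaClientId(gaAfterReconsent);
}

// Constructed snapshot after "revoke all" and a manual reload on website X.
const afterRevocationX = [
  { name: 'CookieConsent',       domain: 'www.website-x.example', path: '/' },
  { name: '_ga',                 domain: '.website-x.example',    path: '/', value: 'GA1.2.1234567890.1600000000' },
  { name: '_gid',                domain: '.website-x.example',    path: '/' },
  { name: '_gat_gtag_UA_xxxx_1', domain: '.website-x.example',    path: '/' },
  { name: 'IDE',                 domain: '.doubleclick.net',      path: '/' },
  { name: 'YSC',                 domain: '.youtube.com',          path: '/' },
];

const leftovers = survivingConsentCookies(afterRevocationX, ['statistics', 'marketing'], declarationX, 'www.website-x.example');
for (const c of leftovers) {
  console.log(c.clearable
    ? `must be expired: ${expiryStrings(c, 'www.website-x.example').join(' | ')}`
    : `cannot be cleared client-side, service must not be loaded: ${c.name} (${c.domain})`);
}
```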

Website Y

The consent window of the website looks like this:

Consent window of the website Y (image was automatically translated).
Findings
  • Unauthorized preselection: As the illustration shows, all options are activated. Clicking "Allow selection" therefore has the same effect as clicking "Allow cookies", which is not privacy-friendly.
  • Lack of information on the revocation option: As the illustration shows, there is no indication of a revocation option.
  • Incorrect naming of cookies: The detail view shows an explanation about cookies that is incorrect. The cookies with the alleged names /fileadmin/razor/Dist and /typo3temp/ do not exist according to the review of website Y. Their purposes are not stated but described as Anstehend (pending). This suggests that the tool used, Cookiebot, apparently does not know their purposes. Another cookie is listed under the name lang[x2]. Two cookies are meant, of which only one was named by Cookiebot; the second (according to the Cookiebot protocol it is ads.linkedin.com) was overlooked.
  • Missing information on cookies: As mentioned above, there are no descriptions of the purpose of cookies.
  • Missing mention of cookies: The cookies named be_typo_user and be_lastLoginProvider are not mentioned at all, although a test on website Y shows that they are clearly used.
  • Loading tools without consent: As soon as website Y is loaded, and without clicking on anything, the services Google Maps, Facebook Connect, Calendly, Google Fonts, Podigee Podcast Player and Google Tag Manager are loaded. Facebook Connect sets a cookie named fr with a lifespan of 3 months for the domain facebook.com. Calendly sets a cookie named _calendly_session with a lifespan of 21 weeks for the domain calendly.com.
  • Unclear display: If the user wants to view all the information in the consent window, they have to scroll through a tiny display area that remains tiny even at large screen resolutions. This seems unreasonable and is therefore probably unlawful.
  • Missing privacy notices: On website Y, there are no statements in the data protection declaration regarding the tools Cookiebot, Calendly and Podigee.
  • False data protection notices: On website Y, it is stated that the consentmanager tool is used for consent requests. This is incorrect. Instead, Cookiebot is used.
  • No option to withdraw consent: No option to withdraw consent could be found on Website Y.
  • Privacy policy not directly accessible: When calling up the privacy policy of website Y, the consent pop-up appears if it has not been confirmed beforehand. It is therefore not possible to read the privacy policy directly.
  • Incorrect classification of tools/cookies: The cookies belonging to Google Analytics are mistakenly attributed to Google Tag Manager. This false attribution likely arises because the Google Tag Manager serves to dynamically reload Google Analytics. The Tag Manager is therefore only the initiator of the loading process for the tool, which in reality sets and reads the cookies _ga, _gat and _gid.
  • Insufficient naming of providers: No company name is given for the providers of the tools (which are only named here in the form of cookies). This applies to all 29 cookies mentioned on website Y.
  • Missing mention of services used: The services used are not mentioned in the consent request on website Y (and if so, only partially and only indirectly in the alleged purpose of a cookie, see Figure 68). Instead, the Cookiebot tool focuses on cookies on website Y.
  • Incorrect provider specification: For a cookie, DrawBridge is specified as the provider. Drawbridge was acquired by LinkedIn in 2019 but is still listed as a provider in the consent request on website Z. The DrawBridge website redirects to the LinkedIn website (or at least did so until mid-2023). If you click on the link to Drawbridge, which can be seen in the image, you do not end up on the privacy policy page, as intended, but rather on the webpage https://business.linkedin.com/de-de/marketing-solutions-b, which contains only advertising information and no privacy notices.
  • Unclear description of cookies: The descriptions of cookies are often not understandable for the average citizen. Example for the cookie bcookie from provider LinkedIn: “Used by social networking service LinkedIn for tracking usage of embedded services.” Nowhere is it mentioned what exactly LinkedIn means or who the provider is.
  • Lack of information on data transfer to third countries: There is no information on this in the consent query, although services are used that transfer data to third countries.

Website Z

The consent window of the website looks like this:

Consent window of the website Z (image was automatically translated).
Findings
  • Loading tools and cookies without consent: Already when loading the webpage Z and without clicking anything, the services Google Ads, LinkedIn Analytics, YouTube Video, etracker as well as files from cloudflare.com are loaded. The service etracker sets two cookies without consent with a lifespan of 2 years, one of them on the domain etracker.com. The service LinkedIn Analytics sets six cookies without consent with a lifespan between one day and 2 years, all on the domain linkedin.com.
  • Visually subordinated reject option: The reject button is visually significantly subordinated to the accept button. This appears to be illegal.
  • Revocation option difficult to find: In the footer of website Z there is a menu item named Widerruf (revocation). This, however, does not lead to the revocation option for granted cookie settings. Rather, the revocation option is hidden in the data protection declaration as a text link in the middle of the running text.
  • Revocation is not fully executed: If one reloads the website manually, the cookie et_coid is set again, although consent is requested for it. In one test, the revocation (except for the aforementioned point) was executed. In another test, in which all cookies had first been allowed and then revoked, the revocation was not executed.
  • Unclear display: If the user wants to view all the information in the consent window, they have to scroll through a tiny display area that remains tiny even at large screen resolutions. This seems unreasonable and is therefore probably unlawful.
  • Insufficient provider information: For all 16 cookies mentioned on website Z, the provider was not named correctly. A company name was missing each time.
  • Unclear description of cookies: The descriptions of cookies are often not understandable for the average citizen. Example: "Contains Base64-encoded visitor history data (is customer, newsletter recipient, Visitor ID, displayed Smart Messages) for personalization (only with cookie activation)." In this specific example, the explanation also contains a note that it only applies (or is only used for personalization?) if "cookie activation" is given. What cookie activation means and why this conditional statement exists is unclear.
  • Incorrect provider specification: For a cookie, DrawBridge is specified as the provider (cf. website X).
  • Missing privacy notices: For Drawbridge, Google Tag Manager and Calendly, the mandatory notices are missing from the website's data protection policy.
  • Incorrect naming of cookies: A cookie is named as et_coid[x2]. Two cookies are meant, of which only one is named by Cookiebot; the second (etracker.de, according to Cookiebot's protocol on website Z) is concealed.
  • Privacy policy not directly accessible: When calling up the privacy policy of website Z, the consent pop-up appears if it has not been confirmed beforehand. It is therefore not possible to read the privacy policy directly.
  • Lack of information on data transfer to third countries: There is no information on this in the consent query, although services are used that transfer data to third countries.

CCM19

Found websites using CCM19:

  • ccm19.de
  • crifbuergel.de
  • hertie.de
  • and one other (which may be mentioned below)

Some of these websites were tested and evaluated below.

Website L

The consent window of the website looks like this:

Consent window of the website L (image was automatically translated).
Findings
  • Visually subordinated reject option: The reject button is visually significantly subordinated to the accept button. This appears unlawful. What the difference between Reject and Save is supposed to be is not apparent, which is misleading.
  • Missing specification of categories: The website L categorizes used tools and cookies into Techn. necessary / Essential, Analysis as well as Personalization. A description of these categories is completely missing in the consent request.
  • Incorrect statement regarding services: For Matomo, it is explained, among other things: "Collection of metrics for web analysis, data are fully anonymized. No traceable data is stored, IP address is truncated to the last 3 digits." The IP address is probably not truncated to the last 3 digits, but rather truncated so that the last 3 digits are removed. Otherwise, there would be only 256 possible values (and one could just as well leave out the collection). Furthermore, it is doubtful whether data collected with Matomo is fully anonymized. A test has shown that URL parameters on website L are also tracked by Matomo, and URL parameters may contain personal data. Example: https://www.anonyme-webseite-m.de/aus-versehen-eingefuegte-information
  • Loading tools without consent: Google Fonts is loaded without consent. After Brexit and without an adequacy decision, OpenStreetMap would be added to this. OpenStreetMap is offered by a company in the United Kingdom (UK).
  • Missing privacy notices: The service Google Fonts is completely missing a data protection policy.
  • Inconsistent privacy notices: Although consent is requested for the Matomo service, the data protection statement explains it as follows: "Legal basis: Legitimate interest, Art. 6(1)(f) GDPR".
  • Missing link to the privacy policy: The link to the privacy policy is missing on at least one page of website L.
  • There are fewer findings for the website than for other websites. The main reason is that the website only uses a few services.

Website M

The consent window of the website looks like this:

Consent window of the website M (image was automatically translated).
Findings
  • No voluntary decision possible: As can be seen in the illustration, no direct refusal is possible. This seems clearly illegal to me.
  • Missing information on the revocation option: As the illustration shows, there is no visible indication of a revocation option. The revocation information is only available after scrolling the thin bar on the right-hand side of the window. As the image also shows, the display on smartphones is suboptimal.
  • Inadequate provider naming: For the Consent Tool used, website M states "XYZ AG" as the publisher (the real company name was replaced here by XYZ to make the website operator unrecognizable). The address of the company is not mentioned.
  • Inadequate cookie information: For some cookies, a lifetime is specified in English. Examples: 30 minutes, Session. For a cookie named sid, the lifetime is given as the number 1 (without unit) and its purpose is completely missing. For some cookies, a seemingly generic naming occurs. Example: ev_sync_*. Since different cookies must have different purposes (otherwise one would only need one cookie and not several), accurate descriptions are missing for the generically named cookies. Instead, as the purpose of this generic designation, it is explained: “A third-party cookie specifically for ad exchanges that synchronizes the Surfer ID in Advertising Cloud with the partner ad exchange. The cookie is created for new surfers and sends a synchronization request when it expires.” The deeper meaning of this explanation will be unclear to most users.
  • Loading tools and cookies without consent: Loaded without consent are Google Tag Manager, Bing Ads, DoubleClick Ad Exchange and YouTube Video.
  • Missing cookie declaration: Some of the cookies used are not mentioned on website M at all, such as several First-Party Cookies with a lifespan ranging from several weeks to years. Also, the cookie _uetvid is not explained, which probably comes from Microsoft Bing Ads (since the cookie _uetsid is explained, whose name is almost identical to _uetvid).
  • Inadequate classification of services/cookies: Website M lists three categories: Technically necessary, Analysis and Advertising / Ads. There is no description for any of the categories. Google Analytics is assigned to the category Advertising / Ads; some would want to assign the tool to the category Analysis. On the other hand, Microsoft Bing Ads is assigned to the category Analysis, although by its name it would fit better in the category Advertising / Ads.
  • Inadequate data protection information about used tools: In the consent query, the link to the privacy policy of the tool Microsoft Bing Ads is given. The link is https://about.ads.microsoft.com/en-us/resources/policies/remarketing-in-paid-search-policies and refers to an English-language page that is obviously unsuitable for the German user.
  • Insufficient revocation option: It is not possible to revoke all consents given with a single click. Instead, all categories must be clicked one after the other and then the Save button. This requires a total of three clicks after the consent window has been opened.
  • Inadequate description of tools used: Regarding Microsoft Bing Ads, the purpose is explained as follows: “This is a cookie used by Microsoft Bing Ads and it's a tracking cookie. It allows contact with a user who has previously visited the website.” Apparently, a service is being confused with a cookie. What this explanation is supposed to mean will probably become clear to most users.
  • Revocation is not executed: The revocation does not remove any of the cookies requiring consent from the user's end device, not even after manually reloading the website. In addition, the website is not reloaded so that tools that have already been loaded can continue to collect data.
  • Privacy policy not directly accessible: When calling up the privacy policy of website M, the consent pop-up appears unless it has been confirmed beforehand. It is therefore not possible to read the privacy policy directly.
  • Missing data protection notices: For Google Tag Manager and etracker, there is no mention at all in the website's data protection policy M. For some services, the naming is inadequate, for example for Google Analytics: "This website uses Google (Universal) Analytics, a web analysis service of Google LLC. This serves to preserve our overriding legitimate interests in an optimized presentation of our offer according to Art. 6 Para. 1 S. 1 lit. f GDPR. Google (Universal) Analytics uses methods that enable the analysis of your use of the website, such as cookies." Here, the address of Google LLC is missing. Furthermore, the legitimate interest is cited as a legal basis for using the tool, which contradicts the fact that consent is requested for the tool.
  • Inadequate statement for data transmission in third countries: A usable statement is missing in the consent query for the Facebook Pixel. Quote: "Location of processing: Facebook does not provide information on the location of data processing. Probably Europe Ireland." The statement is mandatory.

Website N

The consent window of the website looks like this:

Consent window of the website N (image was automatically translated).
Findings
  • Lack of information on the right of withdrawal: As the image shows, there is no reference to the right of withdrawal. There is also no such information in the text, which is only visible after scrolling.
  • Insufficient presentation of information: As the image shows, explanations on the consent request are only accessible after scrolling. However, the scroll bar on the right-hand side of the screen is so poorly visible that it can be considered unavailable.
  • Loading tools and cookies without consent: Loaded without consent: YouTube Video, etracker, DoubleClick Remarketing, Twitter Widget, Google Fonts, Google reCAPTCHA, LinkedIn Widget as well as an IFRAME from a third-party domain. Without consent, cookies are set by the domains youtube.com and doubleclick.net with a lifespan that (mostly far) exceeds a session.
  • Illegal de-emphasis of the reject option: The reject button is visually slightly de-emphasized compared to the accept button. This (still) appears to be illegal.
  • Missing link to the privacy policy: The link to the privacy policy is missing on at least one page of website N.
  • Privacy policy not directly accessible: When calling up the privacy policy of website N, the consent pop-up appears if it has not been confirmed beforehand. It is therefore not possible to read the privacy policy directly.
  • Missing privacy notices: For Google Fonts, DoubleClick Remarketing and Google reCAPTCHA there is no mention at all in the website's privacy policy of N.
  • Lack of revocation option: Even after a lengthy search, no option could be found on website N to revoke the previously given consent.
  • Insufficient provider naming: Website N states "Papoo Software & Media Gmbh – CCM19 Cookie Consent Manager" as the publisher of the consent tool used. An address is not given, but apparently a product name ("CCM19 Cookie Consent Manager") instead of a company name.
  • Missing mention of cookies: Some of the used cookies are not mentioned on the website N at all, for example several cookies set by YouTube video scripts.
  • Missing information on cookies: Some cookies are declared not with actual information but with the pseudo-statement N.A. for all criteria (publisher, description etc.).
  • Inadequate cookie information: For one cookie, neither the lifespan nor the purpose is specified. For a cookie named ASP.NET_SessionId, the lifespan is given as 0 (without unit), and the purpose description for this cookie is completely missing. For some cookies, a seemingly generic naming convention is used, for example _gat_gtag_UA_*. Since different cookies must have different purposes (otherwise one cookie would suffice instead of several), accurate descriptions are missing for the generically named cookies. Instead, a generic description is given as the purpose: “Is used to throttle request rate. If Google Analytics is provided via the Google Tag Manager, this cookie gets the name _dc_gtm.” This description is obviously completely unsuitable to explain the purpose of the cookie (or tool; with CCM19 on website N it is not clear which of the two is meant) to a normal citizen.
  • Inadequate classification of services/cookies: The website N lists three categories: Technically necessary, Analysis, Marketing as well as Advertisements / Ads. There is no description for any of the categories. It will be difficult for the average citizen to grasp the difference between Marketing and Advertisements / Ads. Google Analytics is assigned to the category Advertisements / Ads. Some would want to assign the tool to the category Analysis.
  • Missing information on data transfer to third countries: Information on this is missing for some tools in the consent query. This information is mandatory.
  • Missing imprint: On the consent window, there is a link named Impressum. When you click on this link, an empty popup appears with the title Impressum.

Klaro!

Websites using Klaro!:

  • www.dillinger.de
  • kiprotect.com
  • digitale-helden.de
  • and one other (which may be mentioned below)

Some of these websites were tested and evaluated below.

Klaro! is apparently mainly used on websites that already place great emphasis on data protection and use only a few tools. Klaro! is not particularly widespread either. Therefore, results are only shown for two websites below. Apparently, updating the core of Klaro! does not work or is not intended, because the Klaro! consent windows on various websites looked significantly different, and the apparently newer variants showed better designs.

Website P

The consent window of the website looks like this:

Consent window of the website P (image was automatically translated).
Findings
  • Misleading statement on data collection: As the illustration shows, it pretends that only the website currently being visited collects data about the user ("… what information we collect about you") and not other third parties.
  • Lack of information on the right of withdrawal: As the illustration shows, there is no indication of any right of withdrawal.
  • Missing provider information: Provider identifiers including company details are missing for all services on the consent form.
  • Missing mention of services and cookies used: As the figure shows, all mentions of services and cookies used are missing. A detailed view is obviously not available.
  • Missing description of services used: As the figure shows, all descriptions of services used are missing.
  • Questionable pre-activation of a tool: Before the consent query is confirmed, the analysis service etracker is already active. This can be seen in the privacy policy, where this service is marked as active with a slider. In the consent window itself, however, this setting cannot be changed.
  • Missing privacy notices: For the service DoubleClick there are no descriptions in the data protection declaration (no information is provided for Google Ads, a possible synonym for DoubleClick, either). For the service Eloqua the provider is insufficiently named as Oracle Marketing Cloud in the data protection declaration. Neither do any concrete cookie notices appear there, instead placeholders are found.
  • Loading tools without consent: Already when calling up website P and without clicking on anything, the tools Google Maps, YouTube Video, Eloqua and DoubleClick are loaded. For Google Maps and YouTube Video, consent is (probably) requested through the categories Maps and Video – exactly this cannot be said, since any descriptions of services are missing in the consent window. Google Maps is even fully functional and visible when loaded without consent, while embedded YouTube videos are not visible but only loaded in the background as a YouTube video script. etracker is also loaded in this way. As a result, a cookie named _et_coid with a value suitable for user identification and a duration of two years is set for the domain etracker.com. This, too, requires consent; at least no statement about a data processing agreement (AVV) or similar is made.
  • Privacy policy not directly accessible: When calling up the privacy policy of website P, the consent pop-up appears unless it has been confirmed beforehand. It is therefore not possible to read the privacy policy directly.
  • Privacy policy not available: When the P website is first accessed, the consent window on standard smartphones hides all links, including those to the privacy policy. This means that it is very likely not available because after clicking away the consent window, two further clicks, i.e. a total of three, are required to access the privacy policy. A maximum of two clicks is permitted.
  • De-emphasizing the reject option: The reject button is labeled "Reject" and visually slightly de-emphasized compared to the accept button. This is probably illegal.
  • Suspicious hint that video requires cookies: If one does not agree to "Videos" and calls up a page with an embedded video, the hint "Please activate Cookies to display the video." appears where the video would appear. A hint about cookies is given here. The video uses no cookies (youtube-nocookie.com). Nowhere on website P are concrete statements made about the cookies used. Apart from that, a video can in principle be displayed or played without cookies.
  • Faulty functionality in the consent window: In the consent window, a function is available to activate all consents simultaneously. This function is initially deactivated, which is correct because the categories Analytics, Video and Maps are initially inactive too. If, for example, only Analytics is activated, Activate all is automatically activated as well. This is either legally wrong (if indeed all consent-relevant processes were activated) or misleading and contrary to expectations.
  • Missing information on data transfer to third countries: Information on this is missing in the consent query, although services are used that transfer data to third countries. This information is mandatory.

Website Q

The consent window of the website looks like this:

Consent window of the website Q (image was automatically translated).
Findings
  • Lack of information on the right of withdrawal: As the illustration shows, there is no indication of any right of withdrawal.
  • No voluntary decision possible: As can be seen in the illustration, no direct refusal is possible. This appears to be illegal.
  • Unauthorized loading of tools and cookies without consent: Loaded without consent are Google Maps, Google Fonts, Google reCAPTCHA, Google AdWords Conversion Tracking, KlickTipp, a PayPal payment service as well as scripts from betterplace.org and app.acuityscheduling.com.
  • Missing privacy notices: For Google reCAPTCHA and Betterplace, the mandatory notices are missing from the website's data protection policy Q.
  • Privacy policy not directly accessible: When calling up the privacy policy from website Q, the consent window appears if it has not been confirmed beforehand. It is therefore not possible to read the privacy policy directly.
  • Missing provider specification: When clicking on Configure… in the consent window of Figure 49, a selection with mention of applications appears. In the initial view, the shown applications are not visible. For all services (here named Applications) the provider is missing.
  • Unclear statement regarding necessary data collection: In the consent window, there is talk of storage of settings for this application. Calling a website an application is probably not wrong, but likely not understandable for the average citizen.
  • No mention of cookies: There is no specific information on cookies, such as their name or duration of function, either in the consent window or in the privacy policy of website Q.
  • Privacy policy not fully available: When the Q website is first accessed, the consent window on common smartphones hides all links, including those to the privacy policy. This means that it may not be available.
  • Missing information on data transfer to third countries: Information on this is missing in the consent query, although services are used that transfer data to third countries. This information is mandatory.

OneTrust / Optanon / Cookie Law

Optanon was taken over by OneTrust, so both tools should be considered together. The product is apparently also referred to as Cookie Law, so this variant is considered together with them as well.

Websites that use OneTrust:

  • euronics.de
  • springer.com/en
  • kia.com/de
  • and one other (which may be mentioned below)

Some of these websites were tested and evaluated below.

General findings

OneTrust is a consent tool that uses resources from an insecure third country.

OneTrust loads resources from the domain onetrust.com. This domain appears to be operated by an American company and delivers content from a server in the USA. According to the Privacy Statement of the domain onetrust.com, the provider is located both in the USA and in the United Kingdom (UK). If the location in the USA is correct, OneTrust is entirely unsuitable on its own as a GDPR-compliant consent solution, because consent for the consent tool itself would have to be obtained before using it, which seems absurd. According to the privacy policy of website W, the provider of OneTrust is located in the UK and therefore, since 01.01.2021, no longer within the scope of application of the GDPR. As of December 21, 2020, there was still no adequacy decision for the UK, making it an uncertain third country (as of December 28, 2020, a transition period of four or six months from 2021 seems to apply, after which the UK would be considered an uncertain third country without an adequacy decision).

Since the website onetrust.com does not contain a proper imprint and no proper statement of the person responsible for data processing, the provider thereby disqualifies itself.

According to WHOIS information, the domain onetrust.com is registered with Namecheap Inc. (with a reference to the website namecheap.com). According to the website namecheap.com, Namecheap Inc. is an American company. The WHOIS information also lists a company in Panama as registrant, to conceal the identity of the actual registrant:

Registrant of the website onetrust.com according to https://who.is (image was automatically translated).

Another reason not to use OneTrust.

Website U

The consent window of the website looks like this:

Consent window of the website U (image was automatically translated).
Findings
  • Loading tools without consent: Already when loading website U and without clicking on anything, the consent tool OneTrust is loaded (cf. above). A call is made to the address geolocation.onetrust.com, which performs a geolocation of the current user and returns location data as a result. Geolocation in the context of a consent query could only be justified if consent were requested only from persons who, according to their IP address, are located within the GDPR's legal area. This is however incorrect, because the market location principle (Marktortprinzip) applies, which means that a website must comply with the GDPR as soon as it targets a market subject to the GDPR. In addition, geolocation based on the IP address etc. is never reliably possible. Furthermore, a user can (legitimately) use a proxy to conceal their location. After geolocation has been performed, a cookie is stored for 30 days that contains the results of the geolocation. This information can be used to identify and track users (very reliably in conjunction with the IP address and/or device fingerprints).
  • No voluntary decision possible: As can be seen in the illustration, no direct refusal is possible. This appears to be illegal.
  • Inadequate description of tools: Numerous details in the consent form on website U are unclear, incomplete or in English. The following terms are unclear, suboptimal or incomprehensible: "Host": What does this term mean?; "Duration: 4 years": What does this mean?; "Type: 3rd party": What does this mean?; Description in English: Not understandable for a German reader without knowledge of English.
  • Incorrect classification of cookies: Cookies should not be distinguished by technical criteria, but by substantive criteria that matter for the user's decision. Here OneTrust fails: the cookie named OptanonConsent, which is set by OneTrust, is technically a first-party cookie. In substance, it is obviously a third-party cookie. Reasoning: the cookie is set and read by the OneTrust script, which is loaded from a third-party server.
  • Dubious description of cookie categories: A category for cookies apparently assigned by OneTrust is Performance Cookie. This term is generally not widely known, at least not in common usage. As a description of it, the consent query of website U provides a long, rather incomprehensible text.
  • Missing provider specification: There is no provider specification for the services used. One service provider is referred to as Awin. Which provider and company is behind this abbreviation is searched for in vain in the consent popup. Even the privacy policy of website U reveals nothing about this. As far as the author knows, Awin is an advertising platform. This has absolutely nothing to do with the assigned category Leistungs-Cookies (performance cookies).
  • Missing mention of cookie information: For many cookies, no description is provided in the consent query on Website U.
  • Missing mention of cookies: At least one cookie (Facebook-Pixel, name: __fbp) is set, but not mentioned in the cookie consent of the website U.
  • Missing data protection information: The privacy policy of website U lacks numerous data protection texts for the services used. Apparently, the descriptions of all services were "forgotten" or supposedly outsourced to the cookie consent popup, which can be accessed via a link from the privacy policy. Unfortunately, numerous details are missing from this cookie consent popup as well, so that they are missing entirely, even though they are required. The reason for this is apparently that a cookie-centric data protection approach has been chosen, which obviously causes problems.
  • Inadequate revocation option: Apart from the fact that the revocation option is difficult to find, it contains structural flaws that are not acceptable for the user. Revoking all granted consents with one click is not possible. Instead, all "cookie categories" must be clicked in sequence, and then each category must be deactivated manually. This requires 8 clicks. If one deactivates a category, however, the button "All cookies allowed" appears directly. Apparently more value was placed on obtaining consent than on revoking or rejecting it.
  • Revocation is not executed immediately: After revoking all consents, all cookies set before the revocation are still present. The website is not reloaded. Therefore, it can be assumed that the already loaded services like Google Analytics are still active.
  • Revocation is not fully executed: When reloading the website manually, all cookies set before revocation are still present. This appears to be unlawful because the revocation was partially ignored. Only the services that were no longer consented to will no longer be reloaded. If one reloads the website U anew and grants consent again at some point, for example for Google Analytics, this service can fall back on existing cookies from a previous session. User tracking is thus still possible. Otherwise, the same user would officially (according to Google) be considered as two different users in these two sessions.
  • Missing information on data transfer to third countries: Information on this is missing in the consent query, although services are used that transfer data to third countries. This information is mandatory.
  • Privacy policy not directly accessible: When calling up the privacy policy of website U, the consent pop-up appears if it has not been confirmed beforehand. Reading the privacy policy directly on larger screens is only possible to a limited extent and not at all on smaller screens.

Website V

The consent window of the website looks like this:

Consent window of the website V
Findings
  • English-language texts: As the illustration shows, the notices are shown in English, although website V is otherwise presented in German.
  • Missing information on the revocation option: As the illustration shows, there is no information on the revocation option (the English version "You can manage your preferences…" is not considered to be available for a German reader).
  • No voluntary decision possible: As can be seen in the illustration, no direct refusal is possible. This appears to be illegal.
  • Loading tools without consent: Already when loading the website V and without clicking on anything, the consent tool OneTrust is loaded. Furthermore, so many tools are loaded without consent that only an excerpt can be mentioned here: Google Tag Manager, Facebook Connect, Google Analytics, Hotjar, Twitter Analytics, DoubleClick, Outbrain, Adscale, ShareThrough. In addition, some cookies are loaded without consent, including cookies from Google Analytics, Facebook Connect and Hotjar.
  • Missing provider information: For all tools and cookies used, the providers are not named on the consent query of Website V. Instead, they are named in the form of a list of cookie names.
  • Missing description of cookies: There is no information about the cookies (except for the name).
  • Inadmissible pre-assignment: Although website V was called up without clicking on anything and although the consent query is still visible on the screen, default settings for processes to be consented to have already been made in the consent window.
  • Lack of revocation option: Instead of a revocation option, website V explains in the Cookie Policy: "The Privacy Preference Centre can be accessed either via the banner displayed when you first visit the site or after clearing deleting cookies. It allows you to view the groups of cookies we store (as outlined above in How We Use Cookies), and manage whether the cookies for those groups are active …"
  • Missing privacy notices: For some services, such as WebTrekk, there are no indications in the website's data protection declaration V. Due to the multitude of tools used on the website, and the fact that the data protection declaration is only available in English, a more detailed examination was waived.
  • Missing mention of cookies: At least one cookie (Google Analytics, name: _gcl_au) is set, but not mentioned in the cookie consent of the website V.
  • Missing information on data transfer to third countries: Information on this is missing in the consent query, although services are used that transfer data to third countries. This information is mandatory.

Website W

The consent window of the website looks like this:

Consent window of the website W (image was automatically translated).
Findings
  • No voluntary decision possible: As can be seen in the illustration, no direct rejection is possible. The option to reject ("Change") is also visually de-emphasized. This appears to be illegal.
  • Questionable focus on cookies: As can be seen in the illustration, processes requiring consent are reduced to cookie notices. This is wrong in itself, because data processing can also require consent without cookies. Furthermore, it is not visible in the illustration that the text Mehr erfahren (More information) links to the privacy policy, which in turn is incorrectly called Datenschutz- und Cookie-Richtlinie (Data protection and cookie guidelines). In the privacy policy, there is at least a reference to "Cookies and similar technologies", from which it can be inferred that even the website operator considers focusing on cookies incomplete.
  • Loading tools without consent: Already when loading the website W and without clicking on anything, the consent tool OneTrust is loaded. Furthermore, at least the following tools are loaded without consent: Google Maps, Facebook Connect, Google AdWords Conversion Tracking, YouTube Video. In addition, some cookies are loaded without consent, including those from Google AdWords Conversion Tracking and YouTube Video. For example, the privacy policy of website W indicates an American provider for YouTube Video.
  • Privacy policy not directly accessible: When calling up the privacy policy from website W, the consent window appears unless it has been confirmed beforehand. It is therefore not possible to read the privacy policy directly.
  • Inadequate provider specification: For too many cookies (possibly all; this could not be determined in the time available due to the large number of cookies) the provider is not sufficiently named. No provider name is given. At best, the Host field could be considered an incomplete provider name.
  • Unclear cookie statements: The cookie VISITOR_INFO1_LIVE is described with an English text. This is unacceptable for the German market. As Art (type), 3rd Party is given, which is equally unclear. As Dauer (duration), 7985.5 years is given. Apart from the impermissible English, the decimal point does not follow German notation.
  • Unclear description of cookies: For the NID cookie, a description is given without any relevance (excerpt): "This domain is owned by Google Inc. Although Google is primarily known as a search engine, the company provides a diverse range of products and services." For the cookie _ga, the purpose is stated: "This cookie serves to distinguish visitors." For the cookie __utma, the purpose is stated: "With this cookie we can determine whether someone has ever visited our website or not." Both cookies are assigned to Google Analytics in the privacy policy. Why two cookies should be necessary for recognizing a visitor remains unclear.
  • Missing privacy notices: At least for the service DoubleClick there are no indications at all in the website's data protection declaration and in the consent window.
  • Lack of revocation option: Even after a lengthy search, no revocation option could be found on website W. Instead, the data protection declarations for some services provide links to the provider pages, which can allegedly be used to object to data collection (per service and provider).
  • Missing information on data transfer to third countries: Information on this is missing in the consent query, although services are used that transfer data to third countries. This information is mandatory.
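The checks that recur in the findings above (third-party hosts contacted before any click, cookies that are persistent, undeclared or declared only with N.A. or a unitless lifetime, and cookies that survive a revocation) can be scripted once the browser's requests and cookie jar before and after the decision have been recorded. The following Python script is an added example and not code from this article or from any of the consent tools tested; the capture it evaluates (www.example-shop.de as a hypothetical first party, the hosts, cookie names and lifetimes) is constructed for illustration, and the `base_domain` helper only looks at the last two labels of a host name.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import timedelta
from urllib.parse import urlparse

# Strings that look like information but carry none (cf. "N.A." in the findings).
PLACEHOLDERS = {"", "n.a.", "n/a", "-", "unknown"}


@dataclass(frozen=True)
class Cookie:
    """A cookie as found in the browser's cookie jar."""
    name: str
    domain: str                  # domain the cookie was set for
    lifetime: timedelta | None   # None = session cookie


@dataclass(frozen=True)
class Declaration:
    """What the consent window states about a cookie."""
    provider: str
    purpose: str
    lifetime: str                # verbatim text shown to the user


def base_domain(host: str) -> str:
    """Naive registrable domain (last two labels); enough for the .de/.com
    sample, a public-suffix list is needed for co.uk and similar."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_placeholder(text: str) -> bool:
    return text.strip().lower() in PLACEHOLDERS


def third_party_hosts(requests: list[str], site_host: str) -> list[str]:
    """Hosts contacted before any click that lie outside the site's own domain."""
    own = base_domain(site_host)
    hosts = {urlparse(u).hostname for u in requests}
    return sorted(h for h in hosts if h and base_domain(h) != own)


def audit_pre_consent_cookies(observed, declared, site_host, exempt=frozenset()):
    """Map each problematic cookie present before consent to its finding codes.
    exempt: cookies that may be set without consent, e.g. the one that records
    the consent decision itself."""
    own = base_domain(site_host)
    findings: dict[str, list[str]] = {}
    for c in observed:
        codes = []
        if c.lifetime is not None and c.name not in exempt:
            codes.append("persistent-before-consent")
        if base_domain(c.domain) != own:
            codes.append("third-party-domain")
        decl = declared.get(c.name)
        if decl is None:
            codes.append("undeclared")
        else:
            if is_placeholder(decl.provider):
                codes.append("provider-missing")
            if is_placeholder(decl.purpose):
                codes.append("purpose-missing")
            # "N.A." or a bare number without unit says nothing about duration.
            if is_placeholder(decl.lifetime) or decl.lifetime.strip().isdigit():
                codes.append("lifetime-unusable")
        if codes:
            findings[c.name] = codes
    return findings


def cookies_surviving_revocation(before, after, exempt=frozenset()):
    """Consent-requiring cookies still in the jar after 'revoke all' and a reload."""
    remaining = {c.name for c in after}
    return sorted(c.name for c in before if c.name in remaining and c.name not in exempt)


# --- constructed sample capture (illustrative values, not a real site) ---------
SITE_HOST = "www.example-shop.de"            # hypothetical first party
CONSENT_COOKIE = frozenset({"OptanonConsent"})
PRE_CONSENT_REQUESTS = [
    "https://www.example-shop.de/",
    "https://cdn.example-shop.de/app.js",
    "https://geolocation.onetrust.com/placeholder-path",
    "https://www.youtube.com/embed/placeholder-id",
    "https://stats.g.doubleclick.net/placeholder-path",
]
PRE_CONSENT_COOKIES = [
    Cookie("OptanonConsent", "www.example-shop.de", timedelta(days=365)),
    Cookie("ASP.NET_SessionId", "www.example-shop.de", None),
    Cookie("_ga", "example-shop.de", timedelta(days=730)),
    Cookie("_et_coid", "etracker.com", timedelta(days=730)),
    Cookie("VISITOR_INFO1_LIVE", "youtube.com", timedelta(days=180)),
]
DECLARED = {
    "OptanonConsent": Declaration("OneTrust", "Stores the consent decision", "1 year"),
    "ASP.NET_SessionId": Declaration("Website operator", "", "0"),
    "_ga": Declaration("N.A.", "N.A.", "N.A."),
}
AFTER_REVOCATION_COOKIES = [                  # jar after "revoke all" + manual reload
    Cookie("OptanonConsent", "www.example-shop.de", timedelta(days=365)),
    Cookie("_ga", "example-shop.de", timedelta(days=730)),
    Cookie("_et_coid", "etracker.com", timedelta(days=730)),
]


def run_audit() -> dict:
    return {
        "third_party_hosts": third_party_hosts(PRE_CONSENT_REQUESTS, SITE_HOST),
        "cookie_findings": audit_pre_consent_cookies(
            PRE_CONSENT_COOKIES, DECLARED, SITE_HOST, CONSENT_COOKIE),
        "survived_revocation": cookies_surviving_revocation(
            PRE_CONSENT_COOKIES, AFTER_REVOCATION_COOKIES, CONSENT_COOKIE),
    }


if __name__ == "__main__":
    for section, result in run_audit().items():
        print(section, result)
```

Running the script prints the three result sections. In practice the request list and the two cookie lists come from the browser's developer tools or a HAR export, taken once before any click and once after "revoke all" plus a manual reload, which is the sequence described for website U above; the consent tool's own cookie is the only one exempted from the persistence check.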

Conclusion

The many shortcomings listed should speak for themselves. My review was only moderately thorough. A more detailed examination would certainly reveal even more problems, for example if the privacy policies provided on the tested websites for the individual tools were analyzed in more detail.

All consent tools show considerable weaknesses in practical use, which in my view are shameful. Even most providers of consent tools do not manage to produce a halfway decent GDPR-compliant website with their own tool.

It is best not to use a standard consent tool, but rather only use tools that do not require consent or where it is clear which data is collected and how.

Larger companies should create their own consent solution. This can then be legally secure, in contrast to the unsuitable material that is sold thousands of times in my opinion.

The 100 euro bet

I'm going to be brave and offer 100 euros from my private assets to the first website operator who contacts me and uses one of the tested consent tools on their website and complies with all the regulations (not exactly, but only substantially!). However, the condition is that a sufficient number (more than three) of popular tools requiring consent must be used on the website. If there are exactly three, I will take a look at them and accept the bet if necessary. The website must have existed in its basic form for several months. Quickly creating a website for the bet is not permitted.

I bet there is no one who can provide a legally compliant consent solution for the type of websites just mentioned. This is not about a missing comma, but about major shortcomings. I have also announced my bet on social media and am waiting for brave people to bring any website, which doesn't even have to be their own, into play. Please contact me by email.

This bet runs until 30.06.2021.

Proposed solutions

We have all been led astray by the free tools from Google and others. Great function, bad data protection, I would call it.

My suggestion for GDPR-compliant websites with less effort than trying to make the impossible possible (see Consent Tools practical test):

  • Inventory of all tools used
  • Remove all tools that are no longer required
  • Host fonts, JavaScript libraries and external images locally
  • Use alternatives for critical tools
  • If you're thinking about a consent query, it's better to think about it again after sleeping on it (see my checklist)
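The first three steps of this list begin with knowing which external hosts a page pulls resources from. The Python scan below is an added example, not the author's website check or any project's code; it parses a constructed sample page with the standard library's html.parser, lists scripts, stylesheets, images, iframes and url(...) references inside style blocks, and marks each as first or third party together with the action this list suggests: host it locally, or, for embedded frames such as videos, remove it, replace it, or load it only after consent. The host names in the sample markup are illustrative, GTM-PLACEHOLDER is a placeholder id, and the `base_domain` helper only compares the last two labels of a host name.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Matches url(...) references in CSS (web fonts, background images).
URL_IN_CSS = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")


class ResourceCollector(HTMLParser):
    """Collects every URL the browser would fetch while rendering the markup."""

    def __init__(self):
        super().__init__()
        self.resources = []      # list of (kind, url as written in the page)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"]))
        elif tag == "link" and a.get("href"):
            rel = (a.get("rel") or "").lower()
            self.resources.append(("stylesheet" if "stylesheet" in rel else "link", a["href"]))
        elif tag in ("img", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "style":
            self._in_style = True
        for url in URL_IN_CSS.findall(a.get("style") or ""):   # inline style="..."
            self.resources.append(("css-url", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                                      # <style> blocks
            for url in URL_IN_CSS.findall(data):
                self.resources.append(("css-url", url))


def base_domain(host):
    """Naive registrable domain (last two labels); fine for the .de/.com sample."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def inventory(html, page_url):
    """One row per fetched resource, with the action suggested in the list above."""
    own = base_domain(urlparse(page_url).hostname)
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    rows = []
    for kind, raw in collector.resources:
        url = urljoin(page_url, raw)                 # resolve relative paths
        host = urlparse(url).hostname or ""
        third_party = base_domain(host) != own
        if not third_party:
            action = "keep (first party)"
        elif kind == "iframe":
            action = "remove, replace with a local alternative, or load only after consent"
        else:
            action = "host locally"
        rows.append({"kind": kind, "host": host, "url": url,
                     "third_party": third_party, "action": action})
    return rows


def third_party_hosts(rows):
    return sorted({r["host"] for r in rows if r["third_party"]})


# Constructed sample page; host names are illustrative, GTM-PLACEHOLDER is a placeholder id.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="/static/app.js"></script>
<style>@font-face { font-family: X; src: url(https://fonts.gstatic.com/placeholder.woff2); }</style>
</head><body>
<img src="https://cdn.example-partner.com/banner.png">
<img src="/img/logo.png">
<iframe src="https://www.youtube.com/embed/placeholder-id"></iframe>
</body></html>"""
PAGE_URL = "https://www.example-shop.de/"            # hypothetical first party


if __name__ == "__main__":
    for row in inventory(SAMPLE_HTML, PAGE_URL):
        flag = "3rd" if row["third_party"] else "1st"
        print(f"{flag} {row['kind']:10} {row['host']:28} -> {row['action']}")
```

The scan only covers what is visible in the delivered HTML; scripts that load further scripts at runtime (a tag manager is the typical case) will not show up until the page is observed in a browser, which is why the inventory step and a recording of actual requests belong together.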

Key messages

Popular website cookie consent tools are ineffective and often illegal because they fail to meet the requirements of data protection laws like GDPR.

Popular consent tools used on websites often fail to comply with data protection laws, making it difficult for users to refuse data collection.

Most website consent tools are poorly designed and don't actually comply with data privacy regulations.

About

About the author on dr-dsgvo.de
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
