Many tools may only be used after consent has been given by the user. The following overview shows which of the better-known tools require consent.
The question always arises whether a certain tool, such as Google Maps, can simply be used on a website.
There are essentially three legal bases that can be used to decide whether consent must be obtained:
1. Is personal data processed without a legitimate interest?
2. Is personal data transferred to insecure third countries such as the USA?
3. Are cookies used by the service that are not necessary, or is the service itself not functionally necessary?

The processing mentioned under 1. amounts in most cases to a data transfer. In particular, a legitimate interest cannot be assumed if the data transfer was avoidable. A data transfer is clearly avoidable, for example, when external fonts are retrieved.
Since an IP address is already a personal data point, every access to a file (image, script, video, font etc.) from an external address is a relevant event in terms of data protection law. ([1])
Whether insecure third countries are involved cannot be reliably determined even with a WHOIS query. But since the person responsible for a website must prove that they do not communicate with insecure third countries, one should assume the worst case.
As soon as non-functional cookies (or their values) could be transmitted, the ePrivacy Directive applies. It requires consent, regardless of whether personal data is stored in the cookie or not. The ePrivacy Directive also applies to Germany, as the Federal Court of Justice has established. That the nature of the data is irrelevant for the requirement of consent was established by the ECJ in its judgment on Planet49.
The overview shows which tools require consent for legally compliant use and where this can be derived from. For some tools, there are special articles that provide even more information. These tools are provided with a link in the table.
| Tool | Consent necessary? |
|---|---|
| Google Analytics | Yes, see Configurations of Google Analytics (ePrivacy and Art. 5 and 6 GDPR) |
| Google Maps | Yes, because cookies are involved (ePrivacy) |
| Google Fonts | Yes, because data transfer is avoidable and because data is potentially distributed worldwide (Art. 5 and 6 GDPR and others) |
| Google reCAPTCHA | Yes, because cookies are involved (ePrivacy) |
| Fast Fonts (Fonts.com) | Yes, because a tracking pixel must be integrated and because the provider is based in the USA (Art. 6 and 44 et seq. GDPR) |
| Google Tag Manager | Yes, because cookies are involved (even if many people don't want to believe it; my article on Tag Manager proves it) and because data transfer before consent is avoidable (ePrivacy and Art. 5 and 6 GDPR) |
| External images | Yes, because the data transfer is easily avoidable (Art. 5 GDPR) |
| SoundCloud Audio Player | Yes, because cookies are involved (ePrivacy) |
| YouTube Video | Yes, because either cookies are involved or extensive tracking without cookies (ePrivacy and Art. 6 GDPR) |
| Vimeo Videos | Yes, because avoidable data transfers take place and because the provider is based in the USA (Art. 6 and 44 et seq. GDPR) |
| OneTrust | Yes, because the provider of this consent tool is based in the US (Art. 44ff. GDPR). |
| Cloudflare files | Yes, because the operator of this content delivery network does not take data protection seriously and because the data transfer is avoidable or because there are data protection-friendly data centers (Art. 6 and 44ff. GDPR) |
| Font Awesome | Yes, because an avoidable data transfer takes place and because the provider is based in the USA (Art. 5 and 6 as well as 44ff. GDPR) |
| Facebook Pixel | Yes, because … everything speaks against it from a data protection perspective. The same applies to Facebook plugins, Twitter plugins, Pinterest plugins, etc. Specifically: for tracking, the consent requirement (Art. 5 and 6 GDPR) applies. If cookies are used, the ePrivacy Directive applies as well. |

Anyone considering a consent solution should read my comprehensive investigation of consent tools. According to it, they are all unusable in practice because they leave unlawful websites behind. I have called the whole thing Cookiegeddon because the result is so embarrassing.
Anyone who still needs to use a consent tool faces a lot of work. My checklist for consent requests reveals why.
The following procedure is better:
- Remove unnecessary tools. Life can sometimes be that simple (those who get angry now should take a serious look at how useful some tools really are, for example Google Maps or Google Analytics).
- Use alternatives, see also my articles on the tools in the table (example: Google fonts can be integrated locally, videos can be replaced by a local copy or a preview image with an external link)
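
To decide what to remove or host locally, it helps to inventory every file a page pulls from another host when it loads. The following sketch is an added example, not code from this article or its author; the sample page, the `audit` helper and the rule that only an exact host match counts as "own" content are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes the browser fetches on page load (a plain <a href> is not fetched).
FETCH_ATTRS = {"script": ["src"], "img": ["src"], "iframe": ["src"], "embed": ["src"],
               "audio": ["src"], "source": ["src"], "video": ["src", "poster"], "link": ["href"]}
LINK_RELS = {"stylesheet", "preload", "modulepreload", "icon", "preconnect", "dns-prefetch"}
CSS_REF = re.compile(r"""(?:@import\s+(?:url\(\s*)?|url\(\s*)['"]?([^'")\s]+)""", re.I)

class ExternalLoadAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.own_host = page_url, urlsplit(page_url).hostname
        self.findings, self._in_style = [], False    # findings: (host, tag, url)

    def _record(self, tag, ref):
        url = urljoin(self.page_url, ref.strip())    # resolves relative and //host refs
        host = urlsplit(url).hostname                # None for data: URIs
        if host and host != self.own_host:           # assumption: exact host match = own
            self.findings.append((host, tag, url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_style = tag == "style"
        if tag == "link" and not LINK_RELS & set((a.get("rel") or "").lower().split()):
            return                                   # e.g. rel=canonical triggers no fetch
        refs = [a[n] for n in FETCH_ATTRS.get(tag, []) if a.get(n)]
        for ref in refs + CSS_REF.findall(a.get("style") or ""):
            self._record(tag, ref)

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):                     # CSS inside <style> blocks
        for ref in CSS_REF.findall(data) if self._in_style else []:
            self._record("style", ref)

def audit(html, page_url):
    parser = ExternalLoadAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page (not taken from a real site).
SAMPLE = """<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/css/site.css"><link rel="canonical" href="https://other.example/">
<style>@import url("//use.fontawesome.com/releases/all.css"); body{background:url(/img/bg.png)}</style>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<img src="/img/logo.png"><img src="data:image/gif;base64,R0lGOD">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<a href="https://www.youtube.com/watch?v=VIDEO_ID">Watch on YouTube</a>"""
```

`audit(SAMPLE, "https://www.example.org/")` returns one finding per external load; the local files, the `data:` image and the plain link to YouTube are not reported. A static scan like this misses requests that scripts trigger at runtime, so the browser's network log remains the authoritative check.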
Among all subscribers of my newsletters, I occasionally give away free website checks. If you would like a first assessment, write to me briefly. I'll give you brief, helpful feedback on your website.




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.