Cookie banners buzz around us like annoying flies. Some are completely unnecessary, some merely pretend to be GDPR-compliant, and most are not compliant with the regulations. Therefore, I will attempt to highlight the most important points below.
1. The GDPR is not to blame for everything!
The real reason why prior consent must be obtained from website visitors for certain services is not the GDPR, but Article 5, Paragraph 3 of the ePrivacy Directive:
Member States shall ensure that the storing of information or the gaining of access to information already stored in the terminal equipment of a subscriber or user is only allowed if the subscriber or user concerned has given their consent, having been provided with clear and comprehensive information, among other things, about the purposes of the processing. ...
Since the ePrivacy Directive takes precedence over the GDPR, Article 6, Paragraph 1, lit. f "legitimate interest" of the GDPR cannot be used as a legal basis for the use of such services. Instead, only Article 6, Paragraph 1, lit. a of the GDPR "consent" applies.
2. What actually requires consent and what does not?
a. Consent is not required, for example, for:
- Client-side device information (e.g., IP addresses, screen resolution, operating system) for displaying websites/apps and for the security of the website/app.
- Technically necessary cookies for language and font settings, user authentication during login, user preferences, shopping cart functionality, or the provision of online forms (session cookies).
- Integration of services to improve display, reduce loading times, or optimize the website (e.g., content delivery via CDN, web fonts, etc.).
So basically, no consent is required for cookies/services that are needed to operate the website or to provide a service explicitly requested by the user. Anyone who uses only such features on their site does not need a cookie or consent banner at all, but simply needs to update their privacy policy accordingly.
The infamous banners like “We use cookies blah, blah, blah… OK” are unnecessary and only serve to confuse and desensitize users.
For tools that perform purely statistical web analytics (e.g., to optimize the web offering), consent is usually not required. Matomo, for example, falls into this category, especially since the service can also be hosted on one's own servers. The use of such services can be based on the legal basis of legitimate interest (Art. 6, Para. 1, lit. f, GDPR). In some cases, it makes sense to conduct and document a balancing of interests. However, this is purely a data protection issue and has nothing to do with the design of banners.
Google Analytics constitutes an exception here, as it is considered a "real" tracking tool by supervisory authorities—even if the website operator is only interested in website statistics. Therefore, Google Analytics requires consent.
b. Consent is required for:
- Behavioral/location-based advertising
- Social Media Plugins
A possible alternative for social media plugins is the Heise 2-click solution (Shariff button). Alternatively, one can simply use graphics or icons with an embedded link instead of plugins. In this case, no consent is required, and the privacy policy only needs to include the relevant information. Optionally, a mouseover popup with a notice (e.g., "You will be redirected to the Facebook page" or similar) can be used. This way, you are ahead of the curve.
The most important aspect of consent-required elements is that consent must be obtained BEFORE any data collection and/or transmission takes place!
3. Map services, video, and streaming platforms
There is currently no consensus on this issue. Some data protection authorities assume that after the adoption of the ePrivacy Regulation (which was supposed to come into effect at the same time as the GDPR but is still pending), prior consent will also be required for these services. This direction is also indicated by recent rulings from the European Court of Justice (ECJ) in Autumn 2019 and the German Federal Court of Justice (BGH) in May 2020.
The Bavarian State Office for Data Protection Supervision (LDA Bayern) currently states on its website that embedding videos without prior consent is permissible if the video starts only after the user actively clicks on it and no data transfer occurs until that point (2-click solution or Embetty). Additionally, YouTube videos should be embedded in enhanced privacy mode (no-cookie).
The LDA Bayern views the situation similarly with Google Maps. The content of Google Maps should only be loaded when the user actively uses the map service, for example, by an extra click (2-click solution).
I inquired about this with the Bavarian State Office for Data Protection Supervision. The description above still reflects the current assessment of the authority. However, it was noted that the justifications for the rulings still need to be thoroughly analyzed. This analysis could potentially lead to a change in the assessment.
Therefore, anyone who wants to be prepared for the future should consider using consent for these services right now. Because more is always better in data protection!
4. Principles for Consent
Consent must be given IN ADVANCE, INFORMED, and VOLUNTARY. In plain terms, this means:
a. IN ADVANCE:
When a website is first opened, all scripts that potentially capture and share user data with third parties must initially be deactivated.
b. INFORMED:
The user should receive concise information about the implemented services in simple, clear language. A clear layout is really beneficial here. After all, the user should be informed, not deterred.
c. VOLUNTARY:
No checkbox should have pre-selected consent. The user must actively agree, not have to opt-out.
Note:
General information such as "This site uses cookies for web analytics and advertising purposes" or "... to improve your browsing experience" alone is not sufficient because the associated processing is not made transparent.
Additionally, voluntariness means that the visitor has a genuine choice—they should be able to use the website even if they do not consent to the use of optional services.
5. Documentation and Obligation to Provide Proof
Consents must be documented and verifiable. According to many data protection authorities, proof through "abstract" information is sufficient (e.g., consent text with date, script or code of the banner with timestamp, time, version stamp, cookie ID of the user, etc.). Collecting additional user data for proof is not necessary and contradicts the principle of data minimization.
6. Opt-Out Function
Users have the right to withdraw their consent at any time. This means there must always be an opt-out solution for the services used. This opt-out function must be easily accessible to site visitors at all times and, of course, must actually work.
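As an added example (not part of the original post), here is a minimal browser-side consent gate that implements the principles from sections 4 to 6: nothing optional loads before an active click, only explicit choices count, the proof record carries the banner text version, a timestamp and a pseudonymous consent ID, and consent can be withdrawn at any time. The service names, the version string and the `loader`/`now` callbacks are assumptions.

```javascript
// Hypothetical version stamp of the banner text, kept in every proof record.
const CONSENT_TEXT_VERSION = "banner-text-v1";
// Constructed service catalogue. Purpose and recipient are the "informed" content;
// `required` services are technically necessary and need no consent.
const SERVICES = {
  session:   { required: true,  purpose: "login, shopping cart" },
  analytics: { required: false, purpose: "website statistics", recipient: "Google LLC" },
  ads:       { required: false, purpose: "behavioural advertising", recipient: "Example Ad Network" },
};
// Pseudonymous consent ID: no extra personal data is collected for proof.
const newId = () => (globalThis.crypto && globalThis.crypto.randomUUID)
  ? globalThis.crypto.randomUUID() : Math.random().toString(36).slice(2);
// `loader(name)` would inject the service's <script> tag in a real page;
// `now` is injectable so the proof record is reproducible.
function createConsentManager(loader, now = () => new Date()) {
  let record = null;         // latest proof record; null = nothing granted yet
  const loaded = new Set();  // services whose script has already been injected
  const isAllowed = (name) =>
    SERVICES[name].required || (record !== null && record.granted.includes(name));
  function applyState() {
    for (const name of Object.keys(SERVICES)) {
      if (isAllowed(name) && !loaded.has(name)) { loader(name); loaded.add(name); }
    }
  }

  return {
    isAllowed,
    // IN ADVANCE: on page load only technically necessary services start.
    init() { applyState(); return [...loaded]; },
    // VOLUNTARY: call only from the user's active click on the banner. Only keys
    // explicitly `true` count; an un-ticked box, closing the banner or scrolling
    // on grants nothing, because those keys are simply absent.
    grant(choices) {
      const granted = Object.keys(SERVICES)
        .filter((n) => !SERVICES[n].required && choices[n] === true);
      record = { consentId: newId(), version: CONSENT_TEXT_VERSION,
                 timestamp: now().toISOString(), granted };
      applyState();
      return record;  // persist this as proof: text version, time, ID, choices
    },
    // Opt-out: withdrawal gets its own timestamped record. Already-injected scripts
    // cannot be unloaded, so a real page reloads and deletes their cookies.
    withdraw() {
      record = { consentId: record ? record.consentId : newId(), version: CONSENT_TEXT_VERSION,
                 granted: [], withdrawnAt: now().toISOString() };
      return record;
    },
  };
}
```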
7. What could the consent banner look like?
The following content must be included in the banner:
- Responsible party (if not clearly stated on the website)
- Name of the tool
- Purpose of processing
- Recipients of the data
- Notice of voluntariness with the option to withdraw consent (opt-out solution)
- Link to the privacy policy
- Be careful with the placement of the banner: Access to the imprint and privacy policy must not be obstructed!
Only the necessary content is specified; the design of the banner is flexible. To avoid overwhelming the presentation, the information can be provided in various sub-menus. Here is how the first layer of a banner that meets the minimum requirements could be designed:

This example is just one of many possible design variants of the first information layer and serves merely as a guideline.
There are a number of Consent Management Provider (CMP) tools available. You can find information about their features and differences online. Some examples of well-known tools are Cookiebot, Borlabs Cookie, Usercentrics, and Consentmanager.
Basic requirements for a consent tool should include:
- Immediate display of the consent tool upon visiting the site (also applies to apps)
- Display of the banner without covering the legally required information on the website, such as the imprint, terms and conditions, or privacy policy
- Cookies or mobile device advertising IDs may only be set/processed once the user has actively given consent (i.e., no consent through passive behaviors such as navigating the website, automated closing after a period of time, or dismissing the consent tool).
- Visiting the website/app must be possible even if users reject cookies or advertising IDs, etc.
- Opt-out function
- Logging and reporting to support the obligation to provide proof
Every website operator—also through consultation with their web agency—must ultimately decide which solution is right for them. It is worthwhile to review and compare the tools of all relevant providers if you want to avoid the effort of a self-programmed solution.
From a data protection perspective, the selection criteria should also include whether the provider reliably assures GDPR compliance or which server locations are used.
8. And what about marketing?
It is undeniable that many site visitors do not want to be tracked and will therefore click "reject all." While this may be unfortunate from a marketing and analytics perspective, site visitors are simply exercising their legally enshrined right to informational self-determination.
I recently attended an informational event where an employee of the Swedish consent manager provider Jaohawi AB gave a lecture. The presentation included some quite interesting figures on this topic:
In evaluating the acceptance rate, the colleagues found, for example, that on average, 40-50% of site visitors choose the "accept all services" button. Conversely, this means that 50-60% refuse to give their consent.
According to the speaker, the consent rate can be increased to about 65% through banner optimization. For loyal repeat customers, the consent rate rises to about 70%.
On average, according to his remarks, one can assume that approximately half of the marketing data is missing in the evaluations once a consent banner has been implemented. These values can be statistically compensated for by appropriately incorporating them into the forecast.
It is possible to address data protection concerns while simultaneously attempting, from a marketing perspective, to convince more site visitors to allow consent-required services by optimizing the banner (e.g., through positioning, color scheme, wording, etc.).
But please, don't overdo it!
Oversized "Accept" buttons, barely visible "Reject" buttons, or overly manipulative designs do not comply with the law.
The fact is: consent that is not obtained in 100% compliance with the law is 100% unlawful. And this constitutes a violation that can be fined.
Moreover, in addition to data protection authorities, consumer protection organizations are increasingly active in this area and are closely monitoring developments.
9. Conclusion
Use common sense and act fairly. Evaluate which consent-required features are necessary and useful for your customers. Follow the principles and proof obligations, design the banner in a balanced way, and remember the opt-out function.
Further Links and Information
Further information and assistance can be found, among other places, in the Information Center of the DSK (Data Protection Conference) or on the websites of the respective supervisory authorities. In Bavaria, it is important to note that there are two different supervisory authorities (one for the public sector and one for the non-public sector).
In the meantime, there are also quite understandable and practical publications in the specialist literature. Or you can simply ask a knowledgeable data protection officer!