On May 5th, 2020 the European Data Protection Board (EDPB) updated its guidelines on consent for websites. This can already be viewed here in English. In the guideline, the EDSA again points out that access to a website must not depend on whether a visitor accepts cookies or not. Even the simple continued use or the simple click on “OK” in the cookie banner does not constitute an effective consent within the meaning of the GDPR. This update emphasizes the judgment of the ECJ of October 1st, 2019.
Cookies are small text files that are stored on the visitor’s computer when a website is called up. Due to various ID numbers that are contained in cookies, website visitors can be identified when the website is accessed again. Cookies may therefore contain personal data and must therefore be taken into account in accordance with the GDPR.
Many websites still contain a cookie banner, also known as a cookie wall, which merely offers a simple “OK” button or simply indicates the use of cookies.
“If you use this website, you agree to the activation of cookies”
“This website uses cookies. [OK button] ”
Cookie banners with such or similar texts do not represent effective consent within the meaning of the GDPR. The EDSA also makes it clear that there is no clearly confirmed action here. Such “cookie walls” contradict the aspect of voluntariness and thus violate the General Data Protection Regulation. Possible selection fields for the use of technically unnecessary cookies must be explicitly set by the website visitor and must not be active by default.
Insufficient cookie banners on websites should not be underestimated in terms of data protection. This shows an existing judgment in which the Spanish supervisory authority imposed a fine of € 30,000 because a website operator had not implemented his cookie consent in accordance with data protection regulations.
“The Spanish Data Protection Agency (AEPD) has sanctioned Vueling Airlines with 30,000 euros for not giving users the ability to refuse their cookies and force them to use them if they want to browse its website. In other words, it was not possible to browse the Vueling page without accepting their cookies. “Source: https://www.enforcementtracker.com/
This judgment is an incident from Spain. However, it cannot be ruled out that German companies will not have to expect the same or even higher fines.
The updated guideline of the EDSA and the quote from the German Federal Commissioner for Data Protection and Freedom of Information Professor Ulrich Kelber make this clear:
“There are still websites that, due to their structure, impose tracking on users. The updated guidelines make it clear again that consent cannot be enforced. […] I would like those responsible to draw the right conclusions from this and finally offer data protection-friendly alternatives. ”
Au Do you want to avoid the risk of a GDPR fine in your company? We are happy to support you in checking your website for GDPR compliance. In addition to the correct use of cookies, we also check other data protection and technical aspects of the corresponding cookie consent. Please contact us.
Unser Team – Ihr Vorteil | Hier stellen wir uns vor.
Unser Team besteht aus erfahrenen Juristen, Webspezialisten, IT-Experten, zertifizierten Datenschutz- und Informationssicherheitsbeauftragten. Mit unserer Erfahrung, Expertise und erprobten Verfahren, helfen wir Unternehmen, praxisnahe Lösungen im Bereich Datenschutz und Informationssicherheit zu finden. So helfen wir beispielsweise bei der Umsetzung der DSGVO oder der Einführung von Informationssicherheitsmanagementsystemen (ISMS).