Is there such a thing as THE perfect recipe for a Cookie Banner? Definitely! The trick is to find all the ingredients. 👩🍳
Cookie banners are often a prime example of non-compliance with the law – a bit like a pedestrian crossing at a red light 😉 Many website operators have placed either a non-compliant cookie notice or no cookie notice at all on their website (and in some cases the latter is the lesser evil). A cookie notice banner is quickly installed using a free cookie banner generator or a supposedly good cookie banner plugin.
What could possibly go wrong? Unfortunately, quite a lot!
In most cases, these do not even begin to meet the requirements of data protection laws, policies and recommendations. Many deficiencies are already apparent in the cookie banner design. Warnings and high fines can quickly land in your letterbox. Annoying!
Mistakes are usually not made out of ill will. The legal requirements for website operators are simply very complex. In addition, in the case of a cookie banner, these complex legal requirements have to be mapped onto the no less complex IT behind websites. This is often only achieved by professionals such as advertising agencies, and even professionals usually only succeed if they deal intensively with these issues or have an in-house expert on the topic.
So that you, as a website operator, don’t have to dig deep into your pocket, we explain in this article what you need to pay attention to when setting up a privacy-compliant cookie notice banner.
Who would have thought it: the first mistake begins with the absence of a cookie banner. Sounds trivial, but it happens more often than you think. Is a cookie notice mandatory? Since the ECJ’s ruling in case C-673/17, consent must be obtained by a so-called opt-in procedure. Such consent is best obtained with a cookie banner, so a cookie banner is generally necessary – unless you do without all non-essential services in the legal sense, which is rarely possible in practice.
✅ So if you want to prevent your wallet from emptying, be sure to include a cookie notice on your website that is compliant with the GDPR and the ePrivacy Directive.
Mistake 2: Dark Patterns and Nudging
Practising dark patterns and nudging methods is never a good idea – and especially not in your cookie notice. These strategies are not only ethically questionable, but can also lead to your cookie banner magically attracting warning letters.
✅ It is therefore better to keep your hands off deceptive methods – such as only displaying the rejection of cookies etc. in a very small and inconspicuous way, in contrast to the “Accept all” button. You must give your visitors the freedom of choice. Users must always have the option of informed consent or rejection.
Mistake 3: Concealing legally relevant sub-pages
One man’s joy is another man’s sorrow: the fact that cookie banners prevent access to a website due to their bouncer character annoys many website visitors. Website operators, however, can use this to obtain users’ consent to the setting of cookies and the processing of personal data.
However, many operators are not aware that legally relevant web pages such as the imprint (depending on the country) and the privacy policy must also be accessible without cookie banners. After all, the website visitor must be able to inform himself in detail before giving consent as to whom exactly he is giving consent to and for what purpose.
✅ It is best to link both pages (and possibly other legally relevant pages) directly in the cookie banner. This way, your visitors have direct access to the respective subpages and you are legally on the safe side.
Mistake 4: No possibility to revoke consent
As a website operator, you are obliged to ensure that your visitors can revoke (or change) their consent at any time. However, this is often not the case. You must also inform your website visitors in the cookie banner that they have the right to change their decision at any time.
✅ Include appropriate options for changing consent on your website (e.g. in the footer or in the privacy policy). This way, your visitors can view their consent at any time and revoke it if necessary.
Unfortunately, far too often you will find a “We use cookies” sentence on websites in connection with an “OK” button. Many website owners assume that they have fulfilled the requirements for a cookie banner. However, this is not the case.
✅ In addition to displaying essential information (see mistake 6), a cookie banner must obtain the informed and active consent of a user. Simply informing the user that cookies are being used without the possibility to refuse or to make individual settings is not allowed.
Mistake 6: The lack of elementary information
What must a cookie banner look like? What does a cookie notice have to say? In order to save you a lot of thought and research work, we have already summarized important aspects on the topic of cookie banner text. Setting up a cookie banner correctly is not magic. However, we can absolutely understand you if you don’t have the leisure to fight your way through bland legal texts written in legalese. This is not only the case for you, but also for many providers of cookie banner generators and plugins – so caution is advised here too. Not every cookie banner (plugin) and generator attaches the greatest importance to legal security. You as the website operator are liable in the end and should therefore always make sure that all requirements have been met.
✅ Important information that should not be missing:
- Information on why cookies are set and personal data are processed
- Information about data processing in third countries outside the EU (e.g. USA) that are considered unsafe from a data protection perspective
- Information about the services used (including third-party services), what data is collected and for what purpose, and which cookies are read and written
- Designation of the persons responsible for the data processing carried out in each case (if this is consented to)
If your website sets cookies before your user has given active and informed consent, you are committing a data protection violation. (Here we go again 🙃) So make sure that all non-essential scripts and cookies are not executed or set until you have the consent of your visitors. Many opt-in cookie banner plugins, e.g. for WordPress, allow you to specify HTML and JavaScript that will only be executed after consent. If you are not sure which cookies your website sets at all, it is best to read our article How to find all services (cookies) on my website. Admittedly: tracking down the cookies and services used is not exactly easy, but you can do it!
✅ It is your responsibility to find all cookies and services on your website and to block them correctly until the user consents to them being loaded, so make sure this is actually enforced. Real Cookie Banner for WordPress helps you to automatically find the services used with a service scanner and block them before consent.
So that you don’t have to ask yourself what cookies actually are and what types of cookies exist, we explain both topics in an easy-to-understand way in two separate articles. Website operators often ask themselves which cookies require consent at all. In short, it is simply a misconception that consent is required to set every cookie.
✅ You (only) need consent for all non-essential cookies (cookies without which the basic technical functionality of your website is not given). These include advertising cookies and tracking cookies such as Google Analytics.
✅ By the way, not only cookies but also the processing of personal data require consent.
A “reject” button in the cookie banner is usually mandatory. In exceptional cases, it is permitted not to use a “reject” button. Example: by default, all non-essential groups are selectable and not preselected. The user can therefore simply reject all cookies via a “Confirm selection only” button (or similar).
✅ Basically, you should install such a button visibly. It must be placed on the first level of your cookie banner in a way that is easy to understand and recognise.
Mistake 10: No age warning
According to Article 8 of the GDPR, consent to services that process personal data and/or set cookies can only be given from the age of 16 (different in some EU countries) or together with a parent or guardian. As a website operator, you are obliged to take appropriate protective measures so that visitors under this age limit only consent together with their legal guardian. How this is supposed to work in practice – 🥁 drum roll – is, of course, left open by the legislator.
✅ In practice, a note in the cookie banner telling children and young people that they may only consent together with their legal guardians is a sensible approach.
You have probably come across the subdivision of cookie groups into Essential, Technical and Marketing at least once. You may also know them under Functional, Other or similar formulations. Even if you have found all cookies, this is of no use if you classify non-essential cookies as essential cookies.
☝️ Remember: Essential cookies – also called technically necessary cookies – are cookies without which your website would not work. Example: the cookie for the login area.
All other cookies can be placed in a suitable other group. For these cookies, however, you almost always need consent!
✅ So question carefully whether a cookie is really essential. Most of the time, the honest answer is: no.
For every cookie, you must not only list its technical name but also describe:
- by whom they are set and for what purpose
- how long they remain on your visitor’s computer
- who the provider is that processes the data
- where the provider’s privacy policy can be found
If you use cookie groups, you must also describe what cookies are in that group. After all, if your visitor agrees to a whole group, they need to know what to expect in that group.
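A small check that encodes the description requirements above, as an added example (not code from the article or from any plugin): every declared cookie must carry the listed details, every consentable group must contain at least one described cookie, and a third-party cookie marked "essential" is flagged for re-checking. The field names and sample cookies are this example's own, constructed for illustration.

```javascript
// Added example: validate a cookie declaration against the article's list.
// Field names (setBy, providerPrivacyPolicy, ...) are assumptions of this example.
const REQUIRED = ['name', 'group', 'setBy', 'purpose', 'duration', 'provider', 'providerPrivacyPolicy'];

// Returns a list of human-readable findings; an empty list means the
// declaration is complete for the given consent groups.
function validateCookieDeclaration(cookies, groups) {
  const findings = [];
  const described = new Set();
  for (const c of cookies) {
    // Each cookie needs: who sets it and why, how long it lives, who the
    // provider is and where the provider's privacy policy can be found.
    for (const f of REQUIRED) {
      if (c[f] === undefined || c[f] === '') findings.push(`${c.name || '?'}: missing "${f}"`);
    }
    if (c.providerPrivacyPolicy && !/^https:\/\//.test(c.providerPrivacyPolicy)) {
      findings.push(`${c.name}: privacy policy must be an https URL`);
    }
    // Heuristic for "would the site work without it?": a cookie set by a
    // third party is rarely essential, so its classification is questioned.
    if (c.group === 'essential' && c.setBy === 'third-party') {
      findings.push(`${c.name}: third-party cookie classified as essential, re-check`);
    }
    if (!groups.includes(c.group)) findings.push(`${c.name}: unknown group "${c.group}"`);
    described.add(c.group);
  }
  // A visitor who consents to a whole group must be able to see what is in it.
  for (const g of groups) {
    if (!described.has(g)) findings.push(`group "${g}" has no cookie description`);
  }
  return findings;
}

// Constructed sample declaration for a site at example.org.
const SAMPLE_GROUPS = ['essential', 'statistics', 'marketing'];
const SAMPLE_COOKIES = [
  { name: 'wp_login', group: 'essential', setBy: 'first-party', purpose: 'keeps the user logged in',
    duration: 'session', provider: 'Site operator', providerPrivacyPolicy: 'https://example.org/privacy' },
  { name: '_ga', group: 'essential', setBy: 'third-party', purpose: 'visitor statistics',
    duration: '2 years', provider: 'Analytics vendor (constructed)', providerPrivacyPolicy: 'http://vendor.example/privacy' },
  { name: 'ad_id', group: 'marketing', setBy: 'third-party' },
];
```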
✅ Read the privacy policy of the services you use or contact their privacy department for all relevant information on data processing and cookies.
Mistake 13: Consents not properly documented
The visitor to your website could always doubt that they have consented to you setting cookies on their computer or mobile device. Because of the burden of proof (simply put, as a website operator you have to “prove” your innocence) according to Art. 15 GDPR, you have to prove that your website visitor has consented. Consequently, the consent must be kept in full for approx. the next 5 years, until a possible criminal offence arising from the possible data protection breach becomes time-barred.
✅ Therefore, when choosing your cookie banner plugin or cookie banner generator, make sure that they fully document consent. Also, make regular backups of your website.
If your visitor revokes consent to one or more cookies, you as the website operator are responsible for ensuring that the corresponding scripts are no longer executed for this user from the time of revocation and that the cookies already set are removed from their computer again (if technically possible).
✅ For this purpose, many opt-in cookie banner plugins for WordPress offer to execute JavaScript. Some can also automatically delete declared cookies. You should definitely use this option!
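How blocking until consent (mistake 7) and clean-up on revocation (this mistake) fit together, as an added example that is not code from the article or from any plugin. It assumes the common convention that blocked scripts are shipped inert as `<script type="text/plain" data-consent-group="...">`, and a declared-cookie format (name, group, domain, path, httpOnly) that is this example's own; the sample cookies are constructed.

```javascript
// Added example: opt-in script gating plus revocation clean-up.
const ESSENTIAL = 'essential';

// Opt-in rule: a script runs only if its group is essential or explicitly
// consented. A missing or undeclared group counts as "no consent".
function scriptsAllowed(consent, scripts) {
  return scripts.filter(s => s.group === ESSENTIAL || consent[s.group] === true);
}

// In a real DOM, replace each allowed inert tag with an executable <script>.
// Returns the number of scripts activated; does nothing outside a browser.
function activateScripts(consent, doc) {
  if (!doc) return 0;
  const inert = [...doc.querySelectorAll('script[type="text/plain"][data-consent-group]')];
  const allowed = scriptsAllowed(consent, inert.map(el => ({ group: el.dataset.consentGroup, el })));
  for (const { el } of allowed) {
    const live = doc.createElement('script');
    if (el.dataset.src) live.src = el.dataset.src; else live.text = el.text;
    el.replaceWith(live);
  }
  return allowed.length;
}

// Revocation: which declared cookies can page JavaScript actually clear?
// Declared domain with a leading dot = domain cookie (deletion must repeat
// Domain=); without = host-only cookie (deletion must omit Domain=).
// Third-party and HttpOnly cookies cannot be deleted client-side ("if
// technically possible") and are reported so the operator can act elsewhere.
function revocationPlan(revokedGroups, declaredCookies, siteHost) {
  const plan = { deletable: [], notDeletable: [] };
  for (const c of declaredCookies) {
    if (!revokedGroups.includes(c.group)) continue;
    const bare = c.domain.replace(/^\./, '');
    const firstParty = c.domain.startsWith('.')
      ? siteHost === bare || siteHost.endsWith('.' + bare)
      : siteHost === bare;
    if (!firstParty || c.httpOnly) {
      plan.notDeletable.push({ name: c.name, reason: !firstParty ? 'third-party domain' : 'HttpOnly' });
      continue;
    }
    const domainAttr = c.domain.startsWith('.') ? `; Domain=${bare}` : '';
    plan.deletable.push(`${c.name}=; Path=${c.path || '/'}${domainAttr}; Expires=Thu, 01 Jan 1970 00:00:00 GMT`);
  }
  return plan;
}

// Apply the plan in a browser and return it so the remainder can be logged.
function applyRevocation(revokedGroups, declaredCookies, doc) {
  if (!doc) return null;
  const plan = revocationPlan(revokedGroups, declaredCookies, doc.location.hostname);
  for (const s of plan.deletable) doc.cookie = s;
  return plan;
}
```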
If you use a cookie banner on your website, you always have to ask yourself two questions:
- From which server are the cookie banner script and the information in the cookie banner downloaded?
- On which server are the consents of your website visitors documented?
There are two types of cookie banners (plugins): some solutions can be installed directly on your server, e.g. in your WordPress. Other solutions, also called cloud cookie banners, are delivered directly from the manufacturer’s server, and consent is documented there. So you don’t have to worry about updates etc. That is practical!
But: By no longer processing the data on your own server, you are setting yourself another legal trap! If a third party company (the cookie consent banner manufacturer) processes data on your behalf, you must ensure that the data is processed in accordance with applicable data protection law. To ensure this, there is a so-called commissioned data processing contract that you must conclude with the commissioned data processor. Many manufacturers already offer standard contracts – but sometimes you have to draw up such a contract yourself.
✅ Decide wisely which cookie banner you use! Do you need a data processing contract? With solutions like Real Cookie Banner, which installs directly in your WordPress, you can save yourself the extra effort!
Many website operators – perhaps even including you – are often simply not aware of the extent of legal requirements and the complexity of a cookie consent banner. But here, too, the following saying hits the nail on the head: ignorance is no excuse.
To avoid the temptation of committing all the mishaps (and more) listed in this article, our Real Cookie Banner WordPress Plugin incl. built-in Service Scanner feature puts an end to the headaches – leaving you more time for the important things in life 😉