What do I need consents for?

Tools commonly known as “cookie banners” are, if they comply with the legal requirements of the EU, actually Consent Management Platforms (CMPs). In practical terms, they manage not only consent for cookies, but also consent for additional data processing and its purposes. Cookies and this additional data processing are usually so closely linked that one does not exist without the other. In this article, we explain the legal background in a simplified form.

We must point out that the following statements do not constitute legal advice. We can only offer assessments based on our intensive practical experience with the EU legal regulations, together with a technical assessment of the situation.

What rights are applicable?

Real Cookie Banner offers you a solution to comply with the following important legislation in the EU. Our solution is legally fully designed for the EU and its countries. However, other regulations such as the CCPA are often less strict on the subject of cookies, which means that Real Cookie Banner can be a suitable solution here as well.

  • ePrivacy Directive: According to the ePrivacy Directive, you need the consent of your visitors to set non-essential cookies. In simple terms, non-essential cookies are all cookies without which your website would still function in some way. It doesn’t have to be pretty or comfortable (e.g. you could avoid contact forms with cookies and write out your email address as text instead). You must point out essential cookies (e.g. in the privacy policy), but you do not need consent for them. (See Directive 2009/136/EC, Recital 66.)
  • Art. 6 GDPR: To process personal data (e.g. in your WordPress or by sharing it with YouTube via an embedded video) you need a legal justification. In many cases, only consent is an option. In the European Union the IP address, which must always be transmitted to load content on the Internet, qualifies as personal data (see ECJ ruling dated 19 October 2016, Case C‑582/14). In practical terms, this means that you need the informed consent of your visitors before, for example, loading a YouTube video on your website and therefore passing on data of your visitors.
  • Art. 49 (1) (a) GDPR: Through the Judgement “Schrems II” of July 16, 2020 (Case C-311/18) the ECJ has declared the Commission’s Implementing Decision on the adequacy of the EU-US Privacy Shield invalid. This effectively means that the USA is considered an insecure third country under data protection law. Therefore, to protect individuals covered by the GDPR, their personal data generally may not be transferred to or processed in the USA. However, consent for an exception may be obtained in some circumstances.

What does this legislation mean in practice?

Applied in practice, for example, embedding a YouTube video has the following legal consequences:

  • Setting and reading cookies: When and after the YouTube video (more specifically, the iframe in which the YouTube video is located) has been loaded, the scripts of YouTube and Google can set cookies. They can also read cookies that were set, for example, when the user previously logged in to youtube.com. This is especially in the interest of such platforms when the user is logged into their account, because the video can then, for example, be added to the user's history of watched videos, and this information can ultimately be used for commercial purposes. For the setting or reading of non-essential cookies, you as the website operator must obtain consent if you are responsible for the video being loaded in the first place (without the prior knowledge of your visitor).
  • Processing of personal data: When loading the YouTube video, the IP address of your visitor must necessarily be transmitted to YouTube or Google, so that the video player and later, if necessary, the video can be loaded. Even if Google does not store the IP address or evaluate it for marketing purposes, the IP address is usually processed in the web server, the logs, etc. of the Google servers. Whether there is a justification for processing this personal data other than consent depends on the individual case. However, in our legal opinion, consent is the only possible justification in the vast majority of cases.
  • US data processing: The prohibition on processing data in the USA is very impractical, as many services on the Internet come from the USA or have their servers located there. However, according to Art. 49 (1) (a) GDPR, consent can be obtained from website visitors for one-time and multiple processing of data in the USA. Consent to regular processing of data in the USA cannot be obtained in this way. Thus, at least some of the practical services from the USA can still be used if the website visitor consents to this.

We hope that this (brief) explanation of the most important basics has shown that there is more to a cookie banner than just finding technical cookies. To be privacy-compliant, additional consents must be obtained beyond cookies. In addition, legal considerations must be made, which can often only be made by a human being.

How do I find everything on my website for which I need consent?

You now know, in theory, what you should obtain consents for. We have also explained what this legislation can look like in practice. The next step is to apply it to your own website.

In the separate article “How do I find all services (cookies) on my website?” we explain exactly how you can proceed: how to find all services on your website and how to add them to Real Cookie Banner.
