Tools commonly known as “cookie banners” are, if they comply with the legal requirements of the EU, actually Consent Management Platforms (CMPs). In practical terms, they manage not only consent for cookies, but also consent for additional data processing and its purposes. Cookies and this additional data processing are usually so closely linked that one does not exist without the other. In this article, we explain the legal background in a simplified form.
What rights are applicable?
Real Cookie Banner offers you a solution to comply with the following important legislation in the EU. Our solution is legally fully designed for the EU and its countries. However, other regulations such as the CCPA are often less strict on the subject of cookies, which means that Real Cookie Banner can be a suitable solution here as well.
- Art. 6 GDPR: To process personal data (e.g. in your WordPress or by sharing it with YouTube via an embedded video) you need a legal justification. In many cases, only consent is an option. In the European Union the IP address, which must always be transmitted to load content on the Internet, qualifies as personal data (see ECJ ruling dated 19 October 2016, Case C‑582/14). In practical terms, this means that you need the informed consent of your visitors before, for example, loading a YouTube video on your website and therefore passing on data of your visitors.
- Art. 49 (1) (a) GDPR: In order to protect individuals covered by the GDPR, their personal data may generally not be transferred to or processed in insecure third countries. However, consent for an exception may be obtained under certain circumstances. The EU’s new adequacy decision has now significantly simplified data transfers to the USA. This means that the USA is once again considered a safe third country and therefore consent pursuant to Art. 49 (1) lit. a GDPR is no longer required.
What does this legislation mean in practice?
Applied in practice, for example, embedding a YouTube video has the following legal consequences:
- Setting and reading cookies: Once the YouTube video (more specifically, the iframe in which the YouTube video is located) has been loaded, the scripts of YouTube and Google can set cookies. They can also read cookies that were set, for example, when the user previously logged in to youtube.com. This is especially in the interest of such platforms if the user is logged into their account, because the platform can then, for example, add the video to the history of videos watched by the user and ultimately use this information for commercial purposes. For the setting or reading of non-essential cookies, you as the website operator must obtain consent if you are responsible for the video being loaded in the first place (without the prior knowledge of your visitor).
- Processing of personal data: When loading the YouTube video, the IP address of your visitor must necessarily be transmitted to YouTube or Google so that the video player and later, if necessary, the video can be loaded. Even if Google does not store the IP address or evaluate it for marketing purposes, the IP address is usually processed in the web server, the logs, etc. of the Google servers. Whether there is a justification for processing this personal data other than consent depends on the individual case. However, in our legal opinion, consent is the only possible justification in the vast majority of cases.
- Data processing in insecure third countries: The prohibition on processing personal data in insecure third countries is very impractical, as many services on the internet come from such countries or their servers are located there. However, according to Art. 49 (1) (a) GDPR, consent can be obtained from website visitors for one-off and multiple processing of data in insecure third countries. Consent for regular processing of data in insecure third countries cannot be obtained in this way. Nevertheless, this means that at least some of the practical services from insecure third countries can still be used if the website visitor consents to this.
We hope that this (brief) explanation of the most important basics has shown that there is more to a cookie banner than just finding technical cookies. To be privacy-compliant, additional consents must be obtained beyond cookies. In addition, legal considerations must be made, which can often be made by a human being.
How do I find everything on my website for which I need consent?
You now know, in theory, what you should obtain consents for. We have also explained how this legislation can look in practice. However, you should now be able to apply the legislation to your own website.
In the separate article “How do I find all services (cookies) on my website?”, we explain exactly how you can proceed. There, we explain in detail how to find all services on your website and how to add them to Real Cookie Banner.