EU: The basics of cookie banners

2B Advice
On the Internet, what are know as "cookie banners" can also be found on many websites. But most of the existing banners do not meet the legal requirements for adequate information and effective consent. What are the requirements for this?

In its 8th activity report, the Bavarian State Office for Data Protection Supervision has published a well-founded overview of the requirements for "cookie banners" by which sufficient information and effective consent to the use of cookies is guaranteed:

When opening a website for the first time, the banner should appear, for example, as a separate HTML element. As a rule, this HTML element consists of an overview of all processing operations requiring consent, which can be sufficiently explained by naming the actors involved and their function and can be activated via a selection menu. Activating in this context means that the selection options must not be preset.

The banner first has to block all scripts from a website or web apps that potentially capture user data.

The data processing may only take place if the website visitor has given consent by an active action such as setting a check mark in the banner or the click of a button, e.g. "I agree." The widespread "clicking away" or "scrolling" on a homepage is just not enough!

The controller may and should store the giving of consent from the website visitor so that the "cookie banner" does not reappear on a repeat visit to the website and the consent is secured for evidence purposes.

To fulfill the proof obligations of Art. 7 (1) GDPR, it is incidentally not required pursuant to Art. 11 (1) GDPR that website visitors are identified directly. Indirect identification is sufficient for this.

Consent can be revoked at any time and without stating reasons, so the controller must implement appropriate options for revocation.

Although banners are colloquially called "cookie banners," the term "consent banner" would be more appropriate. In fact, controllers must also ensure that consent is not only obtained for the use of cookies. If, in addition to cookies, other methods are used to track website visitors, such as, tracking pixels or canvas fingerprinting, consent must also be obtained for these methods. This would ideally take place by extending the consent on the "cookie banner."

Photo: © svyacheslav -

Further information:

Rating: 4.5 (2)
Wildcard SSL Certificates

© 2003 - 2019 | 2B Advice GmbH - the privacy benchmark | Company Registration No.: Bonn HRB 12713
Joseph-Schumpeter-Allee 25 | D-53227 Bonn | Germany | 
Phone +49 228 926165-100 | Fax_+49 228 926165-109 | Email 
No responsibility for the accuracy of the information. Please also note: Privacy Notice | Legals
2B Advice GmbH Italy | 2B Advice LLC USA | 2B Advice s.r.o.Slovakia
United States of America | Slovakia | Germany |
Bonn | Berlin | München | San Diego | Brezno | Verona | Vienna