How must cookie banners be designed? – Decision of the Higher Regional Court of Cologne, judgement of 19.01.2024, ref. 6 U 80/23
“Cookie banners” or so-called cookie consent tools are primarily used to obtain the necessary consent from users of a service before cookies are stored on their devices. These small pieces of data can be useful for website operators in many ways, for example to analyse user behaviour, provide personalised experiences and ultimately improve the user-friendliness of their websites. The need for cookie banners arises from the Telecommunications Telemedia Data Protection Act (TTDSG), as well as the General Data Protection Regulation (GDPR).
The GDPR requires website operators to be transparent about how they collect and otherwise process personal data. Likewise, if the data processing cannot be based on another legal basis, consent must be obtained. The prior consent of users would be required, especially when accessing information that is available on the user’s device or in the event that information is stored on the user’s device that is not “strictly necessary” for the operation of the website. According to the GDPR, users must be able to give, refuse or withdraw their consent on the basis of sufficient information without consequences.
By including a cookie banner, website operators ensure that they respect the privacy of their users and comply with legal requirements. This not only creates trust among visitors, but also avoids potential legal consequences for the operators. However, not all cookie banners automatically comply with legal requirements. The design of these banners also plays a decisive role. In its decision of 19 January 2024, the Higher Regional Court of Cologne recently ruled on when a cookie banner is unlawful.
General regulations for cookie banners
Cookie banners must fulfil certain legal regulations and requirements in order to guarantee the data protection and privacy of users on the internet. These requirements are also derived from the provisions of the GDPR for effective consent within the scope of § 25 TTDSG.
This means that cookie banners must provide clear and comprehensible information about which cookies are set and for what purpose. This includes information on whether cookies are absolutely necessary for the provision of the website and its functionalities or whether they are used for other purposes, such as the analysis of user behaviour, the personalisation of content or for advertising purposes. Users must also actively and voluntarily give their consent to the use of cookies. This means that no cookies may be loaded before the user has given their consent, except those that are absolutely necessary.
Cookie banners must therefore make a clear distinction between strictly necessary cookies and optional cookies. Necessary cookies are those that are required for the basic functionality of the website. Optional cookies, on the other hand, are e.g. tracking and analysis cookies. Users must be able to customise their preferences regarding the various cookie categories. A blanket consent or rejection of all cookies does not fulfil this requirement.
Judgement of the Higher Regional Court of Cologne of 19.01.2024, Ref.6 U 80/23
Website operators generally have an interest in ensuring that the user also consents to the use of optional cookies. In practice, this often leads to banner designs that aim to influence the user’s perception and behaviour through habituation or complicated decision-making processes (“dark patterns”). An example of this is the design of consent buttons in bright colours, while the “decline” button is inconspicuously highlighted in grey (so-called “nuding”). The extent to which such design decisions are permissible or restrict the free choice of the user cannot be answered in general terms. In principle, website operators are free to design their cookie banners as long as they do not conflict with the requirements for effective consent.
In the aforementioned decision, the Higher Regional Court of Cologne ruled on the design of an unlawful cookie banner. The following decision can therefore provide guidance on the issues mentioned above.
Facts of the matter
The defendant website operator set optional cookies on its website and obtained the corresponding consent via a cookie banner. There were two buttons on the first page of the banner: An “Accept” button with a blue background and a greyed-out “Settings” button. There was also a cross in the top right-hand corner that could be used to close the banner. Next to this cross was the text: “Accept and close”.
Decision regarding cookie banners
In the opinion of the Higher Regional Court of Cologne, the cookie banner on the defendant’s website did not comply with the legal requirements of the legislator. In particular, the court criticised the fact that the cookie banner was not transparent enough. In particular, the option to choose between “Accept” and “Settings” was considered insufficient for genuine consent within the meaning of the data protection regulations. Users are not offered an option to refuse consent that is equivalent to giving consent. This unlawfully influences the voluntary nature of consent. The design of the banner meant that users who wanted to reject cookies were inconveniently led to another menu. In this case, the “Accept” option immediately caught the eye with its striking blue colouring, while options to reject were kept in an inconspicuous grey. In the further menu, consent options were also highlighted in colour, while unwanted cookies had to be switched off manually. In addition, the X labelled “Accept and save” in the top right-hand corner falsely suggested the option to reject.
The Higher Regional Court of Cologne therefore ruled that the design choice in question, in particular the “Accept & Close” button in the top right-hand corner, violated the principles of transparency and voluntary consent, meaning that it was not possible to obtain effective consent from users.
Outlook and Conclusion
This case illustrates that the way in which consent options are presented can have a significant impact on user decision-making. Websites that do not design their cookie banners in accordance with legal requirements not only risk legal consequences, but can also lose the trust of their users.
It is essential for website operators to take data protection regulations seriously and to use user-friendly cookie banners with real choices to protect themselves from warnings or regulatory action. With constantly evolving case law and technologies, it is crucial to keep an eye on current trends and judgements in the field of data protection. Finding the balance between user-friendliness and legal requirements will remain an ongoing challenge. For advice in individual cases, please contact our lawyers at LLP Law|Patent in Munich.
Richard Metz | Rechtsanwalt (Lawyer), Authorized External Data Protection Officer (TÜV Certified)
Mr. Metz is your point of contact for legal issues concerning data protection. He will support you, in particular, with the appropriate data protection when introducing new products, with the preparation and examination of the appropriate data protection of contracts and documents or the legal examination and evaluation of data processing procedures or cross-border data protection issues. A further focus of his work is on copyright law and competition law.
Mr. Metz is also an external data protection officer (TÜV-certified) for nationally and internationally operating medium-sized IT companies and start-ups.
