Mandatory cookie banner: requirements and implementation of the GDPR on your website

The use of cookies is important for website operators in order to optimize the user experience and improve user interaction on the website.

However, the use of cookies also leads to the obligation to comply with the data protection provisions of the GDPR.

In this article, we will inform you about which types of cookies require explicit consent, how to design a legally compliant cookie banner and what legal consequences may arise if these requirements are not met.

Our aim is to give you practical tips on how you can operate your website in compliance with the GDPR.


What are website cookies?

When you visit a website, small text files called cookies are stored on your computer or mobile device. They make it possible to store information about your activities and settings from a page so that analysis tools and other functions can work properly.

Cookies enable, for example, the personalization of content and the performance of analyses that help to improve user-friendliness.

However, the use of cookies that are not technically necessary requires special attention in terms of data protection. In order to understand which cookies are technically necessary and which are not, we provide a brief overview of the types of cookies below:

  • Session cookies: Temporary cookies that are only stored while you are visiting a website and are deleted afterwards. They help, for example, to save items in the shopping cart.
  • Persistent cookies: These remain stored on the user's device even after the browser is closed. They save settings and preferences across multiple visits.
  • First party cookies: These are set directly by the website visited and improve functionality by remembering user settings.
  • Third party cookies: These are set by domains other than the visited website, often by advertising providers, to track surfing behavior and display personalized advertising.

Cookies that are not technically necessary may only be set with the consent of the website visitor.

 

Is a cookie banner mandatory for a website?

If your website uses cookies that are not technically necessary, there is indeed a cookie banner obligation.

The exact regulations are laid down in the data protection laws of the European Union, in particular in the GDPR (General Data Protection Regulation) and the TDDDG (Telecommunications Digital Services Data Protection Act).

These laws require that website operators inform their visitors transparently about the use of cookies and obtain their consent before cookies are stored on the user's device.


Explanation of the cookie banner obligation pursuant to GDPR and TDDDG

According to the GDPR, website operators must:

  • Ensure transparency: Visitors must be clearly and comprehensively informed about which cookies are set and for what purpose.
  • Obtain consent: The active consent of users must be obtained before setting non-essential cookies (e.g. for tracking or advertising). This means that no such cookies may be set before confirmation.
  • Use the opt-in procedure: Consent must be given through a deliberate action by the user, which means that preset consents are not permitted. An example of preset consent would be an already ticked box in the cookie banner, which the user would have to actively deselect. Instead, the user must check the box themselves to give their consent.
  • Offer a right of withdrawal: Users must be able to withdraw their consent at any time.

The TDDDG supplements the GDPR and specifies that the storage of information on a user's device is only permitted if the user has been informed and has given their consent.

 

What are the consequences of not complying with the cookie banner obligation?

Non-compliance with the cookie regulations can have considerable consequences:

  • Fines: Violations of the GDPR can be punished with severe fines of up to €20 million or 4% of the company's annual global turnover.
  • Legal measures: Users and data protection authorities can take legal action against the website operator.
  • Loss of trust: The handling of user data has a direct impact on user trust in the website. Failure to comply with data protection regulations can lead to a considerable loss of trust and damage the company's reputation.

Complying with the cookie banner requirements is therefore not only legally required; it also contributes significantly to building trust and to the legal security of websites.

Relevant case law and rulings on the cookie banner obligation

Various court rulings at national and European level have further specified the requirements for the cookie banner obligation. Important rulings include:

Do all cookies require consent?

Not all cookies require the consent of website visitors. There are certain types of cookies that may be set without prior consent.

Below we clarify which cookies require consent and which do not.

Explanation of the consent requirement for cookies

According to the GDPR and the TDDDG, website operators must obtain the consent of users before setting cookies that are not strictly necessary for the functioning of the website.

These cookies typically include those used for marketing or tracking purposes. Consent must be explicit and informed. This means that users must be clearly informed about what data is being collected and for what purpose.


Which cookies do not require consent?

There are some types of cookies that do not require consent from the website visitor because they are considered technically necessary.

Technically necessary cookies

Technically necessary cookies are essential for the operation of a website. They enable basic functions such as page navigation and access to secure areas of a website. Without technically necessary cookies, a website would not function properly.

Examples of technically necessary cookies are:

  • Session cookies: These cookies are necessary for a website to operate correctly. They store temporary information that is required to enable the user to navigate through the pages and use certain functions (e.g. saving items in the shopping cart).
  • Authentication cookies: These cookies are used to identify users when they log in to the website. They are necessary to ensure that only authorized users can access protected areas.
  • User input cookies: These cookies store user input to enable or facilitate functions such as form processing.
  • Security cookies: These cookies are necessary to ensure the security of the website by preventing misuse and fraud.
  • Preference cookies: These cookies store the user's settings, such as the preferred language or display options, to improve the user experience.

Technically non-essential cookies require consent

Technically unnecessary cookies are not essential for the operation of the website and are mainly used for analysis, marketing and tracking purposes.

These cookies help website operators to understand how users interact with the website and enable targeted advertising to be displayed.

Examples of technically unnecessary cookies are:

  • Cookies for web analytics tools: These cookies from web analytics tools, such as Google Analytics, collect data about website usage to improve performance and analyze user behavior.
  • Advertising cookies: These cookies are used to display relevant advertisements to users and measure the effectiveness of advertising campaigns.
  • Social media cookies: These cookies enable the integration of social media functions and the sharing of content on social media platforms.


What should a GDPR-compliant cookie banner look like?

A well-designed cookie consent banner is crucial to meet the legal requirements while providing a positive user experience.

Below we provide you with the necessary elements, design tips and examples of effective cookie consent banners.

Necessary elements of a cookie consent banner

A cookie consent banner should contain the following elements:

  • Clear indication of the use of cookies: The banner must inform users that cookies are used and explain the purpose of these cookies.
  • Consent options: There should be options for users to give or deny consent. This can be done using buttons such as "Accept" or "Decline".
  • Decline button: A button that allows users to decline the use of non-essential cookies is mandatory. Rejecting cookies must also not be more complicated than accepting them. Both accepting and rejecting must be possible with a single click.
  • Detailed information: A link to a detailed cookie policy or privacy policy that provides further details about the types of cookies and how they are used.
  • Preference settings: A way for users to customize their cookie settings, e.g. what types of cookies they want to accept (technically necessary, marketing, analytics, etc.).
  • Clear action: A clear call to action, e.g. "Accept" or "Customize settings", so that the user can easily make an informed decision.

Design tips for the cookie banner for user-friendliness and GDPR compliance

To ensure that the cookie consent banner is user-friendly and GDPR-compliant, the following tips should be observed:

  • Clear and simple language: Avoid technical or legal terms. The text should be easy to understand.
  • Eye-catching design: The banner should be eye-catching but not distracting. Use colors and contrasts that make it easily visible.
  • Responsive design: Make sure that the banner is appealing and functional on all devices and screen sizes.
  • Ease of use: Users should be able to set their preferences with just a few clicks.
  • Transparency and openness: Provide clear information about why and how cookies are used. This promotes user trust.

Cookies and Google Ads/Google Analytics

The use of Google Ads and Google Analytics on your website requires special attention in terms of compliance with data protection regulations and the cookie banner obligation.

Special requirements for Google Ads and Google Analytics

Google Ads and Google Analytics use cookies for user behavior analysis and targeted advertising. Users must be fully informed about the processing of their data by these services and give their express consent before tracking and marketing cookies may be set.

This consent is required in particular in accordance with the provisions of the GDPR and the TDDDG. Furthermore, information on the transfer of data to Google and third parties must be disclosed.

Users also have the right to withdraw their consent at any time and to deactivate the use of Google Analytics.

How do I know if my website uses cookies?

Resources can be filtered in the developer tools.

You can find out if your website uses cookies by using your web browser's developer tools.

You can also use tools such as CCM19's cookie scanner to automatically check your website for cookies.
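An added example (not CCM19's scanner and not code from this article) that applies the cookie types listed earlier to the check described above: it parses `Set-Cookie` headers recorded on a first page load, before any banner interaction, and classifies each cookie by lifetime and by party. The hosts, cookie values and the `NECESSARY` allowlist are constructed assumptions.

```javascript
// Constructed sample: Set-Cookie headers recorded on the first page load,
// before the visitor clicked anything in the banner. All names are made up.
const PAGE_HOST = "shop.example";
const SAMPLE = [
  { host: "shop.example", header: "PHPSESSID=abc123; Path=/; HttpOnly; Secure" },
  { host: "shop.example", header: "lang=de; Max-Age=31536000; Path=/" },
  { host: "shop.example", header: "_ga=GA1.2.1.2; Domain=.shop.example; Expires=Wed, 01 Jan 2035 00:00:00 GMT" },
  { host: "ads.tracker.example", header: "uid=xyz; Max-Age=7776000; Secure; SameSite=None" },
];
// Assumption: the operator's own allowlist of technically necessary cookies.
const NECESSARY = new Set(["PHPSESSID", "lang"]);

function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? "" : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Persistent = outlives the browser session (positive Max-Age or future Expires).
function lifetime(attrs, now = Date.now()) {
  if ("max-age" in attrs) return Number(attrs["max-age"]) > 0 ? "persistent" : "expired";
  if ("expires" in attrs) return Date.parse(attrs.expires) > now ? "persistent" : "expired";
  return "session";
}

// Simplified host comparison; a real audit would use the Public Suffix List.
function party(setByHost, attrs, pageHost) {
  const d = (attrs.domain || setByHost).replace(/^\./, "").toLowerCase();
  const related = (a, b) => a === b || a.endsWith("." + b);
  return related(pageHost, d) || related(d, pageHost) ? "first" : "third";
}

function auditPreConsent(responses, pageHost = PAGE_HOST) {
  return responses.map(({ host, header }) => {
    const c = parseSetCookie(header);
    return {
      name: c.name,
      lifetime: lifetime(c.attrs),
      party: party(host, c.attrs, pageHost),
      // Anything outside the allowlist was stored before consent was given.
      needsReview: !NECESSARY.has(c.name),
    };
  });
}

console.table(auditPreConsent(SAMPLE));
```

Rows with `needsReview: true` are cookies that were stored before the visitor made a choice and are not on the operator's list of technically necessary cookies.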

 

What does a cookie banner cost?

The cost of a cookie banner varies depending on the provider and the range of functions. Some tools offer free basic versions, while extended functions and larger usage packages are subject to a charge.

For example, CCM19 offers a permanent free plan for up to 5,000 monthly impressions. For more impressions, additional domains or more functions, a suitable fee-based tariff must be selected.

How to create a cookie banner for your website

Step 1: Sign up for a free CCM19 account

Step 2: Enter domain and scan

  • After your first login, you will be guided through the onboarding process.
  • Enter your domain and have it scanned for cookies and scripts.

Step 3: Generate and insert the embed code

  • Check the scan results and adjust the entries.
  • At the end of the onboarding process, you will receive an embed code.
  • Copy the code and paste it into the header area of your website.


When do you need which tariff? (with practical examples)

CCM19 offers various tariffs that are tailored to the different needs and requirements of websites. Here is an overview of the most important packages and their functions:

1. Free package (€0.00):

  • 1 domain
  • 5,000 impressions / month
  • 2 languages (DE/EN)
  • Standard features: Automatic updates, cookie table for the privacy policy, permanent scanner, templates for cookies
  • TDDDG-, GDPR-, CCPA-, CH DSG-, BDSG-, LGPD- and POPIA-compliant

2. Starter package (€7.90 per month):

  • 2 domains
  • 20,000 impressions / month
  • All functions of the Free tariff
  • Own logo, own languages
  • Iframe blocking (e.g. YouTube, Google Maps)
  • Multi domain support
  • Standard support by e-mail

3. Business package (€19.90 per month):

  • 5 domains
  • 100,000 impressions / month
  • All functions of the Free and Starter tariffs
  • Any number of users, group and rights management
  • 24+ languages, individual CSS for widgets and iframes
  • Graphical analysis of content data, A/B tests
  • Google reCAPTCHA, GDPR-compliant, consent sharing across (sub)domains
  • Prioritized support by email and phone

Practical examples: Which package suits which website?

1. Small website (e.g. personal blog):

  • Recommended package: Free plan
  • Requirements: One domain, limited views (up to 5,000 impressions/month).
  • Example: For a personal blog with low traffic and without complex integrations, the Free package is sufficient. It offers all the basic functions to fulfill the cookie banner obligation.

2. Small companies or associations (e.g. blogs, local stores & service providers):

  • Recommended package: Starter plan
  • Requirements: Up to 2 domains, medium traffic (up to 20,000 impressions/month).
  • Integration of iFrames such as YouTube or Google Maps.
  • Example: A medium-sized online store that integrates videos and maps will benefit from the Starter package, which offers advanced customization options and multi-domain support.

3. Large websites or e-commerce platforms (e.g. online store):

  • Recommended package: Business plan
  • Requirements: Multiple domains (up to 100), high traffic (up to 5 million impressions/month), advanced data protection and analysis tools, any number of users.
  • Example: A large corporation with several international websites and high data protection requirements needs the Business package, which offers comprehensive customization options, detailed analyses and prioritized support.

By choosing the right package for your specific needs, you can ensure that your website complies with the cookie banner obligation and respects the privacy of your users.


Conclusion: Cookie banner obligation

Compliance with the cookie banner obligation is crucial for data protection and the trust of your website visitors. By using an effective consent tool like CCM19, you can ensure that you comply with legal requirements while providing a positive user experience.

By choosing the right CCM19 package for your website, whether for a small personal site, a medium-sized e-commerce platform or a large corporation, you can ensure the privacy of your users and manage consent efficiently.

Follow the best practices mentioned in this text to make your website both privacy-compliant and user-friendly.
