How can you tell a good cookie consent tool?
The market for cookie consent tools has become very large. Internationally, providers are springing up everywhere and promising to solve the cookie problem. How can you tell which tool is suitable for your own website or that of your customers and which is not? How can you recognize a good cookie consent tool?
What does a cookie consent tool have to do? To help you decide, we have compiled the most important points for you. Compare for yourself: for orientation, you will find an Excel table at the end of the page. Tick off the most important points if you are still looking for your favourite tool.
1. Store data in compliance with the GDPR
The first and most sensitive point: the data that the cookie consent tool provider gets to see essentially covers the browsing history across your entire site. Since the script necessarily has to be included, the provider may gain extremely deep insight into your website's performance. The provider of your future cookie consent tool should therefore only store the data on servers that
- are located within the scope of the GDPR, preferably in Germany
- are not hosted with one of the big cloud providers operated by companies from the USA
The background is as follows:
Since the ECJ ruling of 16.07.2020, it is clear that the so-called Privacy Shield is ineffective. The transfer of personal data to the USA is no longer legally compliant under this shield. This simply means that "most US service providers may not be used" (https://www.tigges.legal/jus-letter-datenschutz-eu-us-privacy-shield-unwirksam.html).
In addition, the so-called Cloud Act (https://www.heise.de/select/ix/2018/7/1530927567503187) allows US authorities to access stored data even if the storage does not take place in the US at all. In other words, even if the servers of the American cloud providers are located in Germany, there is still potential access by the US authorities.
Taken together, it currently appears impossible to store personal data such as consent data directly on servers of US providers.
2. Documentation obligation must be fulfilled.
The GDPR imposes a documentation obligation for the storage of the consent(s) given. As a website operator, you must be able to prove at any time that visitor X has given consent Y. Ideally, this is recorded in a searchable log file, so that the operator can verify the consent at any time.
Article 5 (2) of the GDPR defines "accountability". Controllers must be able to demonstrate compliance with certain data protection principles for which they are responsible. Art. 24 (1) GDPR specifies that data controllers are obliged to provide evidence that data processing is carried out in compliance with the GDPR.
Unfortunately, this means that many simple cookie banner scripts fall by the wayside: A corresponding log file that is appropriately anonymized and can only be de-anonymized at the moment of the request with the help of the requestor is usually not available.
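One way to build such a log, shown as an added example (not code from the original page or from any particular consent tool): the browser keeps a random consent ID and the log stores only its hash, so an entry can be matched to a visitor only when that visitor presents the ID. `ConsentLog`, `newConsentId`, `logKey` and the choice categories are assumptions made for illustration.

```javascript
// Added example: pseudonymous, append-only consent log (names are assumptions).
const crypto = require("node:crypto");

// The browser keeps this random ID; the server never stores it in clear.
function newConsentId() {
  return crypto.randomBytes(16).toString("hex");
}

// Log key = SHA-256 of the visitor-held ID. With 128 random bits the hash
// cannot be guessed or reversed, so the log alone identifies nobody.
function logKey(consentId) {
  return crypto.createHash("sha256").update(consentId, "utf8").digest("hex");
}

class ConsentLog {
  constructor() {
    this.entries = [];
  }

  // Append-only: a change or revocation is a new entry, never an overwrite,
  // so the full history of "visitor X gave consent Y" stays provable.
  record(consentId, choices, at = new Date()) {
    const entry = Object.freeze({
      key: logKey(consentId),
      at: at.toISOString(),
      choices: Object.freeze({ ...choices }),
    });
    this.entries.push(entry);
    return entry;
  }

  // De-anonymisation needs the requestor: only their ID yields the key.
  history(consentId) {
    const key = logKey(consentId);
    return this.entries.filter((e) => e.key === key);
  }

  // Current state is the latest entry; no entry means no consent at all.
  current(consentId) {
    const h = this.history(consentId);
    return h.length ? h[h.length - 1].choices : null;
  }
}
```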
3. Easy to change or revoke
The cookie consent tool must offer visitors the option to change or revoke their current consent, and to do so just as easily as they gave it. Ideally, a button is already provided for this in your Cookie Manager, which you can simply have displayed. This should then open the consent mask again at the touch of a button.
This is another point where many simple cookie scripts fail: They do not offer visitors the option to subsequently change or delete the consent given. This only works if the data is correctly stored in the visitor's browser and on the server (see point 2). Therefore, when making your decision, pay attention to whether the tool in your comparison list fulfils this function.
4. Sufficient description and detailed information
The GDPR stipulates that your visitors must be able to make an informed decision. This means that you, as a website operator, are obliged to provide as exhaustive information as possible about every cookie, every script and every integration of other data used.
For this purpose, here is a comparison between a consent mask that provides information and one that says nothing at all about the use of the data. It should be obvious which of the masks can be used as a basis for an informed decision and which cannot. On the left the simple mask, on the right the detailed one.
5. Tag manager functionality, not only blocking
There are still many cookie tools, especially older ones, that do not block or disable the scripts used on your site at all - these are ruled out because they are completely unsuitable for current law. You can detect this by running your site through an online scanner. If any abnormalities are still reported, your Cookie Consent Tool is not working correctly.
A particularly important feature that many other providers do not offer is use as a tag manager. This means, for example, that you do not enter your tracking or other scripts in the page, but directly via the Cookie Consent Tool. This is because, as a matter of principle, pages must be built to minimize data. This means that as long as there is no valid consent, no cookie may be set and no tracking script may be loaded.
If, for example, the consent screen is not displayed or cannot be displayed and the tracking or other scripts start without consent, this is exactly what the law wants to prevent. For this reason, the scripts should not be blocked, but should only be included once consent has been granted for them.
Unfortunately, this can often only be achieved with great effort or not at all, especially with modular systems. Therefore, many use the blocking principle as a stopgap solution. As long as you have full control over your site, you should rely on the tag manager principle (this does not mean Google Tag Manager).
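The tag manager principle described above, as an added example that is not part of the original page or of any specific product: tags are registered with the consent tool rather than written into the page, so if the consent mask never appears, nothing is loaded. `createTagManager`, the category names and the `.example` URLs are assumptions for illustration.

```javascript
// Added example of the "tag manager principle"; createTagManager, the
// category names and the .example URLs are assumptions for illustration.
// `doc` is the page's `document`, passed in so the logic is testable.
function createTagManager(doc) {
  const tags = [];           // registered tags: { id, category, src }
  const loaded = new Map();  // id -> <script> element currently in the page
  let granted = new Set();   // fail closed: no category granted by default

  // Bring the page in line with the current consent state.
  function sync() {
    for (const tag of tags) {
      const allowed = granted.has(tag.category);
      if (allowed && !loaded.has(tag.id)) {
        const el = doc.createElement("script");
        el.src = tag.src;
        el.async = true;
        doc.head.appendChild(el);
        loaded.set(tag.id, el);
      } else if (!allowed && loaded.has(tag.id)) {
        // Revocation: the tag is no longer included. Code that has already
        // run stays active until the next page load.
        loaded.get(tag.id).remove();
        loaded.delete(tag.id);
      }
    }
    return [...loaded.keys()];
  }

  return {
    // Tags go here instead of into the page markup.
    register(id, category, src) {
      tags.push({ id, category, src });
      return sync();
    },
    // Called by the consent mask with the categories the visitor accepted.
    setConsent(categories) {
      granted = new Set(categories);
      return sync();
    },
  };
}
```

In a browser this would be created once with `createTagManager(document)`; after a revocation the page should be reloaded so that scripts which already ran are gone as well.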
If problems occur - and with complex sites this can happen from time to time, especially in connection with individual scripts and solutions - you need support that helps you, speaks your language and can actually be reached by phone. Therefore, check in advance whether such support is available.
And check whether you can simply deactivate the Consent mask at the push of a button if problems arise at times when no support is available!
7. Download version - On-Premise option
If you run your website yourself and do not rely on a modular system, then you usually also have the option to install additional software products on your hosting account or server.
If this is the case, you should also use this option and run the cookie consent tool of your choice locally! This way, all of your data stays on your server and you retain full control over all of it.
Check which cookie consent tool gives you the option to install it on your own server as well. Minor spoiler: There are very few!
The last and of course not insignificant factor of your decision for a cookie consent tool is the price. Free is of course always the best at this point - but free is usually not free after all. For example, you have to calculate time for it: For the integration, the setup, the test of your site and all functionalities.
This can quickly add up to hours if you have to adapt program scripts, laboriously fiddle with templates, possibly have to call in the agency again, which results in additional costs, and so on.
When buying, make sure that such a solution is possible.