Step by step to consent: This is how it works!

on 12.12.2019 by Dr. Ramona Greiner, Dr. Thomas Helbing

FELD M consults numerous companies on the development and implementation of their cookie strategy in web tracking. What strikes us is that most companies have the same difficulties and challenges. Often the legal departments have very good knowledge of what is allowed and what is not. However, the task of integrating the solutions on the company’s websites in compliance with data protection laws appears daunting. Often companies do not know where to start and what an ideal typical procedure would look like. That’s why we’ve decided to give you a step-by-step instruction on how you can work your way up to compliance. Our specialist lawyer for IT law, Dr. Thomas Helbing (www.thomashelbing.com), supported us in this.

 

Four steps towards compliant cookie-consent

1) Capturing of all cookies

First you need to know which cookies you have embedded on your website. There are free “cookie crawlers” available, which generate a list of all cookies embedded on your website. If you already have a Consent Management System in place, it often offers a cookie crawling function as well.
If you now have a full list of all your cookies, you should enter or supplement the following information – we can also help you here.

  • Technical identification of the cookie (e.g. “session_id”)
  • Explanation of the purpose of use (e.g. “session administration”, “login/authentication in the customer menu”, “data security”, “load balancing”, “storage of the desired font size”)
  • Description of the content stored in the cookie (e.g. “selected language”, “session ID”, “name, e-mail and address of the user”)
  • Lifetime of the cookie, e.g. “until closing the browser window”, “90 days”, “infinite”
  • Specification whether the cookie is set by the domain displayed in the URL line of the browser (first-party cookie) or by another domain (third-party cookie). For third-party cookies, specify the domain that sets the cookie, i.e. who is responsible for it.
  • Explanations and special features, e.g. “no classic cookie, but storage in HTML5 Local Storage”.

2) Clustering and evaluation of the cookie: Is the cookie “absolutely necessary” to provide the service explicitly requested by the user?

If you have all the information about the cookies you have set, you should group the cookies.

There are many possibilities for groupings and the best one for you depends on various factors:
– Total number of cookies to be clustered
– Type of cookies to be clustered
– Requirements of the Consent Management System
– Requirements of your legal department

From a legal point of view, grouping cookies based on the purposes of usage makes sense, because consent can later be obtained per cookie cluster rather than per individual cookie. The DSGVO forbids bundling consent for different processing purposes into one declaration. From our point of view, the following groupings, which can be applied to most individual requirements, have proved their worth:

  1. essential/necessary cookies (without these cookies the website cannot be correctly displayed or used, e.g. video player, shopping cart cookie for e-commerce websites)
  2. functional cookies (without these cookies essential content of the website cannot be displayed correctly, e.g. chat function, language settings, but the website can otherwise be opened and operated without problems)
  3. analytics (these cookies are used for web or app tracking, from range measurement to analysis of the customer journey)
  4. marketing (all cookies used for marketing and remarketing activities, in particular pure marketing tools such as Doubleclick, Target, Facebook,…)

For which cookies do you now need consent?

Rule of thumb: If your website also works without the cookie, then the cookie is not necessary and consent is needed.
The following cookies do not need consent:

  • Cookies that allow the user to log in
  • Cookies that allow administration of the shopping cart
  • “Stay logged in” or “remember me” cookies, if the user explicitly agrees to use this function

These types of cookies might potentially not require consent (functional and certain analytics):

  • Analysis of website visitors by the provider himself or by a contract processor who does not use the data for his own purposes (as the data protection authorities emphasised in various press releases in November 2019), provided that no cross-device or cross-site analysis of surfing behaviour is carried out.

These cookies need consent (certain analytics/marketing):

  • Cookies for cross-device or cross-website user tracking
  • Cookies for targeted interest-related advertising/remarketing
  • Third-Party Cookies, in which the third party collects data which it also uses for its own purposes (e.g. “product improvement”)

If the lifetime of the cookie exceeds the duration of the browser session by, for example, a few hours (persistent cookies), this is also an indication that the cookie is not absolutely necessary. The same applies to third-party cookies.

If sensitive data is involved (e.g. health data), if the user is dependent on visiting the website (e.g. city administration, public provider, monopolist) or if children typically use the website, particularly strict standards must be applied – in case of doubt, cookies can only be set with consent.
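As an added example (not FELD M’s code and not the output of any cookie crawler or Consent Management System), the following script shows how the step 1 inventory fields and the step 2 indications (persistent lifetime, third-party origin) can be derived from a raw Set-Cookie header, so that a crawler’s findings can be checked mechanically before a human assigns the purpose group. The function names, the three-hour threshold standing in for “a few hours”, and the crude registrable-domain comparison are assumptions; real code should use the Public Suffix List for the latter.

```javascript
// Added example, not the article's or any CMP vendor's code. Builds the step 1
// inventory record from a Set-Cookie header and flags the step 2 indications
// (persistent lifetime, third-party origin). All names are assumptions.

// "A few hours" beyond the browser session: assumed threshold of three hours.
const SESSION_GRACE_SECONDS = 3 * 60 * 60;

// Crude registrable-domain approximation (last two labels). Fine for example.com vs
// tracker-example.net; production code needs the Public Suffix List (co.uk etc.).
function siteOf(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Human-readable lifetime in the wording the article uses for the inventory.
function describeLifetime(seconds) {
  if (seconds === null) return "until closing the browser window";
  if (seconds <= 0) return "deleted immediately";
  if (seconds < 86400) return `${Math.round(seconds / 3600)} hours`;
  return `${Math.round(seconds / 86400)} days`;
}

// pageHost: host shown in the browser's URL bar; responseHost: host whose HTTP
// response carried the header (the "who sets it" question from step 1).
function parseSetCookie(header, pageHost, responseHost, now = new Date()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const record = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    lifetimeSeconds: null,
    setterDomain: responseHost.toLowerCase(),
    party: "first-party",
    attributes: [],
  };
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const [k, ...rest] = attr.split("=");
    const key = k.trim().toLowerCase();
    const value = rest.join("=").trim();
    if (key === "max-age" && /^-?\d+$/.test(value)) maxAge = parseInt(value, 10);
    else if (key === "expires") { const d = new Date(value); if (!isNaN(d)) expires = d; }
    else if (key === "domain" && value) record.setterDomain = value.replace(/^\./, "").toLowerCase();
    else if (key) record.attributes.push(attr); // Path=..., Secure, HttpOnly, SameSite=...
  }
  // RFC 6265: Max-Age takes precedence over Expires when both are present.
  if (maxAge !== null) record.lifetimeSeconds = maxAge;
  else if (expires !== null) record.lifetimeSeconds = Math.round((expires - now) / 1000);
  record.lifetime = describeLifetime(record.lifetimeSeconds);
  if (siteOf(record.setterDomain) !== siteOf(pageHost)) record.party = "third-party";
  return record;
}

// Step 2: combine the purpose group assigned by a human ("essential", "functional",
// "analytics", "marketing") with the technical indications from the article and
// the facts only a human can supply. Returns indications for review, not a verdict.
function assessConsent(record, group, facts = {}) {
  const indications = [];
  if (record.party === "third-party") indications.push("third-party cookie");
  if (record.lifetimeSeconds !== null && record.lifetimeSeconds > SESSION_GRACE_SECONDS) {
    indications.push(`persistent (${record.lifetime})`);
  }
  if (facts.crossSiteOrDevice) indications.push("cross-site or cross-device tracking");
  if (facts.thirdPartyOwnPurposes) indications.push("third party uses the data for its own purposes");

  let consent;
  if (group === "marketing" || facts.crossSiteOrDevice || facts.thirdPartyOwnPurposes) consent = "required";
  else if (indications.length > 0) consent = "review";
  else if (group === "essential") consent = "not required";
  else consent = "possibly not required";
  return { name: record.name, group, consent, indications };
}
```

Run `parseSetCookie` over every Set-Cookie header the crawler recorded, passing the page host and the responding host, and feed the result together with the purpose group from your inventory sheet into `assessConsent`; anything marked “review” or “required” is a candidate for the consent groups in step 3.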

3) Obtain consent for cookies which require consent

If you now know how to group your cookies and – related to this – which cookies you need the consent of your users for, you can technically implement your cookie concept. Ideally, you should use a ready-made Consent Management solution from an established provider or implement an individual in-house solution.

But how do you obtain consent for cookies?

The first time a visitor opens a page, a box/pop-up window should appear, the so-called “cookie banner”. This explains which cookies require consent and are planned to be set. Here you can use a shortened description and link to a “cookie policy” for details. In the Cookie Policy, all of the above-mentioned information about the cookies must then be included. It must also be made clear which cookies are only set with consent and which are “required”.
Cookies are only set if the user has actively performed a confirming action (e.g. setting a checkmark, clicking a button).

For the various cookies, separate declarations of consent (checkboxes) are required. In our opinion, however, it is possible to combine consent for several cookies if their purpose of usage is similar, e.g. statistics cookies, settings cookies, marketing/advertising cookies, or cookies that belong to one specific tool, e.g. several Facebook cookies.

Cookies requiring consent may not be set in the following cases:

  • The user ignores the banner and simply continues to surf without interacting with it.
  • The user closes the banner (“X” or “Close” button).
  • The user refuses the consent.

The banner should not be placed in such a way that it completely hides the page content or forces the user to make a decision, i.e. the user should be able to ignore the banner. The background to this is that the General Data Protection Regulation (DSGVO) does not permit any “interruption” of the service through consent (cf. recital 32 sentence 6 DSGVO). In the case of cookie consent, the requirements of the DSGVO on consent must also be observed.
Refusal of consent to a cookie is not allowed to result in the information offered on the website no longer being retrievable, as otherwise the consent may be regarded as involuntary and ineffective.

Whether the user has given consent or not can and should be stored in a Consent-Cookie (without ID).

If consent has been given: The consent should expire after 6-12 months and the user should then be asked again for consent (recommendation).
If the user has not given consent, the user can be asked again for consent after 6-12 months.

If the user has given consent, he must be able to revoke it at any time – just as easily as he has given consent. The “cookie policy” must enable the user to view and revoke his or her previous consent.
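As an added example (not the article’s code and not any Consent Management product), the following script implements the consent-cookie rules from this step in plain browser JavaScript: a record that holds only the per-group choices and a timestamp and no user ID, a 12-month validity after which the banner is shown again, no cookies on “ignore”, “close” or “refuse”, and revocation that is as easy as giving consent. The cookie name, the group names, the JSON layout and the `data-cookie-group` script markup are assumptions; it goes slightly beyond the text by also remembering an explicit refusal so the user is not asked on every page view.

```javascript
// Added example, not the article's code or a CMP product. Stores consent per
// cookie group without any user ID; cookie name, groups and layout are assumptions.
const CONSENT_COOKIE = "cookie_consent";
const CONSENT_VALID_MS = 365 * 24 * 60 * 60 * 1000; // 12 months, upper end of the recommended 6-12
const GROUPS = ["functional", "analytics", "marketing"]; // essential cookies are never asked about

// Build the cookie value: groups the user ticked are true, everything else false.
// Only a timestamp is stored alongside the choices, no identifier.
function encodeConsent(given, now = Date.now()) {
  const choices = Object.fromEntries(GROUPS.map((g) => [g, given.includes(g)]));
  return encodeURIComponent(JSON.stringify({ v: 1, t: now, c: choices }));
}

// Returns null if the record is missing, malformed or older than the validity
// window, which is exactly the case in which the banner must be shown again.
function decodeConsent(raw, now = Date.now()) {
  if (!raw) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(raw));
    if (rec.v !== 1 || typeof rec.t !== "number" || now - rec.t >= CONSENT_VALID_MS) return null;
    return { given: GROUPS.filter((g) => rec.c && rec.c[g] === true), at: rec.t };
  } catch (e) {
    return null;
  }
}

function shouldShowBanner(raw, now = Date.now()) {
  return decodeConsent(raw, now) === null;
}

// Banner outcome. Only an explicit "accept" allows anything; "refuse" is stored
// so the user is not nagged (design choice); "close" and "ignore" store nothing,
// because neither is an affirmative action.
function decide(event, ticked = [], now = Date.now()) {
  switch (event) {
    case "accept": {
      const allowed = ticked.filter((g) => GROUPS.includes(g));
      return { store: encodeConsent(allowed, now), allowed };
    }
    case "refuse":
      return { store: encodeConsent([], now), allowed: [] };
    case "close": // dismissal is not consent
    case "ignore":
      return { store: null, allowed: [] };
    default:
      throw new Error("unknown banner event: " + event);
  }
}

// Revocation: overwrite with an all-false record, one click from the cookie policy.
function revoke(now = Date.now()) {
  return encodeConsent([], now);
}

// Gate: a tag belonging to a group may run only if the stored record allows it.
function mayLoad(raw, group, now = Date.now()) {
  const rec = decodeConsent(raw, now);
  return rec !== null && rec.given.includes(group);
}

// Browser glue (assumed DOM usage; skipped outside a browser so the logic above is testable).
// Consent-gated tags are embedded as <script type="text/plain" data-cookie-group="analytics">.
function applyToDocument(raw) {
  if (typeof document === "undefined") return;
  if (raw !== null) {
    const maxAge = Math.floor(CONSENT_VALID_MS / 1000);
    document.cookie = `${CONSENT_COOKIE}=${raw}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
  }
  for (const el of document.querySelectorAll('script[type="text/plain"][data-cookie-group]')) {
    if (!mayLoad(raw, el.dataset.cookieGroup)) continue;
    const live = document.createElement("script");
    live.text = el.text;
    el.replaceWith(live);
  }
}
```

Wire the banner’s buttons to `decide`, pass the returned `store` value to `applyToDocument`, and expose `revoke` from the cookie policy page. Note that revocation only stops future loading; cookies that a tool has already set in the current session must be removed by that tool’s own opt-out or by deleting them explicitly.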

4) Explain all cookies in a cookie policy

In the Cookie Policy you inform your website users about the embedded cookies. You should group the cookies and present the information mentioned above, such as storage duration, intended use, etc. If you use a Consent Management System, this makes the presentation easier: these tools provide basic cookie information and manage it centrally, so that your cookie policy is always up to date. You then only need to supply the parameters you have defined yourself, such as individual storage durations.

 

And data protection? – Cookie Consent and Privacy Consent

Where personal data is processed using cookies, it must be checked in parallel whether consent is required for data processing or whether processing is based on a balancing of interests.

The data processing must be explained in “Data Protection Information”, whereby all information required according to Art. 13, 14 DSGVO must be provided. Information must therefore be provided on:
– Data processed
– Purposes of processing
– Storage period
– Data recipients
– Data transfers to non-EU countries
– Legal basis (consent or weighing of interests)
– Responsible company (is not always easy in the advertising environment, because the advertising network operator may be responsible or co-responsible here)

If you obtain cookie consent, you can associate it with the data protection consent. The same principles as for the cookie banner then apply. The privacy statement and the “cookie policy” can also be combined in one document, which must, however, clearly state both functions in the designation.