Don't use a sledgehammer to crack a nut

Data protection-compliant websites in the area of conflict between GDPR, cookie ruling and ePVO

Protecting personal data on the internet is a challenge for which a binding legal basis is still lacking. The current tangle of ePrivacy Directive, Cookie Directive, Telemedia Act, General Data Protection Regulation, cookie ruling and ePrivacy Regulation is causing uncertainty in many places. Companies are left with too much room for interpretation, and the resulting rules for handling personal information are too varied. Regardless of the current situation, companies should set up their corporate website in such a way that they are on the safe side in terms of data protection law.

The legal background to the current data protection discussions is very complex. It is therefore worthwhile to first compare the various requirements with each other. The ePrivacy Directive 2002/58/EC (2002) regulates the processing of personal data and the protection of privacy in electronic communications. The Cookie Directive 2009/136/EC (2009) supplements the ePrivacy Directive: providers must inform users in order to be allowed to store cookies on their end device. In Germany, the legislator has implemented the Cookie Directive by making adjustments to the Telemedia Act (TMG): companies must not only inform users about the setting of cookies, but also offer them the opportunity to object (opt-out). The General Data Protection Regulation (GDPR, 2018) in turn ensures basic protection when processing personal data.

Will cookies soon be a thing of the past?

Originally, the ePrivacy Regulation (ePR) was supposed to come into force at the same time as the GDPR, which did not happen because the EU Parliament, EU Commission and EU Council have still not been able to agree on a joint draft. Like the ePrivacy Directive, the ePR is intended to protect personal data in electronic communications, and cookies are at the center of it. In order to be allowed to set cookies and create user profiles, the data subject must actively consent (opt-in), unless the cookie is strictly necessary to provide the corresponding service. The ePrivacy Regulation thus clarifies the sometimes vague or missing wording of current legislation in the specific area of cookies and data collection. The European Court of Justice (ECJ) reinforced this view in October 2019. The much-discussed cookie ruling rules out cookie banners that merely inform users that the website operator sets cookies, without obtaining their active consent. It is also no longer permitted to pre-fill the consent checkbox with a tick that the visitor must then remove.

Informing visitors clearly

To avoid violating the law and risking severe fines, companies should take action sooner rather than later. One measure that can be implemented quite easily is a legally compliant design of the cookie banner. As soon as users visit a website, a clearly visible banner should appear, which ideally fits in with the corporate design and which users perceive as an organic part of the site. Experience has shown that this increases the willingness to agree to the setting of cookies. On the one hand, the text of the banner should explain clearly why the company wants to set cookies. On the other hand, visitors must be given the opportunity to adjust their settings individually. In addition, the privacy policy should be linked directly in the cookie banner. There, users should be able to call up the banner again later to change their original configuration.

All good cookies come in threes

Of course, companies want users to allow as many cookies as possible (opt-in). That is why the "Accept" button in the banner may be easier to click than the individual cookie settings. But be careful: presenting users with an extensive list of all the tracking and analysis tools used, or asking them to adjust their cookie settings in the browser, is very off-putting. It is better to offer a few options and explain them briefly: essential cookies ensure the functionality of the website and therefore cannot be deactivated; functional cookies are used to analyze website usage and thus continuously improve its performance and functionality; marketing cookies, on the other hand, are needed to create user profiles and, on this basis, to display personalized advertising content. Many companies are unsure about the cookie banner. Usually, nothing more than a banner with clear selection options is needed, and sometimes not even that. Because the legal situation is so opaque, some companies want to display an unnecessarily extensive and therefore costly banner even though they set no cookies or only essential ones. Neither case requires a banner. Examples of essential cookies include technically necessary session cookies that save the language setting, or shopping cart cookies. Without them, it would not be possible to display the desired items in the shopping cart, an indispensable basic function of every online store.
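The three-category banner and the no-pre-ticked-consent rule above, as an added JavaScript example that is not part of the article; the cookie name, the data-category/data-src attribute names and the 180-day lifetime are assumptions:

```javascript
// Added example (not the article's code): the three-category consent state
// behind the banner described above. Nothing is pre-ticked: only "essential"
// is allowed until the visitor opts in. The cookie name is an assumption.
const CATEGORIES = ["essential", "functional", "marketing"];
const CONSENT_COOKIE = "cookie_consent";
// State before any choice: essential only, no pre-filled consent.
function defaultConsent() {
  return { essential: true, functional: false, marketing: false };
}
// Read the stored choice from a document.cookie / Cookie header string.
// Unknown categories are ignored and "essential" can never be switched off,
// so a tampered or stale cookie degrades to the safe default per category.
function parseConsent(cookieString) {
  const consent = defaultConsent();
  const m = (cookieString || "").match(new RegExp(`(?:^|;\\s*)${CONSENT_COOKIE}=([^;]*)`));
  if (!m) return consent;
  for (const pair of decodeURIComponent(m[1]).split(",")) {
    const [cat, val] = pair.split(":");
    if (cat !== "essential" && CATEGORIES.includes(cat)) consent[cat] = val === "1";
  }
  return consent;
}
// Serialize the choice as a Set-Cookie value. The consent cookie is itself an
// essential cookie, so it needs no consent of its own. Lifetime: 180 days.
function serializeConsent(consent, maxAgeSeconds = 180 * 24 * 3600) {
  const value = CATEGORIES.filter((c) => c !== "essential")
    .map((c) => `${c}:${consent[c] ? 1 : 0}`).join(",");
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}
// Filter the site's third-party scripts ({category, src}) down to those the
// visitor has allowed; essential scripts always pass.
function allowedScripts(scripts, consent) {
  return scripts.filter((s) => s.category === "essential" || consent[s.category] === true);
}
// Browser glue (returns 0 under Node): activate inert tags of the form
// <script type="text/plain" data-category="marketing" data-src="..."> once allowed,
// so no third-party request is made before the matching category is opted in.
function applyConsent(consent, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (allowedScripts([{ category: el.dataset.category }], consent).length === 0) continue;
    const live = doc.createElement("script");
    live.src = el.dataset.src;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}
```

Re-opening the banner from the privacy policy simply calls `parseConsent(document.cookie)` to pre-select the visitor's current choice and `serializeConsent` plus `applyConsent` after they change it.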

Standing up to data octopuses

Just as important as cookie banners, but far more complex, is integrating content from third-party providers into a website while ensuring that personal data is handled in accordance with the law. Like and share buttons for social media platforms transmit sensitive data about the user's surfing behavior to the operator of the respective social network each time the page is accessed, regardless of whether the user is a member of the network or logged in. The user data collected via embedded cookies usually flows to US servers, where it is no longer subject to European data protection law. What many people do not know: website operators can prevent this data collection. Companies that use the open-source content management system (CMS) TYPO3, for example, must actively add tracking mechanisms: since version 9, the standard installation no longer sets cookies. But even companies with a different CMS are not defenceless against the collecting frenzy of the data octopuses.

Protecting the privacy of users

There are tools that protect the privacy of website visitors. As soon as like and share buttons are integrated into a website, the social plug-ins usually record the user's IP address in order to log their further activities, even if they never click the buttons. Privacy-friendly tools, on the other hand, only establish contact between the social network and the visitor when the button is actually clicked. This means that users do not leave an unwanted digital trail and social networks cannot build complete surfing profiles. Other tools allow videos to be integrated into a website in compliance with data protection regulations. Even if a video is embedded directly from the respective social network, the data transfer takes place in the background via the website operator's server. The video service therefore only receives the operator's data, not that of the visitor.

Sometimes two clicks are better than one

One service that does not yet support these tools is Google Maps. Here, to prevent Google from collecting user data, website operators cannot avoid a two-click solution, which is somewhat less convenient: the user needs two clicks to use the embedded content. To display a company's location on Google Maps or to call up directions, a small banner appears first. It informs the visitor that they must agree to the privacy policy of the provider, in this case Google, in order to use the interactive map. Only then is any data transferred.
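The click-gated loading described for social plug-ins above and the two-click map solution here, as an added JavaScript example that is neither the article's nor any plug-in's code; the allowlisted hosts, the data-embed attribute names and the sample map URL are assumptions:

```javascript
// Added example (not the article's code): a two-click embed for third-party
// content such as a Google Maps iframe or a social share button. Before the
// click the page holds only first-party placeholder markup; the provider URL,
// and with it the request that reveals the visitor's IP, exists only after it.
// The host allowlist is an assumption; it keeps the embed source from ever
// being taken from user input and turned into an arbitrary iframe.
const ALLOWED_EMBED_HOSTS = ["www.google.com", "maps.google.com"];
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[ch]));
}
// Accept only https URLs on an allowlisted host (rejects javascript:, http:, lookalikes).
function isAllowedEmbedSrc(src) {
  try {
    const u = new URL(src);
    return u.protocol === "https:" && ALLOWED_EMBED_HOSTS.includes(u.hostname);
  } catch {
    return false;
  }
}
// First click target: plain HTML with no reference to the provider's servers.
function renderPlaceholder(embed) {
  return `<div class="embed-placeholder" data-embed-id="${escapeHtml(embed.id)}">` +
    `<p>Loading this content transmits your IP address to ${escapeHtml(embed.provider)}. ` +
    `See <a href="${escapeHtml(embed.privacyUrl)}">their privacy policy</a>.</p>` +
    `<button type="button" data-embed-load="${escapeHtml(embed.id)}">Load content</button></div>`;
}
// Second click: only now is the iframe markup, and thus the request, produced.
// no-referrer keeps the visited page URL out of the provider's logs.
function renderEmbed(embed) {
  if (!isAllowedEmbedSrc(embed.src)) throw new Error("embed source not allowlisted: " + embed.src);
  return `<iframe src="${escapeHtml(embed.src)}" title="${escapeHtml(embed.provider)} embed" ` +
    `loading="lazy" referrerpolicy="no-referrer"></iframe>`;
}
// Browser glue (a no-op under Node): swap the placeholder for the embed on click.
function installTwoClick(embeds, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return false;
  const byId = Object.fromEntries(embeds.map((e) => [e.id, e]));
  doc.addEventListener("click", (ev) => {
    const id = ev.target.dataset ? ev.target.dataset.embedLoad : undefined;
    if (!id || !byId[id]) return;
    ev.target.closest(".embed-placeholder").outerHTML = renderEmbed(byId[id]);
  });
  return true;
}
// Constructed sample with assumed values: a map of the company's location.
const SAMPLE_MAP = { id: "hq-map", provider: "Google", privacyUrl: "/privacy",
  src: "https://www.google.com/maps/embed?pb=EXAMPLE_PLACEHOLDER" };
```

The server renders `renderPlaceholder(SAMPLE_MAP)` into the page and the browser calls `installTwoClick([SAMPLE_MAP])`, so the iframe markup never reaches the visitor's browser before the second click.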

Do not overshoot the mark

What a company decides on is a highly individual matter. Due to the complexity, professional advice from a lawyer specializing in data protection is essential, as is a needs analysis carried out by an experienced IT service provider. The focus here is on three questions: What third-party technology does the company use? Where do these solutions come from? And do they demonstrably guarantee that personal data is handled in accordance with the law in this country? Other important questions are: Do we need Google Analytics? And what data does it generally make sense to collect? Experience has shown that tracking is the biggest sticking point. Some users are now sensitized to the issue of data protection and are therefore not prepared to opt in. Others are annoyed and agree to the setting of cookies without being aware of the consequences. A reputable IT service provider points out the legal ambiguity and the associated risk to companies. They should raise awareness of the issue of data protection without stirring up fears. In practice, companies need to find the right balance between data protection and usability for their corporate website. And the rule is: don't use a sledgehammer to crack a nut.

Author: Radek Paluszak