Data privacy pitfall: Cookie banners must allow a genuine choice

26.02.2024

Cologne Higher Regional Court (OLG Köln) clarified in a judgment in January 2024 (6 U 80/23, available in German only) that cookie banners must be designed fairly and that consumers must be given a real choice as to whether they wish to accept cookies or not. The case was brought by a consumer protection organisation. It successfully demanded that the first display on a cookie banner provide the option of accepting or rejecting cookies. It also successfully objected to a design with an X placed next to the words “Accept and close”.

Background

The defendant in the proceedings was a website provider that installed technically unnecessary cookies on its website and used a cookie banner to obtain consent for that purpose. This was what it looked like on the first page:

[Image: the defendant’s cookie banner, headed “Wir verwenden Cookies” (“We use cookies”)]

Cologne Higher Regional Court upheld the claimant’s argument that the design of the defendant’s cookie banner did not meet the requirements of data privacy law. The court explained that cookie banners could generally be appropriate for obtaining consent to the use of cookies under data privacy law. These banners may be necessary if a cookie (or similar technology) is not strictly necessary for providing a telemedia service such as an app or website, the court added.

Legal classification

The court found that the defendant’s cookie banner did not meet the statutory requirements – in this case the GDPR and the German Telecommunications-Telemedia Data Protection Act. The defendant had used an unclear design for its cookie banners, according to the court.

Simply having a choice of either “Accept” or “Settings” was not a real choice within the meaning of the data privacy requirements for giving informed consent, it said.

According to the court, the specific design did not give data subjects an equivalent option to reject cookies; instead, they were being directed to give their consent and prevented from rejecting the cookies. The consent given therefore could not be regarded as voluntary and sufficiently informed.

The court stated that data subjects could give their consent at the first level of the cookie banner, but if they wished to decline, they were redirected to the second level. In addition, the “Accept” button was displayed in eye-catching blue, while the word “Settings” (for rejecting cookies) was grey. Furthermore, at the second level too, consent was highlighted in colour and in the same design, while cookie rejection had to be activated manually (cookie opt-out). In addition, an X was positioned in the top right-hand corner next to “Accept and save”, giving the impression that consent could be refused, the court said.

Therefore, the design of the cookie banner with the linked button labelled “Accept & close X” in the top right-hand corner also breached the principles of transparency and the voluntary nature of consent, the court said.

Summary and practical implications

The court’s ruling emphasises that website operators are not allowed to design consent declarations in such a way that users are influenced into making a decision that is disadvantageous to them (known as dark patterns).

In most cases, the cookie banners often used by companies in practice make it harder for data subjects to reject online tracking. Although companies are basically free to choose how to design their own cookie banners, it must be equally easy to select each of the options displayed.

The Bavarian Data Protection Office launched a campaign (available in German only) in December 2023 which is intended to run until May 2024 to review compliance with privacy requirements on websites and in apps. The design of consent processes is the focus of this campaign. This demonstrates that companies should review their cookie banners or cookie dashboards to see if they comply with the statutory requirements, the Bavarian regulator’s questionnaire and also the Guide for Telemedia Providers (available in German only).

If they fail to do so, companies will face the risk of actions for injunctions from consumer protection organisations, and of course the risk of fines and claims for damages.
