BlnBDI (Berlin) - 521.14877.15
BlnBDI - 521.14877.15 | |
---|---|
Authority: | BlnBDI (Berlin) |
Jurisdiction: | Germany |
Relevant Law: | Article 7 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 19.09.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 521.14877.15 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | German |
Original Source: | BlnBDI (Germany) (in DE) |
Initial Contributor: | mg |
In one of the cookie banner mass complaints filed by noyb, the Berlin DPA found that collection of consent by the controller did not fully comply with the GDPR. However, given the improvements in the cookie banner, the DPA did not adopt any corrective measure.
English Summary
Facts
This decision was adopted in the context of the cookie banner mass complaints filed by the NGO noyb.
In 2021, the data subject visited a website managed by the controller. According to the data subject, the cookie banner designed to collect users’ consent did not comply with the GDPR. In particular, there was no option to reject cookies on the first layer of the banner, but only a link to a second layer. Moreover, the design of the banner was deceptive. Finally, the controller had not implemented a floating button to withdraw consent, in violation of Article 7(3) GDPR, which states that it shall be as easy to withdraw as to give consent.
After the data subject lodged a complaint with the Berlin DPA, the controller changed the design of the cookie banner. More precisely, the link to reject cookies was moved from the explanatory text to a more visible area of the banner. The controller also provided a link on the bottom of the webpage, from where it was possible to open the second layer of the cookie banner and withdraw consent. This was not a floating button. Finally, the controller deleted all the data concerning the data subject.
Holding
The Berlin DPA stressed that the collection of a valid consent shall meet the requirements set in Article 7 GDPR.
Concerning the existence of a rejection button on the first layer of the banner (‘violation type A’ according to the EDPB cookie banner task force), the DPA clarified that such an option is necessary only insofar as the cookie banner prevents the user from interacting with the webpage. In the case at issue, both the 'accept' and 'reject' options were provided in the first layer, despite their different design. Therefore, violation type A did not occur.
Concerning the alleged deceptive design (‘violation types C, D, E’), the DPA stressed that Article 4(11) GDPR requires that consent collected by the controller shall be freely given, specific, informed and unambiguous. In particular, ‘freely given’ means that the rejection of consent shall not entail an extra effort by the data subject, as in the case of a reject-button on a second layer of the banner (where the accept-button is on the first), the case of a link hidden within the main text of the banner, or the case of a reject-button which is visible only after scrolling the banner (where the accept-button is immediately visible). In other words, violations concerning deceptive design occur when the option to reject is not clearly offered on the first layer of the banner. That being said, the DPA endorsed the idea that the GDPR does not contain fixed requirements for the design of cookie banners: compliance with the regulation should be assessed on a case-by-case basis.
In the present case, the DPA noticed that the controller moved the reject-button from the text to the bottom of the banner, next to the accept-button. It was not necessary that both options were equivalent or designed in the same way. The DPA also pointed out that this design solution was the dominant one on the market and consequently users could find the reject option where they expected to find it.
However, the DPA found that consent was not ‘informed’, as both the cookie banner and the privacy policy of the controller were incomplete and did not provide sufficient information about the processing activities that followed the collection of the cookies.
Concerning the option to withdraw consent (‘violation type K’), the DPA stated that a floating button is not necessary. Nevertheless, in the case at issue the DPA held that the option to withdraw consent was not sufficiently clear, as the withdraw-button could be found only after a difficult search on the controller’s website. Therefore, Article 7(3) GDPR was not respected and violation type K occurred.
Notwithstanding the violations identified, the DPA decided not to further proceed against the controller, as the latter had meanwhile brought its banner in compliance with the GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Berlin Commissioner for Data Protection and Freedom of Information (BlnBDl)
Alt-Moabit 59-61, 10555 Berlin (Entrance: Alt-Moabit 60)
Telephone: 030 13889-0, Fax: 030 215 50 50, Email: mailbox@datenschutz-berlin.de, Website: www.datenschutz-berlin.de
Office hours: Mon.-Fri. 10 a.m. - 3 p.m., Thursday 10 a.m. to 6 p.m., or by appointment
521.14877.15
NOYB - European Center for Digital Rights
Business name: Department: By email (PGP encrypted): Processor: XXXXXXXXX XXXXX Phone: XXXXXXXX Extension number: 332 Date: September 19, 2023
Closing message
Your submission of August 10, 2021 on behalf of XXXXXXXX
Your reference: C-037-10365 regarding mirapodo.de
Ladies and Gentlemen
We hereby inform you of the completion of our review process, which has been initiated based on the above entry. This final message was the sighting of the website used by the complainant XXXXXXXX on April 9, 2021. As a result, there was a violation, which we have pointed out to the person responsible. After the violation was immediately remedied upon our request, we have, at our best discretion, refrained from taking supervisory measures.
Reason:
I. We discovered the following facts:
1. Subject of input
On August 10, 2021, you complained to us that on the website mirapodo.de, which is operated by myToys.de GmbH, cookies and similar technologies are used illegally and personal data streams to third-party servers take place.
In your submission you stated that the complainant accessed the website on April 9, 2021. The complainant discovered that a banner was displayed to him to obtain consent for the use of cookies, etc. The banner contained explanatory text including a link in the body text with the name "Reject cookies" and a large red button labeled "OK" and a link "Settings" below the text.
We could not clearly determine from the description of the facts in the submission whether, when and how the complainant has interacted with the banner “while visiting the website”.
According to your review, effective consent was not obtained with this banner because there was no reject option at the first level (“violation type A”). In addition, the link, color and contrast design is misleading (“violation types C, D and E”). Nevertheless, cookies have already been set on the complainant's device "while visiting the website" and data has been disclosed to third parties. After all, revoking consent was not as easy as granting it, since the website operator did not activate the option to display a small, permanently visible "floating" symbol with which the banner can be called up again (“Violation Type K”).
The complaint was accompanied by technical documentation about which cookies were set on the complainant's device and which http requests and responses between his browser and third-party servers. Accordingly, among other things, there were connections between his browser and servers of adnxs.com, adsrvr.org, doubleclick.net and criteo.com, and cookies named "uuid2", "uid", "IDE", "T DD" and “TDCPM” were set on his device. A unique user identification number (UD) is stored in the cookies. When visiting the website, the port used was assigned the IP address XXXXXXXXX.
Before you lodged a complaint with us, you had already contacted the website operator yourself to highlight the themes of the complaint. The website operator responded to this on June 29, 2021 and informed you that visual changes on banners were made. In your submission you therefore stated that you were aware of it be that the person responsible is responsible for his behavior regarding violation types C, D and E according to you I have set a speech.
2. Background of the input
The disputed submission is part of a NOYB project. On May 31st and August 10th, 2021, NOYB published information about the project on the website https://noyb.eu/de/noyb-sets-dem-cookie-bannerwahnsinn- final. Accordingly, NOYB has, in a first step, automatically scanned up to 10,000 websites that use the consent management provider OneTrust using self-developed software, i.e. regardless of the visit of the websites by an (affected) natural person. The publication also explains that the system used by NOYB “automatically generates complaints” and the companies then receive an informal draft complaint, step-by-step instructions (PDF) on how to adjust your software settings and 60 days' time to cooperate."
As of May 31, 2021, NOYB initially sent "warnings" and “draft complaints” to 560 website operators where one or more of the self-categorized violation types were detected, and the operators were asked to redesign the cookie banners according to the requirements formulated by NOYB. In the event that this did not happen within the deadline set, NOYB announced that it would submit a formal complaint to the supervisory authorities. In August 2021, NOYB then sent a total of 422 complaints to several European supervisory authorities.
On March 4, 2022, NOYB announced in a website post that it would submit an additional 226 complaints about cookie banners to a total of 18 supervisory authorities (https://noyb.eu/de/weitere-226-complaints-against-irrefuehrende-cookie-banner- submitted), which was finally implemented on August 9, 2022. This follow-up project followed the same approach as the audit in the year 2021.
The disputed entry relates to a website visit on April 9, 2021 and was filed with the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDl) on August 10, 2021.
The entry is therefore obviously part of the first complaint action. The input is therefore obviously also the aforementioned standardized and (at least partially) automated testing, which the complainant carried out on behalf of NOYB.
3. Investigation by the BlnBDl
According to Article 57 Paragraph 1 Letter f of the General Data Protection Regulation (GDPR), it is the responsibility of the supervisory authorities to deal with complaints from data subjects and to investigate the subject matter of the complaint to an appropriate extent. Against this background we have used the submission as an opportunity to view the website ourselves on March 23, 2022 and to document the situation encountered. The descriptions from the input are partially confirmed.
When the website was accessed, the following banner was displayed at the bottom, the design of which has changed since it was seen by the complainant.
[Screenshot of the banner; recoverable text: "Would you like cookies? [...] store and/or retrieve [...] (IP address, user ID, browser information). The data is used for personalized ads and content, advertising and [...] measurements as well as to gain insights into target groups and product developments. By clicking on the “Reject cookies” link you can refuse consent. More information can be found under “More information”."]
The banner does not fundamentally block access to the page content, i.e. the content that is visible despite the banner can be clicked on. However, about 1/3 of the website area is covered by the banner, and it is still displayed on all subpages as long as no decision has been made.
Contrary to what was stated in the input, we could not determine that the link, color and contrast design was changed. There was still a big button labeled "OK" displayed, under which there were links. However, the position of the “Reject cookies” link was changed. This was no longer included in the body text, but instead directly under the button next to the “Settings” link.
We were able to determine that immediately when the website was called up and before any interaction with the content of the website, both cookies were set on our devices and data flows to domains outside of mirapodo.de took place. In addition, 22 cookies were from its own domain and 9 more from mytoys.de, which, as is evident from the names of the cookies, among other things, were also used for analysis purposes. If you clicked on the "OK" button in the banner, a total of 100 cookies were set on the visitor's device, including from the domain of adnxs.com, adsrvr.org, doubleclick.net, criteo.com, adform.net and theadex.com.
After all, it was only based on the instructions that the company gave you with a letter dated June 29, 2021 that we were able to find, within the almost 40 DIN A4 page data protection declaration on the website, a link labeled “here” to access the banner again and revoke consent.
When viewing the website, we encountered other circumstances raising data protection concerns, which, however, were not the subject of the above input.
In a letter dated March 29, 2022, we confronted the website operator with our observations and pointed out our assessment (see immediately under II). Upon being addressed by us, the banner, the integration of third-party services and the content of the privacy policy were revised. After questions regarding the integration of individual third-party service providers initially still remained, an oral consultation took place in January 2023 with representatives of myToys.de GmbH. The website operator then made further changes, among other things, to the information texts, the duration of individual cookies and the website architecture.
During a recent review of the website by us, the deficits that were the subject of the above-mentioned input could no longer be reproduced.
Meanwhile, when you access the website, a slightly different banner is displayed at the bottom of the page:
[Screenshot of the revised banner, beginning "Would you like cookies?"; the remaining text is not recoverable]
The banner contains three interactive elements labeled “Agree”, “Reject cookies" and "More information". The button in the banner with which consent can be refused works according to its labeling. The services that were loaded when the complainant visited the website could only be established after consent was issued.
There has also been a link labeled “Cookie Settings” implemented in the footer of the website so that the second level of the banner can be called up again at any time and the consent given can be revoked by clicking on the “Reject all” button.
Finally, we received a binding confirmation that all data that could be identified in the database using the information provided by the complainant had been deleted.
4. Cooperation of the supervisory authorities concerned
In September 2021, the European Data Protection Board initiated, on the basis of Art. 70 Para. 1 lit. u GDPR, a working group (“Banner Taskforce”) in which the BlnBDl was involved together with representatives of supervisory authorities from several other Member States (https://edpb.europa.eu/news/news/2021/edpb-establishes-cookie- bannertaskforce_en). The exchange in the banner taskforce serves, among other things, to ensure that the complaints lodged by NOYB with various supervisory authorities are, if possible, treated and evaluated simultaneously and thus the most uniform possible implementation of data protection requirements in the European Union is ensured. On January 18, 2023, the results report of the Banner Taskforce was published (Report of the work undertaken by the Cookie Banner Taskforce, https://edpb.europa.eu/our-work- tools/ourdocuments/other/report-work-undertaken-cookie-banner-taskforce_en). This report represents the common (minimum) consensus that the supervisory authorities have within the complex legal framework surrounding the use of cookies.
II. From a legal perspective, we assess the facts identified as follows:
1. Right to lodge a complaint
In principle, every person can, in accordance with Art. 77 GDPR, complain to a data protection supervisory authority if, among other things, that person's personal data may be processed unlawfully. Under the regulation, an express right to complain to a supervisory authority is therefore only available to natural persons whose data is processed in a form in which the person is either directly identified or at least can be identified directly or indirectly.
The background of the input shown under I.2. makes it questionable whether the process must be treated as a formal complaint within the meaning of Art. 77 GDPR. There are indications giving rise to doubt as to whether a terminal device of the complainant was affected at all or whether a device provided by NOYB was used.
It is undisputed that the accesses and calls documented using the HAR archive have taken place, but it can be questioned whether these were actually made on a device of the complainant.
As a result, it cannot be determined with certainty whether personal data of the complainant within the meaning of Art. 4 No. 1 GDPR were actually processed, or whether it was rather data from a “laboratory device”. It is undisputed that the processes as documented by the HAR archive have taken place and data were processed. However, it can be questioned whether the UIDs that were stored in the respective cookies were already assigned to a natural person or rather were generated as part of the automated testing process and therefore have no reference to the complainant as a natural person.
Although it ultimately remained unclear whether the processing of personal data of the complainant is in question, the matter will be treated as a complaint as a precautionary measure.
2. Examination standard
Using cookies and similar technologies, such as those regularly used on websites, information can be stored, enriched and managed on the users' devices. In practice, these processes often serve to influence individual behavior of users - sometimes tracked across different websites and devices - and, if necessary, to create profiles about a person.
Regardless of the technical design or the purposes pursued, collection and further processing of this information is usually perceived as a uniform fact of life. Legally, however, there are two steps to differentiate here. Firstly, the storage and access to information in the terminal equipment and secondly the processing of personal data, which is often the purpose of the use of cookies and similar technologies. The legality of this (subsequent) processing depends on the requirements of the GDPR.
The upstream technical processes - especially setting and reading of cookies - however also affect the integrity of the end devices and thus originally fall in the regulatory area of Directive 2002/98/EC in the version amended by Directive 2009/136/EC (so-called ePrivacy Directive).
a. Legal framework until December 2021
According to a 2019 assessment by regulators, Article 5 Para. 3 ePrivacy Directive, which is relevant for websites, has never been adequately implemented into national law - also not by the regulation contained at the time in Section 15 Paragraph 3 TMG: “The service provider may, for the purposes of advertising, market research or needs-based design of telemedia, create usage profiles when using pseudonyms, provided the user does not contradict this." Therefore, questions of application related to the design of websites have arisen since the GDPR came into force. Against this background, the regulators published in March 2019 an orientation aid for providers of telemedia (OH Telemedien 2019), which was intended to help website operators implement the legal requirements. The orientation aid revealed that, from the perspective of the supervisory authorities, the use of cookies and third-party services on websites had to be measured as a whole based on the requirements of Article 6 Para. 1 GDPR.
b. Legal framework after December 2021
With effect from December 1, 2021, Art. 5 Para. 3 ePrivacy Directive was implemented into German law by Section 25 of the Telecommunications Telemedia Data Protection Act (TTDSG). Since then, its requirements must be taken into account when using any technology whose information is stored in or read from end devices.
In view of the new legal situation, the OH Telemedien 2019 was completely revised and a new guidance published by the supervisory authorities (OH Telemedien 2021 Version 1.1, available at https://www.datenschutzsammlung- online.de/media/oh/20221130_OH Telemedien_Version_1.1.pdf).
c. Processes at the time of entry
The complaint relates to a visit to the website on April 9, 2021 and thus a point in time when the TTDSG had not yet come into force. An assessment of the website visit at that time can therefore only take place based on the requirements of the GDPR.
The use of cookies and subsequent data processing criticized in the above-mentioned input, and which were partly confirmed by our own website inspection, served advertising-related purposes. These processes required prior consent of the website visitors. Such consent is only effective if the requirements in accordance with Article 4 No. 11 GDPR are met. Accordingly, the declaration of intent must be made voluntarily, for the specific case, in an informed manner and unambiguously in the form of a statement or other clear confirmatory action. Article 7 GDPR also provides further conditions, including for the revocation of consent.
The questions underlying the procedure were the subject of more comprehensive coordination of the European and German supervisory authorities, from which the assessment criteria relevant for supervisory purposes can be derived as follows.
(1) Examination standard for “violation types A, C, D and E”
According to your review, no effective consent was obtained with the displayed banner because there was no reject option at the first level ("Violation Type A") and the link design (“Violation Type C”), the button colors (“Violation Type D”) and the button contrast (“violation type E”) are misleading. These violation types all concern the design of the banners on the disputed website.
From the perspective of the supervisory authorities, a rejection function at the first level of a banner is not generally required, but only if users need to interact with the consent banner in order to continue visiting the website. If no website areas are blocked by the banner and the content is accessible, so that no action by the website users is required, a rejection option at the first level may be unnecessary. Likewise, a rejection function at the first level is not necessary if consent can only be given at another level. It is therefore a question of the design of the consent banner and an individual case analysis (OH Telemedien 2021 Version 1.1 Rn. 122).
The requirements for the design of the decline option are not stated literally in the law, but are derived from the individual elements of an effective consent, in particular the fact that it must be given voluntarily, in an informed manner and unambiguously.
Whether an unambiguous declaration of intent exists when end users give their consent via a button also depends on whether they could express their true will directly or clearly recognize how their true will can be expressed. The evaluation therefore takes into account how buttons for giving consent and further options for action are labeled and designed and what additional information is provided. In order to be able to prove that users have submitted an unambiguous declaration of intent, they must be offered at least such selection options whose communication effect is equivalent. If a selection option is presented precisely and it creates an immediate effect (e.g. an “Accept All” button) while the other option is kept nebulous and does not allow the true contrary will to be expressed with the same effort, there is a deficit of effect and information. Such a deficit is suitable for encouraging users to not base their decision on their own clear will, but only on which option finishes the consent query faster. If users are not offered equivalent options for action to grant or reject consent, the requirements for effective consent are regularly not met (OH Telemedien 2021 Version 1.1 Rn. 44 ff.).
When assessing whether the consent was given voluntarily, it must first be clarified whether there was at all an obligation for the end users to make a declaration, or whether they could have remained inactive. It can be assumed that such coercion exists if a banner or other graphic element used to request consent obscures access to the website as a whole or parts of the content and the banner cannot simply be closed without a decision.
The characteristic of voluntariness is noticeably influenced when the rejection of all access requiring consent means measurable additional effort for end users. Such additional effort is, e.g., generated by the rejection being possible only on a second banner level and therefore only with a higher number of clicks (compared to consent). If users cannot simply ignore a consent query when accessing a telemedia offering because it obscures the content of the offer, the voluntariness of consent is therefore regularly missing if the refusal involves a higher effort, e.g. in clicks and attention (OH Telemedien 2021 Version 1.1 54, 56 f.).
In cases where there is an interactive element at the first level of the banner with which consent can be refused with one click, it is crucial that this alternative is clearly recognizable, easily perceivable and unmistakable. The possibility of not giving consent must clearly be considered an equivalent alternative to “granting consent”. What is crucial is that the alternative to consent as such can be perceived by users.
For example, it is not sufficient if the option to refuse is displayed outside of the consent banner on the website or takes a back seat in the running text of the banner without clear visual emphasis or linguistic identification, while the possibility of granting consent appears prominently as a button outside of the body text. Also, an identical button that is only visible after scrolling through the consent text, while the option for consent is visible directly at the beginning of the banner, is not easily noticeable as an equivalent alternative (OH Telemedien 2021 Version 1.1 Rn. 132 ff.).
With regard to the criticized violation types C, D and E, it is therefore relevant whether, despite the selected design, color and contrast settings, website visitors can recognize that there is a possibility to close the banner at the first level without giving consent.
The above-mentioned Banner Taskforce stated the criteria for determining when design options unduly influence users, so that a voluntary and unmistakable act can no longer be assumed, in its findings report as follows:
TYPE D & E PRACTICES: "DECEPTIVE BUTTON COLORS" & "DECEPTIVE BUTTON CONTRAST"
15. It appears that the configuration of some cookie banners in terms of colors and contrasts of the buttons (contrast ratio between the accept button and the background - type D practice) could lead to a clear highlight of the "accept all" button over the available options. The taskforce members agreed to examine type D and E practices together as the issues are linked and raise similar points of discussion.
16. The task force members agreed that a general banner standard concerning color and/or contrast cannot be imposed on data controllers. In order to assess the conformity of a banner, a case-by-case verification must be carried out in order to check that the contrast and colors are not used misleading for the users and do not result in an unintended and, as such, invalid consent from them.
17. As a result, it was also agreed that a case-by-case analysis would be necessary to address specific cases although some examples of features manifestly contrary to the ePrivacy Directive provisions have been identified.
18. Based on concrete examples, the taskforce members took the view that at least this practice could be manifestly misleading for users: an alternative action is offered (other than granting consent) in the form of a button where the contrast between the text and the button background is so minimal that the text is unreadable to virtually any user.
19. While the design choices above are considered problematic, the taskforce members reiterated that each specific cookie banner needs to be assessed on a case-by-case basis.
The statements underline that there is no general standard with regard to the design of colors and contrasts, but must always be examined on a case-by-case basis. The members of the task force were of the opinion that a clearly inadmissible design only exists if a button is displayed as an alternative to granting consent, where the contrast between the text and the background of the button is so low that the text is unreadable for virtually every user. In all other cases an individual examination is required to be carried out in which it must be clarified whether the users have been blatantly misled.
This corresponds to the assessment standard that the German supervisory authorities have already described in paragraph 125 of the above orientation aid telemedia: “There is no general standard for the design of consent banners in terms of color, size or contrast, so that there is a certain amount of leeway for those responsible.
A behavior control through the Design, which is commonly referred to as nudging, is therefore not generally impermissible. She However, it finds its limits where the requirements for effective consent are met of Art. 4 No. 11 and Art. 7 GDPR are no longer fulfilled. If this limit is exceeded "Inadmissible nudging can be assumed." (2) Examination standard for “Violation Type K” Page 11 of 17As a condition of effective consent, Art. 7 Para. 3 GDPR also requires the following: “The data subject has the right to withdraw their consent at any time. The revocation “Consent must be as simple as giving consent.” According to your assessment, withdrawing consent was not as easy as giving it the website operator did not activate the option, a small, permanently visible to display a "floating" symbol with which the banner can be called up again (“Violation Type K”). The European supervisory authorities apparently share this view following statements from the results report of the Banner Taskforce: 9/31 TYPE K PRACTICE: "NO WITHDRAW ICON" It appears that where controllers provide an option allowing to withdraw consent, different forms of options are displayed. In particular$ some controllers have not chosen to use the possibility to show a small hovering and permanently visible icon on ali pages of the website that allows data subjects to 32. return to their privacy settings, where they can withdraw their consent. Website owners should put in place easily accessible solutions allowing users to withdraw their consent at any time, such as an icon (small hovering and permanently visible icon) or a link placed on 33. a visible and standardized place. The ePrivacy Directive's reference to consent in the GDPR includes both a reference to the definition of consent (article 4 of the GDPR) as well as to the conditions of it (article 7 of the GDPR) 34. 
In addition to the requirements for the collection of consent to be valid in accordance with the GDPR and under Article 5(3) ePrivacy, three additional cumulative conditions are mandatory: (i) the possibility to withdraw consent, (ii) the ability to withdraw consent at any time, (iii) withdrawal of consent must be as easy as to give consent.

35. However, website owners can only be imposed that easily accessible solutions are implemented and displayed once consent has been collected, but they cannot be imposed a specific withdrawal solution, and in particular to set up a hovering solution for the withdrawal of consent to the deposit of cookies and other trackers. A case-by-case analysis of the solution displayed to withdraw consent will always be necessary. In this analysis, it must be examined whether, as a result, the legal requirement that it is as easy to withdraw as to give consent is fulfilled.

This corresponds to the assessment standard that the German supervisory authorities have already described in paragraph 60 of the above-mentioned Orientation Aid Telemedia: “If links lead the user directly to the option of revocation and no searches are necessary, a directly discoverable revocation option can also be placed in a data protection declaration.”

3. Evaluation in the specific case

The data protection assessment is based on the current status and design of the website as shown in the complaint documents and as (partially) confirmed by our own inspection of the website.

The above findings show that processes requiring consent took place when the complainant visited the website. It can be left open whether these processes took place before or without interaction, or only after clicking the "Accept" button, because we could not determine that the design of the banner was clearly suitable for obtaining effective consent for them.
During all visits to mirapodo.de made by the complainant or by us, a banner was displayed whose design made it possible to give or refuse consent with the same effort (1 click). Users were able to decide there, without any additional effort, to access the contents of the website without giving consent.

However, the complainant has complained, based on the banner design during his visit, that the consent option was clearly highlighted in terms of color, function and dimensions. Consent could be given via a large red button, while rejection was possible via a link in the running text that was not highlighted in color.

It turns out to be of limited importance whether this integration of the link into the banner text ensured that consent was given voluntarily and unambiguously. According to the standard of review presented above, the crucial point is that the alternative to consent can be perceived as such by users. It is not sufficient if the possibility to reject recedes into the running text of the banner without clear visual highlighting or linguistic identification. However, the link in the text was at least clearly labeled and underlined (“reject cookies”).

It should also be taken into account that, at the point in time relevant to the decision, i.e. in April 2021, neither the German supervisory authorities nor the courts had yet commented on such design details. Rather, the focus of the supervisory authorities' statements at the time was on raising awareness that website operators should provide any functional option at the first banner level to refuse consent. From the perspective at the time, the design cannot clearly be regarded as a violation.

In response to the complainant, the website operator visually moved this link, which was previously in the running text, before the complaint was filed. Since then it has been directly under the red button.
We could not determine that the chosen design, color and contrast settings exclude a voluntary and unambiguous decision. (At least) since the redesign, the alternatives are recognizable as such at a glance. All interactive buttons are located outside the body text and stand out from the white background. The fact that the elements are not presented completely identically does not change this. The test standard here is, as shown in 11.2.c.(2), the actual perceptibility, i.e. whether the options can be recognized as such. This is the case here, even if the option to reject is not framed or otherwise highlighted in color.

The evaluation must also take into account the expectations of average users, who, owing to the banners currently common on the market, are used to all options being found under the banner text and often being shown in different colors. In the banner to be evaluated here, there is also no need to scroll. Nor is the alternative to consent located in the running text or somewhere else where it is not expected. Finally, the different color design does not make rejection more complicated either. The decline option is where users expect it.

A certain amount of attention may also be required of users. Otherwise, all requirements for informed consent would come to nothing. It is therefore reasonable to expect average users to read the various options; otherwise, even with two identically designed alternatives, users would not necessarily choose the reject option.

However, it proved problematic in both the previous and the modified design that the consent button was labeled only “OK”. What clicking the button meant was not clear from the label "OK", nor was the function clearly explained in the text of the banner.
This design could therefore not ensure beyond doubt that unambiguous consent was obtained for the processes that took place after clicking the "OK" button.

Regardless of the design of the selection options, we could not determine that the information provided in the banner and in the privacy policy ensured informed consent for all processing operations. The information provided was sometimes incomplete or contradictory regarding the processing purposes, the legal basis and third-party service providers.

For example, the fifth level of the banner listed, under “Marketing” (requiring consent), a cookie called “fbp” that is used by Facebook. According to the information in the data protection declaration (there under 4.4.6.1.), however, services provided by Facebook were based on legitimate interests. These contradictory statements cannot be clearly resolved based on the information on the website.

In the same place there was also information about a cookie called "FP Nitro", which was listed under first-party cookies but came from the domain yomonda.de. About this cookie, which was also set on our device, the only information given was that it was used for “Marketing” and would be set for 3660 days (and therefore over 10 years!). There was no further information about this in the data protection declaration. The resulting information deficits or ambiguities affect whether the consent is informed and constitute insufficient information under Articles 13 and 14 GDPR.

Finally, the possibility of revoking the consent given was designed in such a way that several intermediate steps and searches were required. We first had to call up the privacy policy and then find, in the 36-page privacy policy, the link labeled “here” in order to call up the banner again or to declare the revocation (under subsection 4.1 or 4.4 of the data protection declaration).
We only discovered that this possibility even exists because the website operator had explained it to the complainant in a letter dated June 29, 2021. Such a search process as an intermediate step makes the revocation more difficult; it is by no means as easy as granting consent using a button in the banner. The requirements of Art. 7 Para. 3 GDPR were therefore not fulfilled on the website.

III. Result

As a result, the design of the website, with regard to the use of cookies and subsequent data processing, did not comply with the legal framework applicable at the time of the submission. However, the website operator reacted immediately to our request and took measures to remedy the deficits. In exercising our discretion, we therefore refrain from taking further supervisory measures under Art. 58 Para. 2 GDPR. However, we reserve the right to take further supervisory measures if a recurrence is detected.

We therefore consider the subject matter of the above complaint to be resolved. Insofar as the review has revealed additional deficits in the design of the website, the proceedings will be continued ex officio.

Legal appeal

An action against this decision before the Berlin Administrative Court is admissible. It must be filed within one month of the announcement of this decision with the Berlin Administrative Court, Kirchstraße 7, 10557 Berlin, in writing - also as an electronic document using a qualified electronic signature (GES) - or for recording by the clerk. It should be noted that, when filed in writing, the deadline for filing the action is only met if the action has been received by the administrative court within this deadline.

XXXXXXX