Cookie banner and consent

Most important points

• Cookie banners are the familiar information and consent windows on websites that ask users to consent to the setting of certain cookies (and similar trackers). They are required by law (in particular the EU Directive and the German TTDSG) as soon as cookies that are not technically necessary are used, for example for tracking, advertising and analytics.

• Consent requirement: Since court rulings and the TTDSG (Telecommunications and Telemedia Data Protection Act), it is clear that cookies that are not absolutely necessary for the operation of the site may only be set if the user has actively consented (opt-in). Simply continuing to surf does not count as consent, and ticked boxes are not permitted.

• Design: Cookie banners must clearly explain what you are consenting to (e.g. “We use cookies for personalized ads and web analytics.”). There must be a real choice: Rejecting must be just as easy as accepting (otherwise there is a risk that consent is ineffective as it is not voluntary).

• Many sites offer multi-level settings (“cookie settings”) where users can select individual categories (statistics, marketing, etc.). Legally, consent should be informed and granular – users should be able to refuse certain purposes while consenting to others.

• Technically necessary cookies (e.g. shopping cart cookie, login session) may also be set without a banner, as consent is not required here. In the cookie banner, these are often separated out as “essential cookies”, which are always active.

• Documentation: The consent given must be recorded (who consented to what and when) in order to be able to prove it in case of doubt. Many consent management tools do this automatically. There must also be a revocation option – users should be able to change or withdraw their consent later (e.g. via a “cookie settings” link in the footer).

• The topic is important for start-ups because violations can result in warnings from data protection authorities. Annoying or opaque banners can also impair the user experience. It is therefore important to find a legally clean and user-friendly consent mechanism.

Legal basis: ePrivacy and GDPR

The obligation to use cookie banners stems primarily from the EU ePrivacy Directive (also known as the “Cookie Directive”) and its implementation in national law. Germany enacted the TTDSG in 2021, which regulates in Section 25 TTDSG: The storage of information in the user’s terminal device (which includes cookies) is only permitted if either

a) it is technically necessary for the provision of the service, or
b) the user has consented.

The GDPR often applies at the same time: Many cookies collect personal data (IP addresses, user profiles). The GDPR requires either consent or another legal basis for such processing. For tracking etc., however, the supervisory authorities do not accept any legal basis other than consent (legitimate interest is usually rejected in this context).

Ergo: If you want to use Google Analytics, Facebook Pixel & Co, you need the prior consent of your visitors.

Which cookies require consent?

Example of “technically necessary”: Session cookies that maintain login status; language settings; shopping cart cookie in the store; cookies for security (e.g. CSRF token). These are required for the website to function and for the user to perform the requested action. You can work without banners here, but you should provide information about this in the privacy policy.

Example subject to consent:

• Analysis cookies (Google Analytics, Matomo (with cookies), etc.) because they track behavior.

• Advertising cookies (Google Ads, Facebook Pixel, affiliate tracking).

• Personalization cookies (to tailor content/recommendations to the user).

• Cookies from external media (e.g. YouTube video embeds often set cookies for tracking).

Scripts that do not set classic cookies but do similar things (local storage use, fingerprinting) also fall under “storing information in the end device” -> also requires consent.

The banner must therefore at least cover these non-essential items.

Design of the cookie banner

There are various designs, but the following points are central to legal certainty:

• Clear language: The user should understand what they are saying “yes” to. So not just “We use cookies, do you accept?” – Better: “We use cookies and similar technologies to optimize our website, show personalized content and ads and analyze traffic. We need your consent for this.”

• Selection options: At least “Accept” and “Reject” should be available. It is bad if only “Accept” is bold and visible and “Reject” is hidden in the body text. The data protection authorities criticize so-called “nudging” designs that practically urge users to accept. Ideally, both buttons should be of equal value.

• Details accessible: There should be a link or button “Settings” or “Show details” that lists the individual cookies/categories and, if applicable, names the provider and purpose.

• No pre-check: Checkboxes for categories must not be ticked in advance, except for essential categories that run without consent anyway. For the others, the user must actively check the boxes themselves if they wish.

• Do not redirect without action: In the past, some sites had “If you continue surfing, you agree”. This is not enough. The banner must require a conscious action. Some also block all scripts and content until a choice is made. This is legally safe, but user-unfriendly. Many make a compromise: default load nothing except essentials, banner below or modal dialog – if user ignores and simply scrolls, tracking remains blocked (or sometimes room for interpretation is used: scrolling as consent – but the ECJ has actually denied this). It is better to really wait for a click.

• Revocation: According to the GDPR, consent must be as easy to withdraw as it is to give. Practical: somewhere permanently accessible “Change cookie settings” – often in the footer – so that users can later reject cookies that they may have initially accepted.

• Logging: The consent tool should save who clicked what and when. In the event of an audit, you can show that you can prove that user X has consented. The data should be stored in compliance with data protection regulations (ideally anonymized or only indicators).

Consent management platforms (CMP)

Many websites use ready-made CMPs (OneTrust, Usercentrics, Borlabs Cookie, etc.) that map these requirements and regularly install updates when there are legal changes.

It is usually worthwhile for a start-up to rely on such a tool because reinventing the wheel is laborious. However, it sometimes costs fees (some versions are also free).

Important: All scripts that set cookies must be blocked initially. CMPs only load these scripts once “Accept” has been clicked. This requires technical integration (e.g. Google Analytics code is injected via the CMP or provided with a query).

Effects on users and conversion

Cookie banners have the side effect that many users simply click “decline” if it is readily available, or only allow the bare minimum. For marketing, for example, this means that many do not have permission to be tracked – analytics data is incomplete, remarketing reach decreases. This has challenged online marketing in recent years.

Some companies try to make the banner as discreet as possible and in CI in order to get more opt-ins. But legally you can’t hide it.

There is also the “cookie-less tracking” approach using purely server-side logging etc. – but this also involves legal gray areas.

No consent requirement for purely technical cookies

Some sites simply ask “Cookies okay?” across the board. This would not actually be necessary if you do not have any tracking cookies. For a very simple website that only has session cookies, you don’t need a banner. It can even be confusing.

Therefore: Before implementing, check whether you really use cookies/trackers that require it. Perhaps you can manage without Google Analytics (e.g. with a data protection-friendly service that works without cookies – there are tools that only track aggregated and anonymously, which can then be GDPR-compliant without consent if there is no personal reference).

Penalties and warnings

In recent years, data protection authorities have increasingly inspected websites. There have been cases where websites in the EU have had to pay hefty fines because they used Google Analytics without consent, for example (France and Austria had notices, albeit also partly due to data transfer to the USA).

Warnings from competitors or associations are also possible, as it can be argued that a breach of cookie consent is a breach of competition law (because of unfair data practices). However, this has not yet been decided by the highest court, but there are initial tendencies that it is possible to issue a warning.

For start-ups, this means that proper cookie consent is not just “nice to have”, but essential in order to avoid any legal risks. What’s more, the public now honestly expects this mechanism (even if it is annoying).

Conclusion

The cookie banner has become an integral part of web usage – even if it is sometimes annoying, it fulfills an important purpose: transparency and control for the user over tracking and data collection. For operators, on the other hand, it is a legal obligation. It is important not to circumvent this or implement it half-heartedly: Consent must be truly voluntary and informed. A well-configured cookie banner manages the balancing act of fulfilling the legal requirements and giving the user a clear choice without pushing them in one direction with dark patterns. A clean solution saves you from possible sanctions and at the same time shows that you care about your visitors’ data protection.