Administrative court: Cookie banner must contain "Reject all" button

Lower Saxony's data protection officer Denis Lehmkemper can report a legal victory in his long-standing battle against manipulatively designed cookie banners. The Hanover Administrative Court has confirmed his legal opinion in a judgment of March 19 that has only just been made public: Accordingly, website operators must offer a clearly visible "reject all" button on the first level of the corresponding banner for cookie consent requests if there is also the frequently found "accept all" option. Accordingly, cookie banners must not be specifically designed to encourage users to click on consent and must not prevent them from rejecting the controversial browser files.

Otherwise, the cleverly obtained consent would be ineffective, explains the Lower Saxony supervisory authority with reference to the reasons for the ruling. This would constitute a violation of the Telecommunications Digital Services Data Protection Act (TDDDG) and the General Data Protection Regulation (GDPR).

In the case, the Neue Osnabrücker Zeitung (NOZ) had taken legal action against an order issued by Lehmkemper (case reference: 10 A 5385/22). The inspector demanded a redesign of the Lower Saxony media company's cookie banner, as it did not obtain effective, in particular informed and voluntary consent before setting the browser files and subsequently processing personal information. NOZ, on the other hand, took the view that consent was effectively obtained. It did not process personal data. Moreover, the data protection authority was not responsible for monitoring compliance with the legal provisions on setting cookies.

Many legal violations with the NOZ banner

The 10th Chamber of the Administrative Court has now ruled that rejecting cookies on the controversial banner was much more complicated than accepting them. Users were constantly forced to give their consent by new requests. The headline "optimal user experience" and the caption "accept and close" were misleading, the judges stated. The term "consent" was completely missing.

The number of partners and third-party services involved was also not clear, the chamber criticized. References to the right to withdraw consent and data processing in third countries were only visible after scrolling. Overall, users had not given informed, voluntary and unambiguous consent within the meaning of the GDPR.

Data protection officer hopes for a signal effect

Lehmkemper believes the ruling strengthens users' rights. "The vast majority of people are probably annoyed by cookie banners," says the data protection expert. However, these fulfill an important function for maintaining privacy on the internet. This is precisely why the supervisory authorities are "campaigning for a real choice in the design of banners". He hopes that "the ruling sends a signal to as many providers as possible and thus helps to implement consent solutions that comply with data protection regulations".

The Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) stated in a guidance document at the end of 2021: If the user is only offered an "Accept all" button and additional options such as "Settings" or "Further information" for cookie banners, this is not legally compliant. This is because the "communication effect" of the two approaches is not equivalent. Furthermore, the use of a consent management platform (CMP) alone does not automatically obtain consent within the meaning of the law. The Bavarian State Office for Data Protection Supervision recently carried out a random, automated review of website operators and found many solutions that were not legally compliant.

(wpl)