How can you recognize a good cookie consent tool?
The market for cookie consent tools has become very large. Internationally, providers are sprouting from the ground and promise to solve the cookie problem. How can you tell which tool is suitable for your own website or that of your customers and which is not? How can you recognize a good cookie consent tool?
What does a cookie consent tool have to do? To help you decide, we have compiled the most important points for you. Make the user comparison: For orientation, you will find an Excel table at the end of the page. Check off the most important points if you are still looking for your favorite tool.
1. Store data in compliance with DSGVO
The first and most precarious point: the data that the cookie consent tool provider gets to see basically concerns the browsing history of the entire site. Since the script has to be forcibly included, the providers may get an extremely deep insight into your website performance. The provider of your future cookie consent tool should therefore only store the data on servers that are
- are located within the scope of the GDPR, preferably Germany
- not be hosted by one of the big cloud providers offered by companies from the U.S
The background is as follows:
Since the ECJ ruling of 16.07.2020, it is clear that the so-called Privacy Shield is ineffective. The transfer of personal data to the USA is no longer legally compliant under this shield. This simply means that "most US service providers may not be used with it"(https://www.tigges.legal/jus-letter-datenschutz-eu-us-privacy-shield-unwirksam.html)
In addition, the so-called Cloud Act(https://www.heise.de/select/ix/2018/7/1530927567503187) enables the US authorities to access stored data even if the storage does not take place in the USA at all. In other words, even if the servers of the American cloud providers are located in Germany, there is still the potential for the US authorities to gain access.
Taken together, it currently appears impossible to store personal data such as consent data directly on servers of US providers.
2. Documentation obligation must be fulfilled.
The GDPR imposes a documentation obligation for the storage of the consent(s) given. As a website operator, you must be able to prove at any time that visitor X has given consent Y. Ideally, this is done in a searchable file. Ideally, this is recorded in a searchable log file - so that the operator can verify the consent at any time.
Article 5 (2) of the GDPR defines "accountability". Controllers must be able to demonstrate compliance with certain data protection principles for which they are responsible. Art. 24 (1 ) GDPR specifies that data controllers are obliged to provide evidence that data processing is carried out in compliance with the GDPR.
Unfortunately, this means that many simple cookie banner scripts fall by the wayside: A corresponding log file that is appropriately anonymized and can only be de-anonymized at the moment of the request with the help of the requestor is usually not available.
3. Simply change or revoke
The cookie consent tool must offer visitors the option to change or revoke their current consent. And just as easily as they gave their consent. Optimally, a button is already provided for this in your Cookie Manager, which you can simply have displayed. This should then open the Consent screen again at the push of a button.
This is another point where many simple cookie scripts fail: They do not offer visitors the possibility to change or delete the given consent afterwards. This only works if the data is correctly stored in the visitor's browser and on the server (see point 2). Therefore, when making your decision, pay attention to whether the tool in your comparison list fulfills this function.
4. Sufficient description and detailed info
The GDPR stipulates that your visitors must be able to make an informed decision. This means that you, as a website operator, are obliged to provide as exhaustive information as possible about every cookie, script and other data integration used.
For this purpose, here is a comparison between an appropriately informative mask and one that says nothing at all about the use of the data. It should be obvious which of the masks can be used as a basis for an informed decision and which cannot. On the left the simple mask, on the right the detailed one.
5. Tag Manager functionality not only blocking
There are still many cookie tools, especially older ones, that do not block or disable the scripts used on your site at all - these are eliminated because they are completely unsuitable for applicable law. You can detect this if you run your site through an online scanner. If any abnormalities are still reported, your Cookie Consent Tool is not working correctly.
A particularly important feature, which many other providers do not provide, is the use as a tag manager. This means, for example, you do not enter your tracking or other scripts in the page, but directly via the Cookie Consent Tool. This is because, as a matter of principle, pages must be designed to be data-saving. This means that as long as there is no effectively granted consent, no cookie or tracking script may be set.
If, for example, the consent screen is not displayed or cannot be displayed and the tracking or other scripts start without consent, exactly what the law wants to prevent happens. For this reason, the scripts should not be blocked, but should only be included when a Consent has been granted for them.
Unfortunately, this can often only be achieved with great effort or not at all, especially in the case of modular systems. Therefore, many use the blocking principle as a stopgap solution. As long as you have full control over it, you should use the tag manager principle - whereby the Google Tag Manager is not meant here.
6. Support
If problems occur - and with more complex sites this can happen from time to time, especially in connection with individual scripts and solutions - you need a support that helps you, speaks your language and where you can actually call. Therefore, check in advance whether a corresponding support is available.
And check if you can deactivate the Consent mask at the push of a button in case of problems when no support is available!
7. Download version - on-premise option
If you run your website yourself and do not rely on a modular system, then you usually also have the option of installing additional software products on your hosting account or server.
If that is given, you should also use this option and run the cookie consent tool of your choice locally! This way, all your data will remain on your server and you will keep full control over it.
Check which Cookie Consent Tool gives you the option to install it on your own server as well. Minor spoiler: There are very few!
8. Price
The last and of course not insignificant factor of your decision for a cookie consent tool is the price. Free is of course always the best at this point - but free is usually not free after all. You have to calculate time for it, for example: For the integration, the setup, the test of your site and all functionalities.
This can take hours, if you have to adapt program scripts, fiddle with templates, maybe you have to call in the agency again, which results in further costs etc.
Ideally, you only have to enter a line of Javascript via the interface of your CMS/shop system, save it and then it is already integrated. The configuration should ideally also take place via an interface, so you can save time and costs and get the setup behind you quickly.
When buying, make sure that such a solution is possible.
Interested?
Talk to us - here you can use our contact form. Or call us at 0228 629 17 642. We look forward to your inquiry!