Cookie banners: 9 good practice tips from the German Government
Posted: April 6, 2023
The German federal government has published “good practice” guidelines on cookie banners. German data protection authorities are particularly vigilant, so this guidance is a valuable resource to help build consumer trust and comply with the law.
We’ve picked out nine essential highlights from the guidance to help you get cookie consent right.
First layer: Basic information and choice
The guidance addresses each “layer” of a cookie banner. The first layer is what people see when they first visit your website. People can access the second and third layers by interacting with the banner.
1. You don’t need cookie banners for essential cookies
You must inform people about how you use cookies. But if you only set “essential” cookies, you don’t necessarily require a cookie banner.
The guidance states that you should still tell people about essential cookies, but you can do so in a privacy notice rather than via a cookie banner if you prefer.
Note that the definition of “non-essential” cookies is very broad and can cover cookies used for marketing, analytics, and even security.
2. Provide basic cookie information on the first layer
The first layer of your cookie banner should provide some concise information about cookies, specifically:
- The types of cookies you use
- Your purposes for using cookies
- People’s choices around cookies
- The right to withdraw cookie consent
You should include more detailed information in your cookie banner’s second and third layers.
3. The first layer must provide “accept” and “reject” options
The first layer of your cookie banner should always include options to “accept” and “reject” all cookies, plus a button or menu that allows people to make more granular choices.
4. You can offer customization on the first or second layer
If you set a variety of cookies, your cookie banner’s first layer can either:
- Provide a button that takes people to the next cookie banner layer, where they can customize which cookies are allowed, or
- Provide a menu that lets people customize cookie options on the first layer.
For example, along with “accept all” and “reject all” options, you can provide a way for people to toggle analytics, marketing, or performance cookies “on” or “off”. The default setting should be “off”.
Alternatively, you can provide a “settings” or “adjust” button to take people to the next layer.
5. Your design and language must be clear and fair
The guidance states that, throughout your cookie banner, you should use language and design that is “informative, fair and consumer-friendly and not… biased or designed to manipulate or mislead consumers”.
Using “dark patterns” (manipulative design features) can annoy or alienate your visitors and could be illegal.
Second and third layers: Detailed information and customization
The second and third layers of your cookie banner can provide more information about your use of cookies and allow people to make more detailed choices about which cookies they want.
6. Use your second layer to describe your purposes
As noted, your cookie banner should provide people with granular choices about which cookies they accept, and you can include this on your first or second layer.
One way of presenting this choice is via a series of buttons to toggle cookies on or off, each labelled according to the purpose of the cookies. For example:
- Marketing cookies: These cookies help deliver personalised ads and can be set by us (first-party cookies) and other companies (third-party cookies). These cookies are used to create a profile about you based on your inferred preferences that will be shared with advertising partners.
- Analytics cookies: These cookies help us understand how visitors use our website. They can track which buttons you press, which links you follow, and what browser and device you are using. This information will be shared with our analytics provider.
You can also integrate drop-down menus to provide further choices, for example to allow people to refuse third-party marketing cookies while accepting first-party marketing cookies.
7. Use your third layer to offer choices around vendors
Your cookies likely share people’s data with a network of vendors and advertising partners. You should give people a choice about which vendors receive their personal data.
The third layer of your cookie banner should list all the possible recipients of cookie data and enable people to give or refuse consent for each of these recipients. You should also disclose the purposes for which each vendor receives personal data.
The guidance recommends providing the following information about each vendor:
- The relevant type of cookie or other tracking technology (e.g. pixels, fingerprinting methods).
- The name, address and website of the relevant vendor.
- How long the cookie and its associated data will be stored.
- Details of any transfers of data to the vendor.
- Details of any relevant international data transfers and the safeguards employed.
This is a lot of information, and it’s important not to overwhelm people. As such, some of the information can appear under the vendor’s name as a “drop-down” menu.
Information about vendors can also be displayed underneath the relevant cookie purposes on the second layer rather than as a separate list on the third layer.
After the cookie banner
The guidance also considers what should happen after a visitor interacts with—or ignores—your cookie banner.
8. Don’t request consent again for six months
The guidance emphasizes that if a visitor does not interact with your cookie banner, you should not set any cookies on their device. This includes when a visitor scrolls past or closes the cookie banner without actively clicking “accept”.
If a person gives or refuses consent, the guidance recommends that you store their preference and not request cookie consent again for at least six months.
9. Make it easy to revoke consent
Under the GDPR, people have an absolute right to revoke their consent, and revoking consent should be as easy as it was to give consent.
To enable visitors to revoke their consent, the guidance recommends having a cookie icon “always visible at the bottom of the website”, which stays in place as visitors scroll through a page and navigate the website.