Thomas Fuchs, Hamburg’s Commissioner for Data Protection and Freedom of Information (HmbBfDI), informed Google’s German subsidiary that the consent banners on its search pages and on YouTube are not currently compliant with European data protection requirements. This came in a statement on April 5th (in German), though pressure on Google has been growing to revise its cookie banners and ultimately its ad business model.
A large number of affected users have complained to the HmbBfDI about Google’s cookie banners, Fuchs reports. For example, Google’s user interface enables users to consent to processing of all personal data collected via all of the tech giant’s sites and services by clicking on the “I agree” button. However, anyone who does not want to consent to this only has the option of painstakingly refusing the settings for each data or service use individually via a separate “Customize” page.
“That’s why it’s of great importance that everyone who surfs the Internet must also have the option of being able to reject the use of their data, especially for advertising purposes, right at the first level.” Fuchs announced that he would now also approach Facebook (in German), and that he had also sent the request to “media houses” as part of other ongoing complaints procedures. The German headquarters for both Google and Facebook are also located in Hamburg.
HmbBfDI considers the process to reject Google’s processing of personal data to be considerably more time-consuming than, and not equivalent to, the process to consent to it. Thus, the rejection procedure does not comply with Germany’s Telecommunications Telemedia Data Protection Act (TTDPA/TTDSG) or the European Union’s General Data Protection Regulation (GDPR).
“Consent must be in accordance with the beneficiaries’ actual intent,” Fuchs clarified. “They must be able to exercise it without manipulation or influence. This is only the case if both consent and rejection are equally possible.” A “reject all” button must also become standard for cookie banners.
Fuchs has not yet threatened sanctions, as he pointed out that Google had already expressed its willingness to provide “an equivalent rejection alternative in a timely manner”in its initial response. In practice this would mean a “reject all” option (like a button) comparable in appearance and accessibility to its “accept all” or “I agree” option.
“Google has told us that they now want to establish this button bit by bit in the European Union, Switzerland and the United Kingdom,” Fuchs noted in his presentation of HmbBfDI’s activity report for 2021. He commented that Google probably wants to start in France, where a € 210 million fine was already levied against Google and Facebook in late 2021 for failing to provide a simple opt-out option for cookies. But after that, Fuch said, Germany will follow relatively soon.
Beyond HmbBfDI, according to Fuchs European data protection experts agree that users can only provide valid consent if both the consent and reject options are equally quickly and easily accessible. The data protection conference of Germany’s federal and state governments has also issued guidance on this issue.
Noncompliant cookie consent options on websites remain widespread, despite the GDPR having been in effect since 2018. But large fines for violations are also becoming increasingly common. It can be reasonably expected for Google’s privacy strategy and compliance updates to continue to change quickly in Europe and beyond.
If you have questions about compliant cookie banner implementation or your business’ obligations with the TTDSG or GDPR, we can help. Get in touch with one of our experts today!