Consent banners and Google Tag Manager: what the latest ruling means for website operators
Background: legal requirements for consent banners
The topic of consent management via consent banners is essential for website operators – both due to the GDPR and the current Telecommunications and Digital Services Data Protection Act (TDDDG, formerly TTDSG). A recent ruling by the Administrative Court of Hanover has once again brought the requirements for the design of such banners into focus. The ruling makes it clear that anyone who wants to ask users for their consent to cookies and third-party providers in a manner that is truly compliant with the law must observe a number of key principles.
The case concerned how a large publishing house designed its consent request and whether the mechanisms used actually complied with the legal requirements. Among other things, the lack of an option to reject all cookies at the first level of the banner was particularly criticised. So-called nudging methods, i.e. the deliberate influencing of user decisions through eye-catching colours and layouts, were also criticised.
What does the current case law require?
The requirements for information and voluntary consent are high. Based on the European General Data Protection Regulation (GDPR) and supplementary case law – for example, by the European Court of Justice – the information in consent banners must be transparent, understandable and comprehensive so that users can understand the consequences of their consent. This includes clear information about the duration of the cookies and the recipients of the data.
In addition, rejecting cookies must be just as easy as accepting them. According to the judges, complicated menus, multi-step click paths or misleading colour schemes can invalidate a consent procedure. Even the function and placement of buttons such as ‘Accept & close’ or a cross symbol to close the banner have been critically evaluated if they confuse or burden users.
Data protection when using Google Tag Manager: An overview of the legal situation
Why Google Tag Manager may require consent
Google Tag Manager (GTM) is used to control and reload scripts and tools on a website – and is now regularly the focus of data protection authorities and courts.
The Administrative Court of Hanover ruled that GTM stores data on the end device or at least accesses it. Since user data such as IP addresses or device information is sometimes automatically transferred to Google servers – often outside the EU – prior explicit consent from users is required.
The technical ‘neutrality’ of GTM, which is often emphasised by some providers or users, does not convince the courts: the decisive factor is that personal data can be transferred simply by loading the Tag Manager itself, even before the actual marketing or tracking scripts are executed.
No exception: the obligation to obtain consent cannot usually be circumvented
It is often argued that Google Tag Manager itself does not set cookies, but merely manages other services. The judges disagree: precisely because scripts and data are processed when GTM is called up, the same consent requirement applies as for other third-party tools.
An exception, as permitted by the TDDDG for services that are essential for the actual telemedia service, does not generally apply in the case of GTM. Its functions primarily serve the interests of the website operator – for example, for analysis and advertising – but not the expectations and wishes of the website visitors.
Website operators should therefore carefully consider whether the use of GTM in its current form is necessary and what alternatives can be used to implement individual tracking or marketing solutions without additional risk. The ruling makes it clear that convenience for the operator cannot be a reason for neglecting data protection standards.
Consequences and practical tips for operators of modern websites
What you should now bear in mind with consent banners
Following the ruling, it is clear that a consent banner on your website must not only provide information, but also make this information easy to find and understand. The option to reject all cookies should be available on the first level of the banner – ideally as an equivalent button next to the consent option. Different colours, shapes or placements that steer users towards consent should be avoided at all costs.
Also, make sure that your users are not burdened by repeated banner displays or cumbersome rejection procedures. Consent must be documented and remain easily revocable by the user at any time.
Google Tag Manager: Alternatives and risk-minimising measures
Anyone who wishes to continue working with Google Tag Manager must be aware of their legal responsibilities. Check whether GTM is really necessary for your business operations – or whether individual script solutions, open source tools or tag management systems developed in-house represent a data protection-compliant alternative.
If the use of GTM is essential, it must be ensured that no user data is processed or transferred to third parties before active consent has been given. However, this is often difficult to guarantee completely from a technical standpoint, which increases the risk of data protection violations. Open and transparent user information therefore remains mandatory here as well.
Conclusion: Current case law strengthens data protection – check your risks now
Ongoing attention to data protection regulations required
The ruling from Hanover once again makes it clear that data protection is not a one-off act, but an ongoing process. New legal requirements, changing technical possibilities and advanced tools such as Google Tag Manager require website operators to be attentive and willing to adapt.
If you are unsure, it is advisable to regularly review existing consent mechanisms and tools used in terms of data protection law and, if necessary, adapt them to the current requirements of case law. This will effectively avoid unnecessary risks and expensive fines.
Professional support makes all the difference
When implementing consent banners and integrating tools such as Google Tag Manager, many companies find themselves caught between marketing, technology and legal considerations. Data protection requirements are becoming increasingly complex, while fines for non-compliance can be very high. Competent advice not only saves time and effort, but also provides the necessary security in day-to-day operations.
Are you unsure whether your consent banner meets the latest requirements, or do you need support with integrating tracking and analysis tools in a data protection-compliant manner? Then get in touch with us – we will help you make your website secure and GDPR-compliant!