GDPR: Data protection authority issues warning shot

In doing so, the data protection authority shows that it also recognizes the problems on a technical level and issues a warning accordingly.

A faulty cookie banner as a fig leaf is therefore increasingly useless.

No longer taking lightly

GDPR is enforced

It does not always remain only with admonitions – recently an online shop in Lower Saxony was imposed a GDPR penalty of 65,000 €. The reason for this was a lack of updates and thus a successful hacking attack on customer data.

But even third-party cookies remain a problem,just as external tracking scripts regularly lead to a deteriorated PageSpeed.

Our recommendation: Avoid using external tracking scripts wherever possible – and where not, only if they are actively used. But with third-party tracking, it is eminently important to comply with the GDPR requirements. And the GDPR clearly states: consensus is mandatory.

Please note: Effective consent must also be logged per user in compliance with the GDPR. So if you can’t or don’t want to do without third-party tracking scripts, then use a secure GDPR solution, such as Usercentrics together with our Tracking Manager. As a Usercentrics Partner, we advise you comprehensively if necessary and implement the necessary measures for you.

Half-baked solutions are a sword of Damocles

Avoid grey areas

Various industries were affected by the warning, in particular online trading, real estate, finance, social networks, legal services, software, health, education and comparison portals. Data protection authorities are increasingly receiving not only personal complaints from affected users, but also general information with requests and concerns from citizens.

The companies concerned must now act immediately: The data protection authority Berlin is already announcing timely inspections – if the GDPR problems have not been resolved by then, an official procedure will be opened – experience has shown that a fine can then no longer be avoided.

Even elaborate cookie banners with differentiated setting options are not enough, according to the Berlin Data Protection Authority – the underlying processes and loaded tracking scripts were analyzed by the authority as well as the design of the cookie banner itself.

Often the reject button is hidden in the settings or graphically displayed more subordinate than the accept button – this is considered a deliberate influence on the user’s freedom of choice and clearly violates the GDPR. Even if many websites still use cookie banners in this way: a warning by a data protection authority is only a matter of time.

Up to 4% of the worldwide annual turnover can be ordered as a penalty – GDPR violations are no longer a trivial offense.

Tom Tailor

Example of an online shop with a faulty cookie banner. Tom Tailor hides the option to opt out of third-party tracking behind the settings link – the user is tricked into clicking “Accept All” – as a clear GDPR violation, according to many GDPR experts.


Zalando seems to be only partially interested in the GDPR: For example, the Google Tag Manager is loaded even before you have agreed to the cookies via “Geht klar”.

Zalando’s cookie list is very large overall: We count 70 cookies from 12 different companies – this is usually the result of marketing departments and decision-makers who constantly formulate new analysis requirements and do not take the GDPR into account.

Zalando must have been aware of all this for a long time and with their headquarters in Berlin, they continue to play with fire – already in April, the data protection officer René van Loock showed in an article how it is about the GDPR compliance of large websites, including Zalando. In any case, no company can rely on ignorance after more than 3 years since the GDPR came into force.

That a correct cookie banner is technically not particularly difficult to set up, proves our Tracking Manager WordPress plugin with Usercentrics support. So there is no lack of technical possibilities, but only of will.


Better save than sorry

The naivety with which obvious breach of the law is committed is simply no longer comprehensible.

Every little supposed straw is sought to play out third-party tracking around the GDPR – the warning from the data protection authorities are right and important.

We are also not talking about great witchcraft here – the GDPR is often referred to as a complicated set of paragraphs – also by many data protectors. But it usually only gets complicated when you try to bend the rules. Uniform technical solutions via browser signals are being worked on, as is Google trying its much-criticized cohort concept.

Until then, and probably permanently, the clear recommendation is: Avoid third-party services and ideally proceed according to the no-consent-required approach – then there is no need for cookie banners at all.