December 6, 2021 | 22:38
Reading-Time: ca. 2 Min

Please notice: This article is more than 3 years old
Content, Source code or links may no longer be correct in the meantime.

Told-you-so moment with Cookiebot

Today, the VG Wiesbaden announced to have prohibited the use of Cookiebot in summary proceedings of the Rhine-Main University of Applied Sciences (Az.: 6L 738/21.WI).1

The Danish provider behind Cookiebot is well-known in the industry and advertises with the windy promise of obtaining DSGVO-compliant cookie consent from website visitors. Complete humbug, as the court pointed out:

Cookiebot processes the complete IP address of the end user on the servers of a company whose headquarters are located in the USA. This creates a third-country connection, namely to the USA, which is inadmissible in view of the so-called Schrems II decision of the European Court of Justice. The users of the website (…) would not be asked for their consent for data transfer to the USA. There was also no information about the possible risks associated with the transfer due to the so-called Cloud Act.

Two years ago, there was an exchange of e-mails with an external data protection officer about this particular provider, who unfortunately operated data protection on a purely deskbound basis and was, to put it mildly, somewhat unfamiliar with fundamental technical principles. In his opinion, Cookiebot was harmless, contrary to my objections and technical facts.

The result: incorrect advice and an invitation for competitors, employees or website visitors who might object to it. The affected customer is now well advised to adapt his finished website and to invest money and time again in what could have been finally solved two years ago.

There is no reason for simple websites without an online shop, forum or customer area to set cookies and transmit personal data. The court in Wiesbaden writes unequivocally:

Such data transmission is also not necessary for the operation of the website (…)

Anyone using third-party providers, who promises data protection with additional cookies and data processing has not understood the meaning of data minimisation and privacy by design and default.

Thank you for today’s Told-you-so moment about the external data protection officer, who oviously cannot be named here. Well, hopefully he’s reading this.

With this in mind,
Tomas Jakobs

© 2024 Tomas Jakobs - Imprint and Legal Notice

Support this blog - Donate a Coffee