GDPR Checklist

Cookie Banner Checklist

First layer

Content
Do:
Provide information in simple and clear language about:
A headline that makes it clear that the website asks for consent for cookies and data processing
The text includes information on examples/categories of processed data (e.g. IP address, device information, browsing behavior, …)
Description of the purposes (Art. 4 No. 11, 5 Para. 1 lit. b, 6 Para. 1 lit. a GDPR)
Information that data processing and cookies are also carried out by third parties (Art. 4 No. 11 GDPR)
Number of third parties
Whether data may be processed outside of the EU
Whether data from different sources are combined (Art. 7 Para. 4 GDPR, Recitals 42, 43 GDPR)
Information that consent is optional/not required to use the service (Art. 7 Para. 3, Para. 4 GDPR)
How to revoke consent and the possible consequences (Art. 7 Para. 3, Para. 4 GDPR)

Don’t:
Avoid non-specific headlines (e.g. “We use cookies”)

Purposes
Do:
Include information about why personal data is being processed and cookies are being set (Art. 4 No. 11, 5 Para. 1 lit. b, 6 Para. 1 lit. a GDPR)
The purposes need to be specific and clear

Don’t:
Don’t use pre-ticked boxes (ECJ, judgment of 1 Oct. 2019, C-673/17, “Planet49”; Recital 32 GDPR)
Avoid broad definitions and wording
Rephrase purposes such as:
“Marketing” → “Profiling & targeting of online marketing”
“Analytics / Measurement” → “Measurement for Marketing”
“Social Media” → “Embedding external content” (LfDI BaWü)

consentmanager AB, recommended by Lawyers and Data Protection Officers
Håltegelvägen 1b, 72348 Västerås, Sweden
www.consentmanager.net

Buttons
Do:
Clear choice between acceptance and refusal (Recitals 42, 43 GDPR)
Always show the accept AND reject buttons!
Clear naming of the buttons (e.g. “Accept” and “Reject”)
Both options in the same design and of equal importance
Rejecting must be as easy as accepting
Optional: Age verification for websites / apps aimed at under 16s (e.g. in DE) or under 13s (UK) (Art. 8 Para. 2 GDPR)

Don’t:
No preference for any of the buttons (no “dark patterns”)
No “Accept + Settings” or “Accept + Customize”

Other things
Do:
Allow customisation (“granular choices”) using “Settings” or “Customise”. Can be a button or a link
Add links to privacy policy, T&C, imprint and more
Do not show the consent layer on T&C, imprint and privacy policy pages (§ 5 TMG, § 305 Para. 2, § 312i, 312j BGB; Art. 12 Para. 1 GDPR, Art. 7 Para. 2, Art. 7 Para. 4 GDPR)
Browser & app signals (e.g. Do-Not-Track, ATT, GPC, ADPC, …) should be considered (e.g. do not ask for marketing consent when DNT is sent) (Art. 21 Para. 5 GDPR)


Second layer

General
Do:
All purposes should have a precise description of the processing (Art. 5 Para. 1 lit. b, 13 Para. 1 GDPR)
List of all third-party vendors as recipients of the data, including relevant sub-processors (Art. 4 No. 11 GDPR, Art. 13 Para. 1 GDPR)
List of all cookies, including the storage period and category (ECJ, judgment of 1 Oct. 2019, C-673/17, “Planet49”)
Allow granular choices for purposes and vendors (Art. 7 Para. 4, Recitals 42, 43 GDPR)
Include information about the data controller (usually your company) and, if available, the data protection officer (Art. 13 Para. 1 a+b GDPR)
Possibility of withdrawal of consent at any time (“Reject all” button) (Art. 7 Para. 3 sentence 4 GDPR)

Technical recommendations
Do:
All non-essential vendors & cookies need to be blocked until consent is given (check with a crawler)
Logging of when (date / time, if necessary IP address) and how consent was given (Art. 7 Para. 1 GDPR)
Logging of the version and of changes in design or text of the cookie banner (Art. 7 Para. 1 GDPR)

Don’t:
Consent cookies must not contain a user id
Cookies for marketing & analysis purposes cannot be set automatically without consent, as they do not fall under the category of “legitimate interest”


Vendor Information (All vendors)
List all the vendors, with the following details for each one:
Do:
Company name (Art. 4 No. 11 GDPR, Art. 13 Para. 1 GDPR; ECJ, judgment of 1 Oct. 2019, C-673/17, “Planet49”: specification of recipients required)
Address (Art. 4 No. 11 GDPR, Art. 13 Para. 1 GDPR)
Legal bases (Art. 6 Para. 1 GDPR)
Purposes (Art. 5 Para. 1 lit. b, 13 Para. 1 GDPR)
Description of the data processing (Art. 13 Para. 1 GDPR)
Categories of the processed data (Art. 15 Para. 1 b GDPR)
List of cookies and similar technologies, including duration of storage (ECJ, judgment of 1 Oct. 2019, C-673/17, “Planet49”)

Vendor Information (Non-EU vendors)
Do:
Add a note if the vendors are located or process the data outside of the EU
The transfer or processing of data outside of the EU may be subject to (additional) consent
Use our cookie crawler recommendations

Important:
Using a data center/server owned by a US vendor may not be GDPR-compliant and/or may require your consent, even if the servers are located in the EU

Important:
Only 100% correct is compliant.
A “95% correct cookie banner” is still not compliant!
