Lower Saxony Guidelines on Cookies

Published December 7, 2022
Author

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E


On 30th September 2022, the German state Lower Saxony data protection authority (LfD Niedersachsen) released updated consent guidelines for the use of cookies and generally for the integration of third-party service providers on websites (Guidelines).

The DPA emphasized that the data subject’s prior consent is required for the use of non-essential cookies and similar tracking technologies. Such consent must be freely given, informed, specific and unambiguous. It highlighted the following principles that must be kept in consideration while obtaining consent from website users:

The data subject’s consent must always be obtained prior to the activation of non-essential cookies and similar tracking technologies. It is often seen that websites display cookie consent banners after non-essential cookies have already been activated and dropped. Such a practice is not legally compliant: website operators must obtain the user’s consent via the cookie consent banner before they technically activate any non-essential cookies and collect the user’s personal data.

Prior to obtaining the user’s consent, the user must be provided with the following minimum information:

  • The data controller’s identity,
  • The processing purposes,
  • The data categories to be processed,
  • The data controller’s intention of automated decision-making, if applicable,
  • The data controller’s intention of cross-border data transfer, if applicable,
  • The data subject’s right to withdraw consent, and
  • The creation of user profiles and names of all third-party service providers that are involved in profiling, if applicable.

Website operators must ensure that all data processing purposes have been clearly and specifically described to the website user before they obtain their consent. This means that the use of ambiguous formulations such as the following is not sufficient to ensure that the user’s consent is informed:

  • Cookies are used to optimize and improve the website for you,
  • Cookies are used to improve your surfing experience, or
  • Cookies are used to carry out web analysis and advertising.

Affirmative Action

Consent must be indicated via a clear affirmative action: a declaration or behavior with which the user clearly signals their agreement to the intended processing of their personal data. One example of this is the user clicking an unchecked checkbox. By contrast, scrolling through the website does not constitute a valid form of consent.

Moreover, texts such as “Agree”, “I Agree” or “Accept” are not considered sufficient if no other information is provided along with these texts/fields that can indicate to the user what specifically the consent is given for. To ensure that the data subject’s consent is unambiguous, preselected checkboxes should not be used, and website operators should provide the users with the option of giving separate consent for the activation of each non-essential cookie category based on its purpose.

In order to ensure that the data subject’s consent is freely given, there must always remain a possibility for them to refuse and withdraw consent without facing any adverse consequences. Therefore, cookie walls are not permitted, except where website users are provided equivalent alternative access to the website that does not require them to accept cookies.

The data subject should be able to withdraw consent as easily, and in the same manner, as consent is granted. The cookie consent banner must include an equally prominent “Reject” option alongside the “Accept” option.

The DPA clarifies that the data subject must be informed of the possibility of withdrawing consent on the first information layer of the cookie consent banner. The consent withdrawal process should not be made unnecessarily complicated and the users should not be required to perform additional steps to withdraw consent. In this respect, controllers should refrain from using contact forms as a means of withdrawing consent as they require additional steps and information for the revocation of consent, which is also a violation of the data minimization principle, as codified under the GDPR.

Moreover, the consent withdrawal mechanism must be easily accessible to the website user so they can withdraw consent at any time without facing any adverse consequences. For example, a website operator may insert a link to the consent layer in the header or footer of the website, or in the information notice required under Article 13 of the GDPR.
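The requirements above (no non-essential cookies before consent, separate consent per purpose category, and withdrawal that takes effect as easily as the grant) translate into a concrete gating mechanism on the website. The following is an added example, not part of the Guidelines and not Securiti’s product code: a minimal consent-gated loader for third-party integrations, written for Node.js so it runs without a browser. The category names, integration names, cookie names and the in-memory cookie jar are all constructed for illustration; the `auditCookies` check at the end is the kind of test a site operator can run to detect a tag that fires before or without consent.

```javascript
'use strict';

// Non-essential categories that require opt-in. "essential" integrations
// (e.g. a session cookie) need no consent and are not listed here.
const CATEGORIES = ['analytics', 'marketing'];

class ConsentManager {
  constructor() {
    // Opt-in regime: every non-essential category starts switched off.
    this.state = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
    this.integrations = [];
    this.log = []; // consent record: action, categories, timestamp
  }

  // Register a third-party integration. Its activate() is NOT called here
  // unless the category is essential; it runs only once consent is granted.
  register(name, category, activate, deactivate) {
    if (category !== 'essential' && !CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    const entry = { name, category, activate, deactivate, active: false };
    this.integrations.push(entry);
    this.apply(entry);
    return entry;
  }

  // Granular opt-in: only the categories the user actively ticked are enabled.
  grant(categories, at = Date.now()) {
    this.setState(categories, true, 'grant', at);
  }

  // Withdrawal per category; deactivation takes effect immediately.
  withdraw(categories, at = Date.now()) {
    this.setState(categories, false, 'withdraw', at);
  }

  // A one-click "Reject all" mirrors a one-click "Accept all".
  rejectAll(at = Date.now()) {
    this.setState(CATEGORIES, false, 'reject-all', at);
  }

  setState(categories, value, action, at) {
    for (const c of categories) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown cookie category: ${c}`);
      this.state[c] = value;
    }
    this.log.push({ action, categories: [...categories], at });
    this.integrations.forEach((e) => this.apply(e));
  }

  // Reconcile one integration with the current consent state.
  apply(e) {
    const allowed = e.category === 'essential' || this.state[e.category];
    if (allowed && !e.active) { e.activate(); e.active = true; }
    else if (!allowed && e.active) { e.deactivate(); e.active = false; }
  }
}

// Constructed cookie-to-category table, the kind a site keeps for its own cookies.
const COOKIE_CATEGORY = { sid: 'essential', _stats_demo: 'analytics', ad_id_demo: 'marketing' };

// Operator's check: which cookies in the jar belong to a category the user has
// not consented to? Cookies missing from the table are flagged as well, since an
// unclassified cookie cannot have been consented to either.
function auditCookies(jar, cm) {
  return [...jar.keys()].filter((name) => {
    const cat = COOKIE_CATEGORY[name];
    return cat !== 'essential' && !cm.state[cat];
  });
}

function runScenario() {
  const jar = new Map(); // stand-in for document.cookie
  const cm = new ConsentManager();
  const setter = (name) => () => jar.set(name, 'value');
  const remover = (name) => () => jar.delete(name);

  cm.register('session', 'essential', setter('sid'), remover('sid'));
  cm.register('web-analytics', 'analytics', setter('_stats_demo'), remover('_stats_demo'));
  cm.register('ad-network', 'marketing', setter('ad_id_demo'), remover('ad_id_demo'));

  const snapshots = {};
  snapshots.beforeConsent = [...jar.keys()];      // only the essential 'sid'
  cm.grant(['analytics'], 1);
  snapshots.afterAnalyticsOnly = [...jar.keys()]; // 'sid' and '_stats_demo', no marketing cookie
  cm.withdraw(['analytics'], 2);
  snapshots.afterWithdraw = [...jar.keys()];      // back to 'sid' alone

  // Simulate a tag that drops its cookie regardless of consent; the audit catches it.
  jar.set('ad_id_demo', 'leaked');
  snapshots.violations = auditCookies(jar, cm);
  snapshots.log = cm.log;
  return snapshots;
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The design point is that `activate()` of a non-essential integration is never reachable before the matching category has been granted, and `withdraw()` calls the integration's `deactivate()` in the same code path that `grant()` uses, so revocation is no harder than the original consent. The consent log keeps a per-action record that can later serve as evidence of when and for which categories consent was given or withdrawn.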

Nudging is Not Permitted

Nudging refers to techniques that are intended to influence or manipulate a user's behavior or choices. An example of nudging would include designing the “Agree” button more conspicuously on the cookie banner than the “Reject” button with the help of color or font styles. Such a mechanism is not permitted as it pushes website users to make a certain choice and compromises the element of freely given consent.

Similarly, showing the cookie consent banner again once the user has already refused cookies with the intention that, sooner or later, the user will accept cookies is also a form of nudging and should not be implemented.

The DPA recommends that no non-essential cookies should be used on websites that are aimed directly at children. However, where non-essential cookies are used for such websites, consent must be obtained from the holders of parental authority in the case of personal data belonging to children under the age of 16. The website operators should utilize suitable online identity verification procedures to verify that such consent is actually given by the parents/legal guardians of the minors.

How Can You Demonstrate Compliance with Securiti?

Securiti’s Cookie Consent Solution helps organizations comply with applicable cookie consent legal requirements with the help of the following features:

  • The implementation of an opt-in cookie consent banner and deactivation of non-essential cookies by default for the opt-in regime,
  • The ability to design legally appropriate cookie consent banners, which provide all requisite information to users for consent to be informed and specific,
  • The ability to design equally prominent accept and reject fields on the cookie consent banner,
  • Configurable consent preference centers allowing granular consent opt-ins and opt-outs and honoring immediate consent revocations, and
  • Updated and comprehensive consent records.

Ask for a DEMO to understand how Securiti can help you comply with cookie consent requirements of global privacy laws.
