IDC Names Securiti a Worldwide Leader in Data Privacy


Lower Saxony Guidelines on Cookies

Published December 7, 2022 / Updated November 22, 2023

Listen to the content

On 30th September 2022, the German state Lower Saxony data protection authority (LfD Niedersachsen) released updated consent guidelines for the use of cookies and generally for the integration of third-party service providers on websites (Guidelines).

The DPA emphasized that the data subject’s prior consent is required for the use of non-essential cookies and similar tracking technologies. Such consent must be freely given, informed, specific and unambiguous. It highlighted the following principles that must be kept in consideration while obtaining consent from website users:

The data subject’s consent must always be obtained prior to the activation of non-essential cookies and similar tracking technologies. It is often seen that websites display cookie consent banners after non-essential cookies have already been activated and dropped. Such a practice is not legally compliant as website operators must obtain user’s consent via the cookie consent banner before they technically activate any non-essential cookies and collect their personal data.

Prior to obtaining the user’s consent, the user must be provided with the following minimum information:

  • The data controller’s identity,
  • The processing purposes,
  • The data categories to be processed,
  • The data controller’s intention of automated decision-making, if applicable,
  • The data controller’s intention of cross-border data transfer, if applicable,
  • The data subject’s right to withdraw consent, and
  • The creation of user profiles and names of all third-party service providers that are involved in profiling, if applicable.

Website operators must ensure that all data processing purposes have been clearly and specifically described to the website user before they obtain their consent. This means that the use of ambiguous formulations such as the following are not sufficient in order to ensure that the users’ consent is informed:

  • Cookies are used to optimize and improve the website for you,
  • Cookies are used to improve your surfing experience, or
  • Cookies are used to carry web analysis and advertising.

Affirmative Action

Consent must be indicated via clear affirmative action - the user’s declaration or behavior with which they clearly signal their intention to the intended processing of their personal data. One example of this is the user clicking an unchecked checkbox. On the contrary, scrolling through the website does not constitute a valid form of consent.

Moreover, texts such as “Agree”, “I Agree” or “Accept” are not considered sufficient if no other information is provided along with these texts/fields that can indicate to the user what specifically the consent is given for. To ensure that the data subject’s consent is unambiguous, preselected checkboxes should not be used, and website operators should provide the users with the option of giving separate consent for the activation of each non-essential cookie category based on its purpose.

In order to ensure that the data subject’s consent is freely given, there must always remain a possibility for them to refuse and withdraw consent without facing any adverse consequences. Therefore, the use of cookie walls is not permitted. The use of cookie walls is permitted only where website users are provided equivalent alternative access to the website that does not require them to accept cookies.

In order to ensure that the data subject’s consent is freely given, there must always remain a possibility for them to refuse and withdraw consent without facing any adverse consequences. Therefore, the use of cookie walls is not permitted. The use of cookie walls is permitted only where website users are provided equivalent alternative access to the website that does not require them to accept cookies.

The data subject should be able to withdraw consent as easily, and in the same manner, as consent is granted. The cookie consent banner must consist of an equally prominent “Reject” option along with the “Accept” option.

The DPA clarifies that the data subject must be informed of the possibility of withdrawing consent on the first information layer of the cookie consent banner. The consent withdrawal process should not be made unnecessarily complicated and the users should not be required to perform additional steps to withdraw consent. In this respect, controllers should refrain from using contact forms as a means of withdrawing consent as they require additional steps and information for the revocation of consent, which is also a violation of the data minimization principle, as codified under the GDPR.

Moreover, the consent withdrawal mechanism must be easily accessible to the website user so they can withdraw consent at any time without facing any adverse consequences. For example, a website operator may insert a link to the consent layer in the header or footer of the website, or in the information notice required under Article 13 of the GDPR.

Nudging is Not Permitted

Nudging refers to techniques that are intended to influence or manipulate a user's behavior or choices. An example of nudging would include designing the “Agree” button more conspicuously on the cookie banner than the “Reject” button with the help of color or font styles. Such a mechanism is not permitted as it pushes website users to make a certain choice and compromises the element of freely given consent.

Similarly, showing the cookie consent banner again once the user has already refused cookies with the intention that, sooner or later, the user will accept cookies is also a form of nudging and should not be implemented.

The DPA recommends that no non-essential cookies should be used on websites that are aimed directly at children. However, where non-essential cookies are used for such websites, consent must be obtained from the holders of parental authority in the case of personal data belonging to children under the age of 16. The website operators should utilize suitable online identity verification procedures to verify that such consent is actually given by the parents/legal guardians of the minors.

How Can You Demonstrate Compliance with Securiti?

Securiti’s Cookie Consent Solution helps organizations comply with applicable cookie consent legal requirements with the help of the following features:

  • The implementation of an opt-in cookie consent banner and deactivation of non-essential cookies by default for the opt-in regime,
  • The ability to design legally appropriate cookie consent banners, which provide all requisite information to users for consent to be informed and specific,
  • The ability to design equally prominent accept and reject fields on the cookie consent banner,
  • Configurable consent preference centers allowing granular consent opt-ins and opt-outs and honoring immediate consent revocations, and
  • Updated and comprehensive consent records.

Ask for a DEMO to understand how Securiti can help you comply with cookie consent requirements of global privacy laws.

Maria Khan

Authored by Maria Khan

Maria Khan is a IAPP Certified Information Privacy Professional (CIPP/Europe) and a Certified Information Privacy Manager (CIPM). She earned her LL.M from the University of Michigan Law School, where she received the Michigan Grotius Fellowship, a fully-funded award. Additionally, Maria holds a B.A-LL.B (Hons.) from Pakistan.

Passionate about data privacy, AI governance, and business and human rights, Maria facilitates organizations in evaluating data privacy compliance risks and offers privacy-compliant solutions. She plays a key role in supporting regulatory intelligence within products/software and aiding organizations in meeting compliance efforts. Maria possesses a substantial understanding of global data privacy obligations, particularly in relation to AI governance, consent management, user transparency, digital marketing, cross-border data transfers, and AI risk assessments.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend