Products
By Use Cases By Roles
Data Command Center
View
Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Lower Saxony Guidelines on Cookies

Published December 7, 2022 / Updated November 22, 2023

On 30th September 2022, the German state Lower Saxony data protection authority (LfD Niedersachsen) released updated consent guidelines for the use of cookies and generally for the integration of third-party service providers on websites (Guidelines).

The DPA emphasized that the data subject’s prior consent is required for the use of non-essential cookies and similar tracking technologies. Such consent must be freely given, informed, specific and unambiguous. It highlighted the following principles that must be kept in consideration while obtaining consent from website users:

The data subject’s consent must always be obtained prior to the activation of non-essential cookies and similar tracking technologies. It is often seen that websites display cookie consent banners after non-essential cookies have already been activated and dropped. Such a practice is not legally compliant as website operators must obtain user’s consent via the cookie consent banner before they technically activate any non-essential cookies and collect their personal data.

Prior to obtaining the user’s consent, the user must be provided with the following minimum information:

The data controller’s identity,
The processing purposes,
The data categories to be processed,
The data controller’s intention of automated decision-making, if applicable,
The data controller’s intention of cross-border data transfer, if applicable,
The data subject’s right to withdraw consent, and
The creation of user profiles and names of all third-party service providers that are involved in profiling, if applicable.

Website operators must ensure that all data processing purposes have been clearly and specifically described to the website user before they obtain their consent. This means that the use of ambiguous formulations such as the following are not sufficient in order to ensure that the users’ consent is informed:

Cookies are used to optimize and improve the website for you,
Cookies are used to improve your surfing experience, or
Cookies are used to carry web analysis and advertising.

Affirmative Action

Consent must be indicated via clear affirmative action - the user’s declaration or behavior with which they clearly signal their intention to the intended processing of their personal data. One example of this is the user clicking an unchecked checkbox. On the contrary, scrolling through the website does not constitute a valid form of consent.

Moreover, texts such as “Agree”, “I Agree” or “Accept” are not considered sufficient if no other information is provided along with these texts/fields that can indicate to the user what specifically the consent is given for. To ensure that the data subject’s consent is unambiguous, preselected checkboxes should not be used, and website operators should provide the users with the option of giving separate consent for the activation of each non-essential cookie category based on its purpose.

In order to ensure that the data subject’s consent is freely given, there must always remain a possibility for them to refuse and withdraw consent without facing any adverse consequences. Therefore, the use of cookie walls is not permitted. The use of cookie walls is permitted only where website users are provided equivalent alternative access to the website that does not require them to accept cookies.

The data subject should be able to withdraw consent as easily, and in the same manner, as consent is granted. The cookie consent banner must consist of an equally prominent “Reject” option along with the “Accept” option.

The DPA clarifies that the data subject must be informed of the possibility of withdrawing consent on the first information layer of the cookie consent banner. The consent withdrawal process should not be made unnecessarily complicated and the users should not be required to perform additional steps to withdraw consent. In this respect, controllers should refrain from using contact forms as a means of withdrawing consent as they require additional steps and information for the revocation of consent, which is also a violation of the data minimization principle, as codified under the GDPR.

Moreover, the consent withdrawal mechanism must be easily accessible to the website user so they can withdraw consent at any time without facing any adverse consequences. For example, a website operator may insert a link to the consent layer in the header or footer of the website, or in the information notice required under Article 13 of the GDPR.

Nudging is Not Permitted

Nudging refers to techniques that are intended to influence or manipulate a user's behavior or choices. An example of nudging would include designing the “Agree” button more conspicuously on the cookie banner than the “Reject” button with the help of color or font styles. Such a mechanism is not permitted as it pushes website users to make a certain choice and compromises the element of freely given consent.

Similarly, showing the cookie consent banner again once the user has already refused cookies with the intention that, sooner or later, the user will accept cookies is also a form of nudging and should not be implemented.

The DPA recommends that no non-essential cookies should be used on websites that are aimed directly at children. However, where non-essential cookies are used for such websites, consent must be obtained from the holders of parental authority in the case of personal data belonging to children under the age of 16. The website operators should utilize suitable online identity verification procedures to verify that such consent is actually given by the parents/legal guardians of the minors.

How Can You Demonstrate Compliance with Securiti?

Securiti’s Cookie Consent Solution helps organizations comply with applicable cookie consent legal requirements with the help of the following features:

The implementation of an opt-in cookie consent banner and deactivation of non-essential cookies by default for the opt-in regime,
The ability to design legally appropriate cookie consent banners, which provide all requisite information to users for consent to be informed and specific,
The ability to design equally prominent accept and reject fields on the cookie consent banner,
Configurable consent preference centers allowing granular consent opt-ins and opt-outs and honoring immediate consent revocations, and
Updated and comprehensive consent records.

Ask for a DEMO to understand how Securiti can help you comply with cookie consent requirements of global privacy laws.

Authored by Maria Khan

Maria Khan is a IAPP Certified Information Privacy Professional (CIPP/Europe) and a Certified Information Privacy Manager (CIPM). She earned her LL.M from the University of Michigan Law School, where she received the Michigan Grotius Fellowship, a fully-funded award. Additionally, Maria holds a B.A-LL.B (Hons.) from Pakistan.

Passionate about data privacy, AI governance, and business and human rights, Maria facilitates organizations in evaluating data privacy compliance risks and offers privacy-compliant solutions. She plays a key role in supporting regulatory intelligence within products/software and aiding organizations in meeting compliance efforts. Maria possesses a substantial understanding of global data privacy obligations, particularly in relation to AI governance, consent management, user transparency, digital marketing, cross-border data transfers, and AI risk assessments.

Lower Saxony Guidelines on Cookies

Affirmative Action

Nudging is Not Permitted

How Can You Demonstrate Compliance with Securiti?

Authored by Maria Khan

More Stories that May Interest You

Newsletter

Company

Resources

Terms

Get in touch

Lower Saxony Guidelines on Cookies

Prior Consent

Informed Consent

Affirmative Action

Cookie Walls are Not Permitted

Easy Consent Withdrawal

Nudging is Not Permitted

Consent for Data Processing of Minors

How Can You Demonstrate Compliance with Securiti?

Authored by Maria Khan

Join Our Newsletter

Share

More Stories that May Interest You

Cookie Banner: What is it & why you need one?

FTC Cracks Down on Unauthorized Disclosure of Health Information for Advertising: A Roundup of Recent Enforcement Actions

Consent Requirements in the Czech Republic for the Use of Cookies and Similar Technologies

Newsletter

Company

Resources

Terms

Get in touch