Over and over we hear, in Germany but also in other countries, about the growing importance of data protection on websites. Most of the time, however, all we notice of it is the annoying cookie banner that is forced on us when visiting a site. But what exactly is the problem with data protection on websites?
A few years ago we built websites without giving much thought to what actually happens to data on the Internet:
- Who is allowed to save data from our website?
- Who may store information about our users?
- Who or what should actually be protected when it comes to data protection?
- Which data do we or third parties have access to?
- What is always allowed without user consent?
Every website operator should have answers to these questions.
Many of Those Involved Are Not IT Professionals
When building websites in Germany and the EU, you need not only a web developer but also someone who is familiar with data protection. Many companies therefore have a data protection officer who is supposed to be able to answer data protection questions. As a rule, every GmbH has such a data protection officer, and it is not a very popular job: as a data protection officer, you not only have to know your company's own data processing (and thus have IT knowledge), but also be able to verify whether what developers and vendors say about that processing is actually true.
So when developing a website, there is a great deal of ignorance about what is actually allowed today. One thing, however, is certain: the visitor's IP address is personal data, and it may not be transferred to a server outside the EU without the visitor's consent. Nonetheless, a website is quickly clicked together thanks to content management systems like WordPress. Developers and marketers often have neither the knowledge nor the interest when it comes to data protection. Conversely, data protection officers lack practical IT knowledge and cannot analyze, let alone evaluate, the integrations that have been implemented. Unfortunately, this is a big problem and a ticking time bomb with regard to GDPR violations and warning letters. The cases surrounding costly mass warning letters (Abmahnungen) show this clearly enough.
Data Protection in Germany and the EU
Most of the smaller companies I've been to have outwardly ticked off the issue of data protection ("Yes, we have someone for data protection"), but when it came to their websites, there were often issues related to the General Data Protection Regulation (GDPR) or other legal requirements. It is said that data is processed in a compliant manner, but in practice it turned out to be very different. The most common privacy problem on websites is the so-called hotlinking of resources from third-party servers: the visitor's browser fetches a font, script, map or video directly from the third party's web address, and in doing so transmits the visitor's IP address (and usually the address of the page being viewed) to that server, without the prior consent of the person concerned. Obtaining that consent first is currently necessary in Germany and the EU in order not to receive a warning letter. Hotlinking from Google (Google Fonts, Google Analytics, Google Ads, Google Maps, YouTube, etc.), LinkedIn, OpenStreetMap, HubSpot, MailChimp and others usually causes data protection problems when integrated this way.
Some companies try to solve the problem with cookie banners, in which the user consents to the use of the aforementioned online services. But here, too, the challenges lurk in the details: an improper technical implementation risks data protection violations and warning letters just the same. For example, I've seen the use of a cookie banner that was itself loaded from a hotlinked US-based server and was a problem in its own right.
So What Can You Do?
If a legally flawless consent banner is actually used to obtain the user's consent, the question remains what happens if the user does NOT consent to the use of hotlinked content. Quite simply: the relevant services must not be loaded, and that means the page must not even initiate a request to them, since a script tag, iframe or font reference that is present in the HTML is fetched by the browser before the visitor has decided anything. In the worst case, this means no tracking pixels, no newsletter signup forms, no YouTube videos and no other hotlinked content. Of course, this situation is usually a practical no-go for the company.
Therefore, when building websites, I always use services that are NOT located outside the EU and/or that run on my own infrastructure, so that no consent is required at all. If data relevant to the GDPR is to be transferred to locations outside the EU, a data processing agreement (DPA, in German AVV) is concluded with the service provider, and the user's individual consent is requested before the data is sent.
It is of course best if you completely avoid third-party providers and “third-party cookies”.
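The hotlinking problem described above can be audited mechanically before a site is handed to the data protection officer. The following Node.js script is an added example, not code from the article or its author: it scans a page's HTML for every resource the browser would fetch from a host that is not on an allowlist of the operator's own (or EU-hosted) servers. The page host www.example.de, the allowlist and the sample HTML are constructed assumptions. The regex-based extraction is deliberately simple and will not see resources that are injected later by JavaScript, so for a real site run it against the rendered DOM as well.

```javascript
// Added example (not the article's code): a static audit of the hotlinked,
// i.e. third-party, resources in a page's HTML. Every URL it reports is one
// the browser fetches on page load, sending the visitor's IP address to that
// host before any cookie banner can ask for consent.
//
// Assumptions (constructed for illustration): the page is served from
// www.example.de, and the operator's own / EU-hosted servers are those in
// FIRST_PARTY_HOSTS. Adjust both for a real site.

const PAGE_HOST = "www.example.de";
const FIRST_PARTY_HOSTS = new Set([PAGE_HOST, "static.example.de"]);

// Tags whose src/href attribute makes the browser fetch something on load.
// <a href> is deliberately excluded: a plain link only sends a request when
// the visitor clicks it.
const RESOURCE_TAG_RE =
  /<(script|link|img|iframe|video|audio|source|embed|track)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// url(...) references in inline CSS, e.g. @font-face sources pulled from a CDN.
const CSS_URL_RE = /url\(\s*["']?([^"')]+)["']?\s*\)/gi;

// Resolve a reference the way the browser would and return its hostname, or
// null for references that never leave the page (data:, blob:, malformed).
function hostOf(ref, pageHost) {
  try {
    const url = new URL(ref, `https://${pageHost}/`);
    return url.hostname ? url.hostname.toLowerCase() : null;
  } catch {
    return null;
  }
}

// Return every resource reference that points at a host outside the allowlist.
function findHotlinks(html, pageHost = PAGE_HOST, allowed = FIRST_PARTY_HOSTS) {
  const hits = [];
  for (const m of html.matchAll(RESOURCE_TAG_RE)) {
    const host = hostOf(m[2], pageHost);
    if (host && !allowed.has(host)) hits.push({ tag: m[1].toLowerCase(), url: m[2], host });
  }
  for (const m of html.matchAll(CSS_URL_RE)) {
    const host = hostOf(m[1], pageHost);
    if (host && !allowed.has(host)) hits.push({ tag: "css-url", url: m[1], host });
  }
  return hits;
}

// Distinct third-party hosts, sorted: the list to discuss with the data
// protection officer, since each one needs either a DPA plus consent gating
// or replacement by a self-hosted / EU-hosted alternative.
function thirdPartyHosts(html, pageHost = PAGE_HOST, allowed = FIRST_PARTY_HOSTS) {
  return [...new Set(findHotlinks(html, pageHost, allowed).map((h) => h.host))].sort();
}

// Constructed sample page, modelled on a typical CMS-generated head section.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<style>@font-face { font-family: Roboto; src: url("https://fonts.gstatic.com/s/roboto.woff2"); }</style>
<script src="https://www.googletagmanager.com/gtag/js?id=EXAMPLE"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="">
<img src="//static.example.de/logo.png" alt="logo">
<iframe src="https://www.youtube.com/embed/EXAMPLE"></iframe>
<a href="https://www.linkedin.com/company/example">LinkedIn</a>
</body></html>`;

// Report one line per hotlinked resource: tag, host, original reference.
for (const hit of findHotlinks(SAMPLE_HTML)) {
  console.log(`${hit.tag.padEnd(8)} ${hit.host.padEnd(28)} ${hit.url}`);
}
```

Save the script as hotlinks.js and run `node hotlinks.js`. For the sample page it reports the Google Fonts stylesheet, the font file from fonts.gstatic.com, the Tag Manager script and the YouTube iframe, while the relative paths, the data: image, the logo on the operator's own static host and the plain LinkedIn link are correctly ignored. The useful property of the allowlist approach is that anything new a developer or plugin adds shows up immediately, without needing a list of known trackers.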
About the Author
Michael Wutzke has more than 20 years of experience in IT. His focus is on the conception and development of digital solutions on the Internet. Michael is currently working in finance in Frankfurt.
Tags: avoid GDPR problems, cookie banners, cookies, CTO, CTO Germany, data processing agreement, data procession, data protection, data protection in Germany, data protection officer, DPA, EU data laws, GDPR, General Data Protection Regulation, Google, Google Ads, Google Maps, HubSpot, MailChimp, Openstreetmap, OSM, Youtube