cookiebox logo

by Usercentrics

data processing services & kategorisierung
cookiebot logo

Cookiebot is a Consent Management Platform that can be used to manage consent or refusal to the services used on the website.

Content of this article

What is Cookiebot?

Cookiebot is a consent management platform that allows you to manage user consent. You are legally obligated (Art. 7 para. 1 GDPR) to prove that the user has consented to the processing of his personal data. Also, the user must be able to revoke his consent at any time (Art. 7 para. 3 GDPR).  The CMP is therefore the central tool for managing your data protection.

Welche Daten werden verarbeitet?

If your website processes personal data in any way, it is your responsibility to show in detail by whom, for what, how and for how long the data is processed. To meet these requirements, you will most likely not be able to avoid using a CMP. But this is not a problem at all, because you will not want to miss the advantage a CMP provides!


When you use Cookiebot’s CMP, the following data is collected:

  • Opt-in- and Opt-out-Data
  • Referrer URL
  • User Agent
  • User settings
  • Consent ID
  • Time of consent
  • Consent type
  • Template-Version
  • Banner-Language
Looking for a specific service?

In our service knowledge base you will find comprehensive information on individual services – clearly arranged and digital!


Expert knowledge and pro tips on top 😉

data processing services

Legal foundation for the processing

The basis for the processing of the data results from the GDPR in combination with the TTDSG, whereby the GDPR takes precedence should there ever be a collision.


The GDPR regulates the processing of personal data and the TTDSG focuses on access to the end device, e.g. the use of cookies.

When is there a requirement for consent?

Personal Data

The processing of personal data is only permitted if at least one of the letters of Art. 6 (1) GDPR is fulfilled. The two important letters are the following:


  1. Die betroffene Person hat ihre Einwilligung erteilt (lit. a)
  2. The processing is necessary to protect your legitimate interest (lit. f)


According to Art. 25 (1) TTDSG, consent is required if cookies are set that are not technically absolutely necessary.


It should be noted that this means not only the well-known small text files and pixels, but all technologies that allow to find out, link or infer a user, a user agent or device.


Thus, all information elements that enable the identification of a person are subject to consent.

The requirements for exemption from consent

To ensure consent-free use, the following conditions would need to be met:


  1. Conclusion of a processing contract with the processor
  2. No use of cookies or similar profiling techniques
  3. Processing of personal data exclusively in Europe
  4. The processor does not use the obtained data for its own purposes
  5. The processor does not link or enrich the data across different websites
  6. Possibility of opting out or revoking as well as detailed information about the collection of personal data in the privacy statement
  7. IP anonymization (“Privacy by Default”)
  8. Automatic opt-out for Do-Not-Track settings in the browser
  9. Proof of points 1-8 carried out by the website operator
desktop icon

IP address

Note that the IP address is generally a personal data. If you want to prevent personal data from being transmitted, you must always ensure that the IP address is disguised.

legal icon

Server location

As long as it is not clear whether/that data is collected from a secure server location, compatibility with the GDPR is difficult.

desktop icon

Company headquarters

In the case of American companies or their subsidiaries, the fact that it is an American company must also be taken into account. Since the ruling on the Privacy Shield, American companies belong to an insecure third country.

Why is Cookiebot not subject to consent?

  • It is not a US provider
  • Personal data are processed, but you can refer to Art. 6 para. 1 lit. c GDPR
  • The local storage is accessed, but you can refer to Art. 25 para. 2 no. 2 TTDSG

Thus, the points listed above are irrelevant. Otherwise, you would have had to check whether all of the above points are fulfilled and only then would the use have been possible without prior consent. However, since you can refer to the fact that the service is necessary for the fulfillment of a legal obligation (Art. 6 (1) lit. c DSGVO), and also the access to the user’s terminal device is covered by Art. 25 (2) No. 2 TTDSG, no consent is required.

Conclusion on the privacy-compliant use of Cookiebot

The CMP is intended to make your work easier in terms of data protection, so it is only right that the service does not require any extra consent. Just make sure that you do not choose a US provider, that would make things unnecessarily complicated.


If you use Cookiebot, it only needs to be listed as an essential service, which is the case by default, so you don’t need to worry about that.

cookiebot logo

Any questions?

Then feel free to call us. We will help you with questions about our product and features or generally about all data protection topics:

fragen icon

Du wünschst weitere Infos zum Privacy Hub oder unseren Beratungsleistungen?

jörg ter beek portrait

Jörg ter Beek

Managing Director, Head of Sales & Partnerships

Want more information about the Privacy Hub or our consulting services?

jörg ter beek portrait

Jörg ter Beek

Managing Director, Head of Sales & Partnerships