Cookiebot and Data Protection – What Belongs in the Privacy Policy
Cookiebot (Usercentrics): data protection obligations, processed data, GDPR legal bases, and mandatory disclosures for the privacy policy.
Anyone who uses Cookiebot on their website must disclose its use in the privacy policy. The consent management system processes personal data – such as IP addresses and browser information of website visitors – and therefore requires well-founded data protection disclosures under the GDPR. This article shows what information is legally necessary, how data processing takes place, and what special features operators should observe.
A. Purpose and Function of Cookiebot
Cookiebot is a Consent Management Platform (CMP) of the Danish company Usercentrics A/S (formerly Cybot). The platform helps websites generate legally compliant consent banners and automatically detect all cookies and tracking tools present on a website.
The system works via JavaScript code that website operators embed in their website. This code automatically performs a cookie scan: the system crawls the website, identifies all cookies and trackers (including those of third-party providers), and categorises them automatically. Cookiebot then displays a customisable consent banner via which website visitors can give or refuse their consent to cookies and trackers.
A central point: Cookiebot itself is a data protection tool, but it also sets its own cookies (on cookiebot.com). Users' consent decisions are logged and stored centrally. The website operator can retrieve the consents granted and refused in the Cookiebot dashboard and thereby provide evidence of consent – which positions Cookiebot as a processor for storing the consent.
B. Mandatory Disclosures in the Privacy Policy
Anyone who uses Cookiebot must disclose this in the privacy policy under Art. 13(1) GDPR. The GDPR requires the following minimum information:
- The name and contact details of the controller (Art. 13(1)(a))
- The name and contact details of a data protection officer, where applicable (Art. 13(1)(b))
- The purposes of processing (Art. 13(1)(c))
- The legal bases (Art. 13(1)(d))
- The recipients of the data (Art. 13(1)(e))
- The retention period or criteria for determining it (Art. 13(1)(f))
- The rights of the data subject (Art. 13(2))
For Cookiebot, the following are particularly relevant:
- Information that consent data is passed on to Usercentrics A/S (processor)
- The specific purposes: consent management, documentation of consents, abuse protection
- Legal basis: generally Art. 6(1)(f) GDPR (legitimate interest in compliance and legal enforcement)
- Retention period of consent logs and details on anonymisation
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider: Usercentrics A/S
Data processing by Cookiebot is carried out by Usercentrics A/S, a Danish company based in the European Union. This is a significant legal advantage, since there is no data protection level problem (DPF/Adequacy Decision) as with transfers to the USA.
Company details:
- Name: Usercentrics A/S
- Registered office: Havnegade 39, 1058 Copenhagen K, Denmark
- Company registration number: 34624607
- Email: mail@cookiebot.com
- Phone: +45 50 333 777
The seat in the European Economic Area (EEA) means that processing takes place in principle under GDPR protection. However: Usercentrics/Cookiebot uses Akamai, a Content Delivery Network (CDN) with servers in the USA. This leads to third-country transfer issues (see Section H).
Further information on the data protection practice of Usercentrics/Cookiebot can be found in the privacy policy on cookiebot.com.
D. Data Processing – Procedure
Data processing by Cookiebot follows a structured procedure:
When the website is loaded, the Cookiebot JavaScript is loaded. The system crawls the page, detects all cookies and trackers, and displays the consent banner. In doing so, the following are automatically captured from the user: IP address, browser type, operating system, device type, and timestamp.
The user selects in the banner which cookie categories they allow or refuse. This decision is logged as a consent record and stored in a central consent log. The log contains the anonymised IP address (last three digits set to "0"), the time, the browser user agent, and the consent status.
The website operator can retrieve the consent log in order to demonstrate that they have a valid consent on file – e.g. for Google Analytics, Facebook Pixel, or other trackers that may only be operated with consent.
Usercentrics itself passes the data on to sub-processors, in particular to Akamai (USA) for the CDN. However, Usercentrics optionally offers an EU CDN provider (BunnyWay, Slovenia).
Stored consent data is regularly deleted – the operator must verify the exact retention policies in the terms of use or with support.
E. Data Collected
Cookiebot processes a wide range of data categories. In detail:
Web server log data
The IP address of the website visitor is collected in anonymised form (the last three digits are set to "0"). In addition, the date and time of the consent, as well as web server log data, are recorded.
Device and browser information
The browser user agent (browser type, version, operating system), device type, and screen resolution are recorded in order to display the consent banner responsively and correctly.
Cookie and tracker data
Cookiebot automatically scans all third-party cookies and tracking pixels on the website and documents their parameters.
Coarse location data
From the anonymised IP address, the approximate geographical location is derived (at country/region level).
User content: consent data
The core element is the consent decisions themselves: Which cookie categories has the user accepted or refused? This data is stored as consent status with an encrypted, anonymous key.
User account data (for operators)
If the website operator uses the Cookiebot dashboard, Usercentrics also processes data on the operator account: login data, access logging, configuration changes.
F. Purposes of Use
Data processing by Cookiebot is carried out for the following purposes:
Provision of functionality and consent management
The primary purpose is to provide website visitors with a consent banner on which they can give or refuse their consent to cookies. Without this processing, the banner cannot function.
Documentation and compliance
Cookiebot stores all consents granted and refused centrally in order to provide the operator with evidence that they obtained valid consent when activating tracking tools (such as Google Analytics). This is a requirement of the GDPR (Art. 7(1)) and the German TDDDG (§ 25 TDDDG).
Security and abuse protection
Cookiebot can detect and block bot activities in order to prevent bots from registering false consents. It also attempts to prevent DoS attacks on the banner itself.
Legal enforcement
Should legal disputes arise, the consent logs can serve as evidence that consent existed.
System administration and improvement
Usercentrics also uses usage data (in aggregated form) to optimise the system, fix errors, and develop new features.
G. Legal Bases
The legal bases for data processing by Cookiebot must be considered in a differentiated manner:
Consent capture and consent logging
For the mere capture and storage of consent decisions, the legal basis is generally Art. 6(1)(f) GDPR (legitimate interest). The website operator has a legitimate interest in providing evidence of valid consent in order to act in a GDPR-compliant manner. This is even in the interest of the data subject, since they can thereby preserve their data protection rights.
An alternative view would invoke Art. 6(1)(c) GDPR (legal obligation): The operator is obliged to document consents (Art. 7 GDPR).
Processing for technical purposes (IP, browser data)
The collection of IP address, browser information, and timestamp is necessary for the functionality of the banner and the unique attribution of consents. Here too, Art. 6(1)(f) GDPR is the legal basis.
Special feature: cookie of the consent banner itself
The Cookiebot cookie itself (which stores the consent decision) is often classified as necessary for consent management and is therefore not subject to the consent requirement under Art. 7 TDDDG / § 25 TDDDG. This is a grey area and should be documented by the operator and clarified with data protection advisors where appropriate.
H. Special Features and Notes
A DPA is mandatory
Since Cookiebot processes personal data on behalf of the website operator, a Data Processing Agreement (DPA) under Art. 28 GDPR is legally required. Operators should check whether Usercentrics offers a DPA and whether they have signed it. Missing DPAs lead to liability risks for the operator.
Cookie scan and automatic cookie detection
Cookiebot continuously scans the website and automatically detects cookies. This is a significant processing step. Through the use of Cookiebot, the operator therefore processes additional data (the scanned cookies), which should be mentioned in the privacy policy.
Cookiebot cookie itself is necessary
The Cookiebot cookie that stores the user's consent decision (typically as "CookieConsent" or "OptanonConsent") is necessary for the function of consent management and is therefore not subject to the consent requirement under TDDDG § 25(1). It can also be stored without explicit consent.
Third-country transfer and Akamai
Usercentrics uses the CDN Akamai (USA) as a sub-processor, which leads to data transfers to the USA. This is controversial under data protection law and entails risks with regard to Schrems II and the lack of an adequate level of data protection. Operators should clarify whether the EU CDN alternative from Usercentrics can be used (BunnyWay, Slovenia).
Anonymisation of the IP address is incomplete
Cookiebot anonymises the IP address by setting the last three digits to "0". This corresponds to the anonymisation practice of other tools, but is viewed critically by data protection experts: under certain circumstances, this is only pseudonymisation, not full anonymisation.
Abuse and manipulation
Particularly critical: Consents cannot be made fully tamper-proof. A user could technically manipulate the consent (via the browser console). Cookiebot attempts to prevent this through bot detection, but the risk remains.
I. Frequently Asked Questions on Cookiebot and Data Protection
J. Conclusion
Cookiebot is a widely used CMP that creates data protection obligations for website operators and at the same time fulfils them. Its integration requires transparent data protection disclosures under the GDPR – not just a generic enumeration, but a process-oriented explanation that concretely sets out the purposes, data types, legal bases, and special features (third-country transfer, anonymisation, DPA status).
A blanket text template for Cookiebot is less useful than individual documentation that reflects one's own system: Which cookie categories are operated? Which sub-processors are integrated? Has a DPA been concluded with Usercentrics? Is the EU CDN alternative used?
The critical points (third-country transfer via Akamai, anonymisation, missing DPAs) should be documented and clarified in coordination with data protection advisors. Operators should regularly check whether Usercentrics has made improvements and whether their own configuration is still data-protection-compliant.
Disclaimer. This article does not constitute legal advice. It describes the status and requirements according to current knowledge (April 2026). Data protection law is subject to constant change due to court decisions, regulatory interpretations, and technical developments. Operators should regularly review their data protection measures and documentation with qualified data protection advisors.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com