CookieYes and Data Protection – What Belongs in the Privacy Policy
Concise guide to CookieYes: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
CookieYes is a Consent Management Platform (CMP) based in London (United Kingdom) that supports website operators in managing cookie consent and complying with data protection obligations. The use of CookieYes is associated with significant data processing – both the platform itself and the controller must transparently set out their roles and legal bases in the privacy policy. This guide shows what information is mandatory and how it is to be formulated in a legally secure way.
A. Purpose and Function of CookieYes
CookieYes offers a modular ecosystem for consent management:
- Cookie banner: Dynamically generated consent banners (cookie walls under the ePrivacy Directive) with categorised display (essential, functional, analytical, marketing)
- Consent logging: Storage and management of user consent decisions with timestamps and audit trail
- Cookie scanner: Automated detection of all cookies used on the website and their classification
- Policy generator: Automatic generation of cookie policies and privacy policies based on detected scripts and tracking tools
- WordPress plugin: Direct integration into WordPress websites; alternative SaaS solution for all platforms
- Standards: Support for IAB TCF v2.2 (Transparency & Consent Framework) and Google Consent Mode v2 for forwarding consent signals to Google and other ad networks
CookieYes acts as a processor (Art. 28 GDPR), not as a controller. Responsibility for the lawfulness of the processing remains with the website operator.
B. Mandatory Disclosures in the Privacy Policy When Using CookieYes
The following information must be included in the privacy policy:
- Naming of the provider: CookieYes Limited, London (UK) – with reference to its function as a processor
- Description of data processing: What data is collected, stored, and disclosed?
- Processing purposes: Consent management, compliance documentation, security
- Recipients and transfers: Storage in the UK and where applicable in India; transfer to third-party providers (e.g. Google for Google Consent Mode)
- Legal bases: Art. 6(1)(c), (f) GDPR; § 25(2) No. 2 TDDDG (Telemedia Act)
- Deletion periods: Retention period of consent logs and audit trails
- Data subject rights: Reference to right of access, rectification, erasure, objection
- Data protection officer: If applicable, contact details of the company DPO
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of CookieYes
CookieYes Limited
Registered office: London, United Kingdom
CookieYes is legally registered in the United Kingdom. Following the adequacy decision of the European Commission of 28 June 2021 (Commission Implementing Decision 2021/914/EU), the UK is regarded as a safe third country with an adequate level of data protection – data transfers there are permissible without additional safeguards (such as Standard Contractual Clauses).
Group structure and operational locations
CookieYes also has operational structures in India (Bangalore). Should personal data of data subjects in the European Union be transferred to India or processed there, Standard Contractual Clauses (Art. 46(2)(c) GDPR) are required, since there is no adequacy decision of the EU Commission for India.
Privacy policy and DPA
CookieYes makes its privacy policy available at the link (see resources). A Data Processing Agreement (DPA) under Art. 28(3) GDPR is available and must be requested and signed by controllers before contract conclusion.
D. Data Processing – Procedure in Steps
Third-country status
- UK: Adequacy decision (safe third country) → no additional protection required
- India (where processing takes place there): Standard Contractual Clauses required
E. Data Collected by CookieYes
CookieYes collects and processes the following categories of personal data:
Web server log data
- IP address of the user
- HTTP request headers (user agent, referer)
- Time and duration of access
- Requesting domain and path
Browser information
- Browser type and version
- Operating system
- Language settings
- Device type (desktop, tablet, mobile device)
Coarse location data
- Country and where applicable city level based on IP geolocation (not GPS-based)
Device identifiers
- Unique device ID (for tracking across multiple sessions)
- Cookie values (CookieYes-specific session IDs)
Consent events and conversion data
- Consent decision (accepted/rejected) per category
- Timestamp of the decision
- Google Consent Mode signal (where Google Consent Mode v2 is activated)
- Scrolling behaviour with the banner (e.g. banner interaction detected yes/no)
This data is processed in pseudonymised or anonymised form, provided that no link to other user identifiers takes place.
F. Purposes of Use
CookieYes processes the data referred to above for the following purposes:
Provision and optimisation of functionality
- Provision of the consent management function on the website
- Configuration and management of the cookie banners (visual customisation, texts, categories)
- Capture and storage of user consent decisions
- Generation of reports for the controller
Security and abuse protection
- Protection against automated attacks and bot traffic
- Detection of suspicious activities on the CookieYes servers
- IP-based rate limiting and DDoS prevention
Legal and compliance documentation
- Audit trail for authority requests and supervisory authorities
- Evidence of obtaining consent under Art. 7 GDPR and § 25(2) No. 2 TDDDG
- Evidence of compliance with data protection obligations
Legal enforcement
- Response to subpoenas or official requests
- Pursuit of abuse cases (e.g. spam campaigns via fake consent banners)
G. Legal Bases for CookieYes
1. Category and Primary Justification
CookieYes is a consent management platform for managing cookie consents. Its use is justified by the following provisions:
Art. 6(1)(c) GDPR (legal obligation)
in conjunction with Art. 7(1) GDPR (obligation to demonstrate consent)
as well as § 25(2) No. 2 TDDDG (Telemedia Act – consent for non-essential cookies)
The controller must be able to document consents and therefore has a legal obligation for data processing through CookieYes.
2. Secondary Justification
Art. 6(1)(f) GDPR (legitimate interest)
In addition, processing may be justified by a legitimate interest of the controller – operational security, compliance reporting, abuse detection (where not sufficiently covered by (c)).
3. Third-country Transfer
United Kingdom (UK)
Transfers to the UK are permissible without additional safeguards because the European Commission, by Commission Implementing Decision 2021/914/EU (of 28 June 2021), determined that the UK provides an adequate level of data protection.
India (where CookieYes processes there)
For processing operations in India, Standard Contractual Clauses under Art. 46(2)(c) GDPR are required, since India does not have an adequacy decision. The CookieYes DPA must contain corresponding clauses.
H. Special Features and Notes on CookieYes
- UK seat with adequacy decision: CookieYes Limited is registered in the UK and benefits from the EU Commission's adequacy decision of 28 June 2021. Data transfers there are permissible without the need for additional guarantees.
- Operational structures in India: Should CookieYes carry out processing in India (e.g. for support, backup, hosting), the corresponding DPA clauses and Standard Contractual Clauses must apply.
- Data Processing Agreement (DPA) required: Controllers must conclude a signed DPA with CookieYes before or during contract conclusion. This is a precondition for GDPR compliance.
- IAB TCF v2.2 compatibility: CookieYes supports the IAB Transparency & Consent Framework (TCF) v2.2, which makes it possible to forward consent signals to hundreds of ad networks and ad-tech providers. This requires additional transparency in the privacy policy and explicit acknowledgement of the disclosure.
- Google Consent Mode v2: CookieYes enables the forwarding of consent signals to Google (Analytics, Google Ads, etc.). Users must be informed of this.
- Audit logs and compliance reports: CookieYes generates audit trails that can serve as evidence in data protection audits.
I. Frequently Asked Questions (FAQ)
J. Conclusion and Practical Recommendations
Legal notice: This text provides general guidance on the data protection compliance of CookieYes and does not replace individual legal advice. Every website implementation is unique and should be reviewed by an entity experienced in data protection.
CookieYes is an established CMP with modern functions (IAB TCF v2.2, Google Consent Mode v2) and a UK seat (adequacy decision). To achieve compliance, the following steps are required:
- Sign the DPA – before or during implementation
- Update the privacy policy – with all information from Sections A–H
- Configure the consent banner – under § 25(2) TDDDG and Art. 7 GDPR (informed, freely given, unambiguous)
- Review audit logs – regularly download CookieYes reports as evidence
- Document third-party transfers – in particular for IAB TCF and Google Consent Mode
With these measures you use CookieYes in a legally compliant and demonstrable manner in line with the GDPR and the Telemedia Act.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Handelsblatt has recognised Dr. Helbing every year from 2020 to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com