Compliance Web-Design

Data Privacy, DSGVO, and Cookies

Data Privacy Symbol Picture

Often the web­site oper­a­tor is told, that Data pro­tec­tion is com­plex and has to be orga­nized by experts. But what if she does­n’t have the mon­ey for that? If it seems some­how non­sen­si­cal to shoot at a spar­row blog with the can­non of a paid team of experts? Then — maybe and with the help of Google — she installs some pop­u­lar Word­Press plu­g­ins for data pri­va­cy and DSGVO and/or cook­ies — in the hope that all goes well. Or she inves­ti­gates it in more detail. And in the end, she per­haps gath­ers rules of thumb, from which at least one well-work­able way results. Here are my 3.7 rules of thumb, applied to my own data pri­va­cy file:

[ en | de ]


  • I. Use only the per­son­al data that you real­ly need for the func­tion­ing of your sys­tem.
  • II. If you col­lect per­son­al data, tell the own­ers,
    • that you are going to do so,
    • for what pur­pose you use the data,
    • what legal basis autho­rizes you to do so,
    • with whom you share the data,
    • how long you will store it,
    • how they can ask you which data you have stored over time
    • how they can have the data delet­ed again.
  • III. If you store data on the com­put­er of your users, which they did not request direct­ly or indi­rect­ly, ask them before­hand for per­mis­sion.


If I pro­ceed accord­ing to this — so I make myself believe again and again — I will design my sites in a way that I avoid the rough­est traps1 and errors2. Because I always have one thing in mind: with a mere cook­ie ban­ner it is not done:

  1. The first thing I con­sid­er is where my blog as a sys­tem col­lects per­son­al data. The ones that I explic­it­ly request in and with forms are the eas­i­est for me to notice and remem­ber. Here I know — qua office — what I do with them and to whom I pass them etc.
  2. Fur­ther­more, I am aware that IP address­es are also con­sid­ered per­son­al data — although the inter­net would not func­tion with­out them.
  3. Addi­tion­al­ly, Word­Press can col­lect, note, and send data to third par­ties — as well as the plu­g­ins I’ve acti­vat­ed, the JavaScript libraries I’ve installed, the Google fonts I’ve inte­grat­ed, etc., etc.
  4. Even­tu­al­ly, my com­menters are usu­al­ly made rec­og­niz­able via the com­mon Gra­vatar sys­tem.

I have to sort out this mish­mash:

  • Rule (I) tells me that less is more: the few­er data I ask for and the few­er plug-ins I use, the lean­er my data pro­tec­tion con­cept can be. So I clean out here, e.g. by treat­ing pro­duc­tive and devel­op­ing sys­tems dif­fer­ent­ly.
  • Rule (II) tells me that I must actu­al­ly describe the remain­ing data sets in the data pro­tec­tion con­cept. So I also deter­mine what data my plu­g­ins, font requests, and oth­er tech­ni­cal com­po­nents col­lect, how they store it, and where they pass it on.
  • Rule (III) tells me that I have to get per­mis­sion to write files, i.e. cook­ies, to my user’s com­put­er — either by law, as in the case of tech­ni­cal­ly nec­es­sary cook­ies, or by con­sent of my user. And to get this con­sent, it is help­ful to spec­i­fy the pur­pose and effect.

My next posts describe how I have imple­ment­ed this in my bootScore-based site con­crete­ly.


  1. cf. https://www.e‑ []
  2. cf.–4854218 []

Leave a Comment

Your email address will not be published. Required fields are marked *

To top