SAP Apphaus website

I was made aware that documents for Design Thinking previously available at the old SAP Build website (including the really cool Scenes toolkit) are now available at the SAP AppHaus website. For some reasons I am always lucky when accessing a SAP website and only experience the best UX. I already had the pleasure to visit the AppHaus in Heidelberg, but so far I did not pay attention to the website. Now I did.

Legal requirements

Accessing the website shows you the contribution of the EU to the internet: cookie consent. The default and highlighted button sets all cookies. Not only the technical required, but the functional and marketing cookies. Not sure if this is a good idea.

Option to change the default sets only the technical required cookies as default. Better.

A nice part of the cookie consent is that the EU requires web site operators to offer the users the option to change their consent at any time. If you opted to allow functional cookies, you must be able to easily change your setting to e.g., only technical required cookies. In Germany this behavior is demanded by §25 TTDSG. The paragraph points to the GDPR (DSGVO) on how this needs to be done.

“Die Information des Endnutzers und die Einwilligung haben gemäß der Verordnung (EU) 679/2016 zu erfolgen.”

DSGVO Art 7 explains in detail how the consent of the user must be obtained. That the consent of the user is not a one-time decision, but can be revoked or altered at any time is made clear in Art 7 (2). “Die betroffene Person hat das Recht, ihre Einwilligung jederzeit zu widerrufen.” And the revocation needs to be made more or less easy: “Der Widerruf der Einwilligung muss so einfach wie die Erteilung der Einwilligung sein.” Even when hosting the web site outside Germany or the EU, if the web site is accessible to Eu citizens, GDPR applies.

No, you can’t

Let’s see how easy it is to revoke my cookie consent. First let me set my cookie consent to accept everything at my first time I am accessing SAP and the SAP AppHaus website.

But wait, why should I give so much data to SAP for free? Let me revoke my decision as the GDPR / DSGVO allow me to. It should be easy (as required by EU), so where do I find the setting? From other SAP sites I know that this kind of information is placed in the footer.

The SAP logo is not a link, only text. I see Login, Privacy Policy, Legal Disclosure, Terms of User and Copyright. Nothing with Cookie consent, preferences or settings. Looking at the Privacy Policy linked I find several references to Cookie Statement. The first reference says that there is a cookie statement on the relevant SAP website.

Maybe SAP AppHause website is not the relevant site for the cookie consent I gave when I accessed it? Other occurrences say that I should look at SAP’s Cookie Statement. But it is not linked.

The footer of the site is also not helpful.

So, how do I now change my cookie consent? Giving my consent to collect data so far was easier than revoking it. Simply because I still did not manage to revoke it. Conclusion so far: there is no way to revoke my cookie consent on apphaus.sap.com.

Revoke consent

Revoking my consent is a journey that takes me through a set of links, pages and sites. On apphaus.sap.com, I can click on Privacy Policy in the footer. In the footer of that site, I can click on Go.SAP.com. This opens sap.com where I can scroll down to the footer and find a link Cookie Preferences. Data sovereignty is only five clicks away.

AppHaus website, footer: Privacy Policy.

Experience SAP site, footer, Go.SAP.com

SAP.com site, footer, Cookie Preferences

Change cookie consent

(yes, language changed from German to English. For some reason I was redirected to the English SAP.com site).

Not aligned with SAP’s cookie statement?

Trying out an alternative journey by selecting the Privacy link in the experience website footer. This opens the SAP Privacy Statement which contains a reference to the Cookie Statement.

This is the cookie statement referenced by the privacy document of experience.sap.com, just without linking it. The cookie statement contains a section about how I can manage my cookies and consent.

It states that “[…] you can access preferences at any time by clicking on the “Cookie Preferences” link in the footer of the webpage.” The text basically says what GDPR / DSGVO demand. While this is valid for sap.com, the apphouse.sap.com site does not contain a link in the footer to the cookie preferences. While sharing the same domain: sap.com, apphaus has its own footer. And that one differs from the sap.com footer. For some reason I cannot navigate from apphaus.sap.com to sap.com. The SAP logo is there, but not as a link. In fact, how am I supposed to either find the cookie statement site or the cookie preferences starting from the apphouse.sap.com site? The SAP App Haus website refences SAP’s cookie statement. The link to the cookie preferences in the footer mentioned there is missing for apphaus.sap.com. And while I can easily give my consent when I access the App Haus site, revoking it is a more like a quest through several links and websites. Or is this kind of jumping around different websites in the search of the right link considered as easy as the automatic cookie consent dialog shown at first time visit? Or is SAP AppHause website not fully compliant with the SAP’s cookie statement? Either way, to me revoking my consent is not as easy as it should be.

Summary

I guess the SAP App Haus makes it into my list of “are you sure you know what you are doing”. At least the web site is in good company:

• Take care of your templates
• Legal requirements
• Yes we’re open
• SAP Universal ID and GDPR
• Part I – SAP Help status page

And to my biggest surprise, so many more.