The Bavarian Data Protection Authority’s recent Cookie Sweep


Authors: Trilateral Research

Date: 1 March 2019

The Bavarian Data Protection Authority’s recent Cookie Sweep has been reported by Alston & Bird’s Privacy and Data Security Blog, “Google-Style GDPR Fines for Everyone?”.

The Bavarian DPA has stated in an online publication that it conducted a sweep of the websites of forty large companies in relation to their cookie and tracking habits. It subsequently announced that none of the audited companies had built GDPR-compliant practices into their websites. As a result, it is considering fining these companies.

The actual names of the companies have not been revealed but they represented a cross section of industries including banking, insurance, media, automotive, electronics and residential.

The fact that the Bavarian DPA considered none of the forty websites to be GDPR compliant in respect of their cookies demonstrates how far many organisations need to go to improve their data protection compliance. Reading between the lines, the overall theme of the shortcoming seems to be a lack of operational transparency. Specifically, regardless of what a company’s cookie policy looks like, it will be deemed to be ineffective if it is not effectively communicated to users in advance of them giving their consent, amounting to a GDPR Article 12.1 issue.

The issue of transparency for users was also central to the CNIL fine of Google (also discussed in this Trilateral blog).

The Bavarian DPA found the following violations:

Websites lacked the transparency needed for “informed” cookie consent.

30 of the 40 audited websites did not provide sufficiently transparent disclosures to users regarding the website’s use of tracking technology. The Bavarian DPA indicates that providing users with ‘sufficiently transparent’ disclosures means: (a) individually identifying all cookies/trackers (and presumably the companies behind them), and (b) letting users know the specific purposes for which data collected by the identified cookies will be used.

No “prior” consent was collected from users

The Bavarian DPA indicated that for most of the 40 websites, data was “automatically” sent to third-party cookie providers as soon as the user visited the website. Thus, “tracking occurs before the user can make a decision about whether he will permit such processing.” Only 1 out of 40 websites permitted the user to stop profiling using browser settings.

The consent obtained was not sufficiently “active”

The Bavarian DPA’s position is that cookies and “tracking scripts” should be blocked until “the user has actively consented”. The Bavarian DPA noted that most of the 40 websites used cookie banners to inform users about their use of cookies and that none of these banners resulted in effective consent being collected from the user. It is unclear what the DPA is communicating here; prior to the GDPR, most jurisdictions and the Article 29 Working Party viewed significant interaction with a website as giving rise to implied, but still legally effective ‘active’ consent. It may be that none of the websites integrated a cookie-blocking function prior to ‘consent events’ being logged.


When considering websites and cookies, it is important to remember the golden rules set by GDPR:

  • A privacy notice and a cookie policy need to reflect what the website does. Many companies write cookie policies that do not match their website’s actual practices.
  • IP addresses are personal data under GDPR, so collecting IP addresses equates to automatic data processing. If profiling is involved, other GDPR requirements become applicable.
  • Cookies need to be blocked until the user hits the “accept” button on the cookie banner. This means that the cookie banner needs to be displayed until the user accepts or refuses the cookies. If the user continues to browse the website, this cannot be considered as a user’s informed and valid consent to accept cookies.

Consent is not required for purely functional cookies that make the website operate. However, marketing cookies, such as those for targeted ads, location tracking or social media cookies generated by ‘share’ buttons or embedded video all require consent.
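The three golden rules above describe a gate that a site’s front end has to enforce: functional cookies load freely, everything else stays blocked until the banner records an explicit accept, and a tracker that is not individually disclosed with its provider and purpose should not load at all. The following is an added example (not code from Trilateral Research or from the blog post) of that gate as plain consent logic; the tracker catalogue, consent-event shape and method names are constructed for illustration.

```javascript
// Constructed tracker catalogue, as a site would declare it in its cookie policy:
// one entry per cookie/tracker, naming the company behind it and its purpose.
const TRACKERS = [
  { id: 'session',   provider: 'first-party',   purpose: 'keep user logged in',      category: 'functional' },
  { id: 'ads-pixel', provider: 'ExampleAds',    purpose: 'targeted advertising',     category: 'marketing'  },
  { id: 'share-btn', provider: 'ExampleSocial', purpose: 'social media share button', category: 'marketing' },
  { id: 'mystery',   provider: '',              purpose: '',                         category: 'analytics'  },
];

// Only an explicit action on the banner counts as "active" consent.
// Scrolling or continuing to browse is deliberately not in this set.
const ACTIVE_METHODS = new Set(['accept_click', 'settings_save']);

function isActiveConsent(consent) {
  return consent !== null && consent !== undefined && ACTIVE_METHODS.has(consent.method);
}

// Decide which trackers may load for the current consent state.
// Returns { load: [ids], blocked: [{ id, reason }] } so the blocked list can be
// logged or audited. Functional trackers always load; any other tracker needs
// (1) a transparent disclosure (provider + purpose), (2) prior active consent,
// and (3) consent for its specific category.
function gateTrackers(trackers, consent) {
  const load = [];
  const blocked = [];
  for (const t of trackers) {
    let reason = null;
    if (t.category !== 'functional') {
      if (!t.provider || !t.purpose) reason = 'undisclosed';
      else if (!isActiveConsent(consent)) reason = 'no_active_consent';
      else if (!consent.categories.includes(t.category)) reason = 'category_declined';
    }
    if (reason) blocked.push({ id: t.id, reason });
    else load.push(t.id);
  }
  return { load, blocked };
}

// Hypothetical consent events as a banner might record them.
const NO_DECISION = null;                                                  // banner still showing
const IMPLIED = { method: 'scroll', categories: ['marketing', 'analytics'] }; // continued browsing
const ACCEPTED_MARKETING = { method: 'accept_click', categories: ['marketing'] };
```

In a browser, marketing and analytics scripts would be declared with a non-executing `type` attribute and only switched on for the ids returned in `load`, so nothing fires before the banner decision is recorded.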

As the article highlights, the key takeaway from the Bavarian DPA’s action is that cookie compliance is a major focus for European regulators, and they are prepared to issue fines to organisations that do not comply. Given that there have been suggestions that cookie banners may disappear entirely when the e-Privacy Regulation is ratified, it seems there is an overall, more pervasive problem with regard to transparency obligations which must be resolved.