The Bavarian Data Protection Authority’s recent Cookie Sweep has been reported by Alston & Bird’s Privacy and Data Security Blog in its post “Google-Style GDPR Fines for Everyone?”
The Bavarian DPA stated in an online publication that it had conducted a sweep of the websites of forty large companies in relation to their cookie and tracking practices. It subsequently announced that none of the audited companies had built GDPR-compliant practices into their websites and that, as a result, it is considering fining them.
The actual names of the companies have not been revealed but they represented a cross section of industries including banking, insurance, media, automotive, electronics and residential.
The issue of transparency for users was also central to the CNIL fine of Google (also discussed in this Trilateral blog).
The Bavarian DPA found the following violations:
Websites lacked the transparency needed for “informed” cookie consent.
30 of the 40 audited websites did not provide sufficiently transparent disclosures to users regarding the website’s use of tracking technology. The Bavarian DPA indicates that providing users with ‘sufficiently transparent’ disclosures means: (a) individually identifying all cookies/trackers (and presumably the companies behind them), and (b) letting users know the specific purposes for which data collected by the identified cookies will be used.
No “prior” consent was collected from users
The Bavarian DPA indicated that on most of the 40 websites, data was “automatically” sent to third-party cookie providers as soon as the user visited the website. Thus, “tracking occurs before the user can make a decision about whether he will permit such processing.” Only 1 out of 40 websites permitted the user to stop profiling using browser settings.
The consent obtained was not sufficiently “active”
When considering websites and cookies, it is important to remember the golden rules set by GDPR:
- IP addresses are personal data under GDPR, so collecting IP addresses is processing of personal data. If profiling is involved, further GDPR requirements become applicable.
- Cookies need to be blocked until the user clicks the “accept” button on the cookie banner. This means that the cookie banner needs to be displayed until the user accepts or refuses the cookies. If the user simply continues to browse the website, this cannot be treated as the user’s informed and valid consent to cookies.
Consent is not required for purely functional cookies that make the website operate. However, marketing cookies, such as those for targeted ads, location tracking or social media cookies generated by ‘share’ buttons or embedded video all require consent.
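To make the two findings above concrete (one banner entry per tracker naming the company behind it and its purpose, and no non-essential tracker firing before an explicit accept click), here is a consent gate in JavaScript. It is an added example written for this post, not code from the audited sites, the Bavarian DPA or the blog being discussed; `ConsentGate`, `simulateVisit`, the signal names and the sample trackers are all hypothetical.

```javascript
// Added example (not from the original post or any regulator guidance): a
// minimal consent gate that (1) keeps a per-tracker disclosure list with the
// provider and purpose, (2) fires only "necessary" loaders before a decision,
// and (3) releases non-essential loaders only on an explicit banner click.
// All names here (ConsentGate, simulateVisit, the sample trackers) are hypothetical.

const CATEGORIES = new Set(["necessary", "marketing"]);

class ConsentGate {
  constructor() {
    // null = the user has not decided yet; the banner must stay up.
    this.consent = { necessary: true, marketing: null };
    this.registry = []; // every tracker, for the disclosure list on the banner
    this.deferred = []; // non-essential loaders waiting for a decision
    this.fired = [];    // names of loaders that actually ran
  }

  // Register a tracker. `meta.provider` and `meta.purpose` are mandatory so the
  // banner can individually identify each tracker and what its data is used for.
  register(name, category, meta, loader) {
    if (!CATEGORIES.has(category)) throw new Error(`unknown category ${category}`);
    if (!meta || !meta.provider || !meta.purpose) {
      throw new Error(`tracker ${name} needs provider and purpose for disclosure`);
    }
    this.registry.push({ name, category, provider: meta.provider, purpose: meta.purpose });
    if (category === "necessary" || this.consent[category] === true) {
      loader();                 // functional cookies, or consent already given
      this.fired.push(name);
      return "fired";
    }
    if (this.consent[category] === false) return "refused"; // user said no
    this.deferred.push({ name, category, loader });          // wait for the banner
    return "deferred";
  }

  // Text for the banner: one line per tracker, naming the company behind it
  // and the purpose of the data it collects.
  disclosures() {
    return this.registry.map(
      (t) => `${t.name} (${t.provider}, ${t.category}): ${t.purpose}`
    );
  }

  // The banner has to stay visible until an explicit accept or refuse.
  bannerRequired() {
    return this.consent.marketing === null;
  }

  // Record a decision. Only a click on the banner's accept/refuse controls
  // counts; scrolling, navigating on or closing the banner is not consent.
  decide(category, signal) {
    const accepted = signal === "banner-accept-click";
    if (!accepted && signal !== "banner-refuse-click") return false;
    if (category === "necessary") return false; // not a choice the user makes
    this.consent[category] = accepted;
    const ready = this.deferred.filter((d) => d.category === category);
    this.deferred = this.deferred.filter((d) => d.category !== category);
    if (accepted) for (const d of ready) { d.loader(); this.fired.push(d.name); }
    return true;
  }
}

// Simulated page visit with constructed sample trackers; returns the gate and a
// log of what had fired at each stage.
function simulateVisit() {
  const gate = new ConsentGate();
  const log = {};
  gate.register("session", "necessary",
    { provider: "first party", purpose: "keep the user logged in" }, () => {});
  gate.register("ad-pixel", "marketing",
    { provider: "example ad network", purpose: "targeted advertising" }, () => {});
  gate.register("share-button", "marketing",
    { provider: "example social network", purpose: "social sharing and profiling" }, () => {});
  log.onLoad = [...gate.fired];                                       // only "session"
  log.scrollAccepted = gate.decide("marketing", "scroll");            // false: not consent
  log.afterScroll = [...gate.fired];                                  // still only "session"
  log.clickAccepted = gate.decide("marketing", "banner-accept-click"); // true
  log.afterClick = [...gate.fired];                                   // all three
  log.bannerRequired = gate.bannerRequired();                         // false
  return { gate, log };
}

const visit = simulateVisit();
console.log(visit.gate.disclosures().join("\n"));
console.log(JSON.stringify(visit.log, null, 2));
```

The important design choice is that the registration call cannot succeed without a provider and a purpose, so the disclosure list is generated from the same data that controls loading; a tracker that is missing from the banner text cannot fire at all. A real deployment would also have to stop the third-party scripts themselves from being fetched until `decide()` releases them, since the DPA's finding was that the data flow starts on page load, not that the cookie is merely written.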
As the article highlights, the key takeaway from the Bavarian DPA’s action is that cookie compliance is a major focus for the European regulators, and they are prepared to issue fines to organisations that do not comply. Given the suggestions that cookie banners may disappear entirely once the e-Privacy Regulation is adopted, the underlying problem appears to be a broader one of meeting transparency obligations, and that problem must be resolved regardless of the banner mechanism.