With little or no cookie-related enforcement by national regulators against website owners, many companies, e-commerce and ordinary websites have taken a “wait and see” approach to applying GDPR-compliant cookie consent procedures on their websites.
However, things are beginning to stir within national authorities. New investigations and guidance on cookie practices by the Dutch and Bavarian (Germany) data protection authorities send a clear message to companies: in 2019 they should begin to take the GDPR seriously with respect to cookies and tracking.
Companies track their users without their freely given consent
The guidance was the result of a study conducted on 40 Bavarian websites across a range of industries to assess their compliance practices relating to tracking technologies used for personal advertising.
The results were shocking. None of the 40 websites were GDPR-compliant with respect to cookie consent management and all 40 websites were storing third-party tracking cookies before consent was given by the user.
Specifically, the LDA found:
- All websites used third-party tracking cookies for marketing purposes.
- 75% of websites did not include any information about tracking technologies on their sites and provided insufficient information about tracking in policies.
- 75% of websites used cookie banners in an attempt to obtain consent; however, the information provided in these was deemed inadequate.
- None provided users with the opportunity to give informed, voluntary and affirmative consent.
- All but one began tracking before valid consent was obtained (as required by GDPR Recital 32).
Because the analysis was carried out across industries, the Bavarian LDA concluded that the poor state of cookie compliance and the clandestine use of tracking technologies probably extend to all companies, not just those using sophisticated advertising technologies.
Following the release of the guidance, the LDA implied it would start issuing monetary fines for lack of cookie and privacy compliance.
Data for access will no longer be tolerated
In March 2019 the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), published guidance on “cookie walls”, which prevent users from accessing a website unless they give their consent to cookies. The “data for access” business model – which relates particularly to third-party tracking cookies used for online behavioral profiling – is built on consent that is not freely given by the users. This is in clear violation of the provisions in the GDPR regarding online privacy.
According to the DPA, users must be offered the possibility to give free and voluntary consent before tracking software such as cookies, pixels and fingerprinting is implemented by the site. Cookie walls do not give users a free choice to reject cookies and other tracking technologies, because the site will block access.
What are the implications for the future?
How to get 100% cookie compliant?
There is a range of options for company websites to become completely GDPR compliant regarding cookie practices.
First of all, the visitor must always be properly informed of which cookies and tracking technologies the website uses and stores in the visitor’s browser.
Second, the website must prevent cookies that collect and process personal information (tracking cookies) from being stored before the user has provided freely given and explicit consent. In essence, this means that silence, pre-ticked fields or inactivity do not constitute consent under the GDPR!
Third, the user must be able to alter or withdraw the cookie consent, and it must be as easy as giving the consent.