Grip tightens on bad cookie banner practices

New investigations by the Bavarian LDA and Dutch DPA into companies’ cookie consent practices and GDPR compliance are a clear indication that EU authorities are increasing their focus on companies’ use of online tracking technologies.
With little or no cookie-related enforcement by national regulators against website owners, many companies, e-commerce sites, and ordinary websites have taken a “wait and see” approach to applying GDPR-compliant cookie consent procedures on their websites.
However, things are beginning to stir within national authorities. New investigations and guidance on cookie practices by the Dutch and Bavarian (Germany) data protection authorities send a clear message to companies: in 2019, they should begin to take the GDPR seriously with respect to cookies and tracking.

Companies track their users without their freely given consent

In January 2019, the Bavarian data protection authority, Bayerisches Landesamt für Datenschutzaufsicht (Bavarian LDA), released guidance directed toward companies with websites that use cookies to track customers for online behavioral profiling and marketing purposes.
The guidance resulted from a study conducted on 40 Bavarian websites across various industries to assess their compliance practices relating to tracking technologies used for personalized advertising.

The results were shocking. None of the 40 websites were GDPR-compliant with respect to cookie consent management, and all 40 websites were storing third-party tracking cookies before the user gave consent.

Specifically, the LDA found:

  • All websites used third-party tracking cookies for marketing purposes. 75% of websites did not include any information about tracking technologies on their sites and provided insufficient information about tracking in policies.
  • 75% of websites used cookie banners in an attempt to obtain consent. However, the information provided in these was deemed inadequate.
  • None provided users with the opportunity to give an informed, voluntary and affirmative consent.
  • All but one began tracking before a valid consent was obtained (as required by GDPR Recital 32).

Because the analysis was carried out across industries, the Bavarian LDA concluded that the poor state of cookie compliance and clandestine use of tracking technologies probably extends to all companies, not just those using sophisticated advertising technologies.

Following the release of the guidance, the LDA implied it would start issuing monetary fines for lack of cookie and privacy compliance.

Data for access will no longer be tolerated

In March 2019, the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), published guidance on “cookie walls”, which prevent users from accessing a website unless they give their consent to cookies. The “data for access” business model – particularly related to third-party tracking cookies used for online behavioral profiling – is built on consent that users do not freely give. This is in clear violation of the provisions in the GDPR regarding online privacy.

According to the DPA, users must be offered the possibility to give free and voluntary consent before the site implements tracking software such as cookies, pixels, and fingerprinting. Cookie walls do not give users a free choice to reject cookies and other tracking technologies, as the site will block access.

What are the implications for the future?

The investigations and guidance by both the DPA and LDA are clear indications that EU regulators and national authorities are increasing their focus on companies’ consent practices relating to the use of cookies and other tracking technologies. The take-it-or-leave-it cookie walls will not be tolerated unless used for strictly necessary cookies. Furthermore, companies with tracking cookies on their websites will have to comply with the GDPR as soon as possible. In January, the French Data Protection Authority (CNIL) fined tech giant Google 50 million euros for lack of transparency and lack of valid consent concerning the personalization of ads.

How to get 100% cookie compliant?

There are various options for company websites to become completely GDPR compliant regarding cookie practices.
First of all, the visitor must always be properly informed of which cookies and tracking technologies the website uses and stores in the visitor’s browser.
Second, the website must prevent cookies that collect and process personal information (tracking cookies) from being stored before the user has provided freely given and explicit consent. In essence, this means that silence, pre-ticked fields, or inactivity do not constitute consent under the GDPR!
Third, the user must be able to alter or withdraw the cookie consent, and it must be as easy as giving the consent.
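
The second and third requirements can be enforced in the site's own script loader. The following is an added example, not code from the original article: a small consent gate that holds tracking code back until an explicit opt-in and undoes it on withdrawal. `ConsentGate`, the category labels and the `signal` object are assumptions made for illustration, and `jar` stands in for the browser's cookie store.

```javascript
// Added example. ConsentGate, the category labels and the signal shape are assumptions.
const NECESSARY = "necessary";
class ConsentGate {
  constructor() {
    this.granted = new Set([NECESSARY]); // strictly necessary cookies need no consent
    this.entries = [];                   // every registered tracker, running or held
  }
  // start() sets the cookies and returns a stop() that removes them again.
  register(name, category, start) {
    const entry = { name, category, start, stop: null };
    this.entries.push(entry);
    if (this.granted.has(category)) entry.stop = entry.start();
  }
  // Only an explicit click on a box the user ticked counts as consent;
  // scrolling, timeouts, silence and pre-ticked boxes are rejected.
  grant(category, signal) {
    if (!signal || signal.type !== "click" || signal.preTicked) return false;
    this.granted.add(category);
    for (const e of this.entries) {
      if (e.category === category && !e.stop) e.stop = e.start();
    }
    return true;
  }
  // Withdrawal is one call, as easy as granting, and undoes what start() did.
  withdraw(category) {
    if (category === NECESSARY) return false;
    this.granted.delete(category);
    for (const e of this.entries) {
      if (e.category === category && e.stop) { e.stop(); e.stop = null; }
    }
    return true;
  }
}

// Constructed demo: `jar` stands in for the browser cookie store.
function demo() {
  const jar = new Set();
  const gate = new ConsentGate();
  gate.register("session", NECESSARY, () => { jar.add("sid"); return () => jar.delete("sid"); });
  gate.register("ads-pixel", "marketing", () => { jar.add("ad_id"); return () => jar.delete("ad_id"); });
  const beforeConsent = [...jar];
  const implicit = gate.grant("marketing", { type: "scroll" });
  const preTicked = gate.grant("marketing", { type: "click", preTicked: true });
  const afterRejected = [...jar];
  const explicit = gate.grant("marketing", { type: "click", preTicked: false });
  const afterGrant = [...jar];
  gate.withdraw("marketing");
  return { beforeConsent, implicit, preTicked, afterRejected, explicit, afterGrant, afterWithdraw: [...jar] };
}
```

In a real page, each `start()` would inject the third-party script or pixel, and each `stop()` would remove it and expire its cookies.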