Grip tightens on bad cookie banners practices

New investigations by the Bavarian LDA and Dutch DPA on companies’ cookie consent practices and GDPR compliance is a clear indication that EU authorities are increasing their focus on companies’ use of online tracking technologies.

With little or no cookie-related enforcement by national regulators against website owners, many companies, e-commerce and ordinary websites have taken a “wait and see” approach to applying GDPR compliant cookie consent procedures on their websites.

However, things are beginning to stir within national authorities. New investigations and guidances on cookie-practices by the Dutch and Bavarian (Germany) data protection authorities send a clear message to companies: in 2019 they should begin take the GDPR seriously with respect to cookies and tracking.

In January 2019 the Bavarian data protection authority, Bayerisches Landesamt für Datenschutzaufsicht (Bavarian LDA), released a guidance directed toward companies with websites that use cookies to track customers for online behavioral profiling and marketing purposes.

The guidance was the result of a study conducted on 40 Bavarian websites across a range of industries to assess their compliance practices relating to tracking technologies used for personal advertising.

The results were shocking. None of the 40 websites were GDPR-compliant with respect to cookie consent management and all 40 websites were storing third-party tracking cookies before consent was given by the user.

Specifically, the LDA found:

  • All websites used third-party tracking cookies for marketing purposes.
  • 75% of websites did not include any information about tracking technologies on their sites and provided insufficient information about tracking in policies.
  • 75% of websites used cookie banners in an attempt to obtain consent, however, the information provided in these were deemed inadequate.
  • None provided users with the opportunity to give an informed, voluntary and affirmative consent.
  • All but one began tracking before a valid consent was obtained (as required by the GDPR recital 32).

Because the analysis was carried out across industries, the Bavarian LDA concluded that the poor state of cookie compliance and clandestine use of tracking technologies probably would comprise all companies, not just those using sophisticated advertising technologies.

Following the release of the guidance, the LDA implied it would start issuing monetary fines for lack of cookie and privacy compliance.

Data for access will no longer be tolerated

In March 2019 the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), published a guidance on “cookie walls”, which prevent the users from accessing a website unless they give their consent to cookies. The “data for access” business model – which relate particularly to third-party tracking cookies used for online behavioral profiling – is built on consent that is not freely given by the users. This is in clear violation of the provisions in the GDPR regarding online privacy.

According to the DPA, users must be offered the possibility to give freely and voluntary consent before tracking software such as cookies, pixels and fingerprinting are implemented by the site. Cookie walls do not give users a free choice to reject cookies and other tracking technologies as the site will block the access.

What are the implications for the future?

The investigations and guidance by both the DPA and LDA are clear indications that EU-regulators and national authorities are increasing their focus on companies’ consent practices relating to the use of cookies and other tracking technologies. The take-it-or-leave-it cookie walls will not be tolerated unless used for strictly necessary cookies. Furthermore, companies with tracking cookies on their website will have to comply with GDPR as soon as possible. In January the French Data Protection Authority (CNIL) fined tech-giant Google 50 million Euros for lack of transparency and lack of a valid consent concerning personalization of ads.

Link: CNIL fines Google 50 million euros for violating the GDPR

There are a range of options for company websites to become completely GDPR compliant regarding cookie practices.

First of all, the visitor must always be properly informed of which cookies and tracking technologies the websites uses and stores in the visitor’s browser.

Link: Inform users with a proper consent solution

Second, the website must prevent cookies that collect and process personal information (tracking cookies) from being stored before the user has provided a freely given and explicit consent. In essence this means, that silence, pre-ticked fields or inactivity do not constitute consent in the GDPR!

Link: How to prevent cookies from being set before consent

Third, the user must be able to alter or withdraw the cookie consent, and it must be a as easy as giving the consent.

Link: Checklist to collect a valid cookie consent in the era of the GDPR


Share on facebook
Share on twitter
Share on linkedin
Share on email

- Webinars - Webinars - Webinars - Webinars

- Webinars - Webinars - Webinars - Webinars

Where to start with cookies?

Join our webinars about compliance in the Nordics