Companies track their users without their freely given consent
The results were shocking. None of the 40 websites were GDPR-compliant with respect to cookie consent management, and all 40 websites were storing third-party tracking cookies before the user gave consent.
Specifically, the LDA found:
- All websites used third-party tracking cookies for marketing purposes. 75% of websites did not include any information about tracking technologies on their sites and provided insufficient information about tracking in policies.
- 75% of websites used cookie banners in an attempt to obtain consent. However, the information provided in these was deemed inadequate.
- None provided users with the opportunity to give an informed, voluntary and affirmative consent.
- All but one began tracking before a valid consent was obtained (as required by the GDPR recital 32).
Following the release of the guidance, the LDA implied it would start issuing monetary fines for lack of cookie and privacy compliance.
Data for access will no longer be tolerated
In March 2019, the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), published guidance on “cookie walls”, which prevent the users from accessing a website unless they give their consent to cookies. The “data for access” business model – particularly related to third-party tracking cookies used for online behavioral profiling – is built on the consent that the users do not freely give. This is in clear violation of the provisions in the GDPR regarding online privacy.
According to the DPA, users must be offered the possibility to give freely and voluntary consent before tracking software such as cookies, pixels, and the site implements fingerprinting. Cookie walls do not give users a free choice to reject cookies, and other tracking technologies as the site will block the access.
What are the implications for the future?