Public sector website
In June 2019 the European Data Protection Supervisor (EDPS) announced the results of an inspection of major EU bodies’ websites.
The inspection revealed that 7 out of 10 websites were not compliant with the General Data Protection Regulation (GDPR) or with the ePrivacy Directive (ePD). One of the main issues was third-party tracking without prior consent.
That is, most of the websites had third-party services installed which began collecting and processing (tracking) visitors’ personal data before the visitors had given any permission (cookie consent).
In response to the EDPS findings, all inspected EU institutions have acted to resolve the problems by significantly reducing the number of third-party trackers they use on their websites.
Giovanni Buttarelli of the EDPS states that:
“We have already received positive feedback from the inspected institutions concerning our recommendations and we expect to be able to confirm that all remaining issues are resolved in a follow-up inspection”.
Source: EDPS press release
First wave of inspections
For the first wave of inspections, the EDPS has selected ten public websites, including those of the European Parliament, the European Commission, the Court of Justice of the EU, Europol and the European Banking Authority, as well as the websites of the EDPS and European Data Protection Board (EDPB).
The EDPS inspection concerned the data protection compliance of public web services controlled by the EU institutions and bodies, assessing compliance with Regulation 2018/1725, the ePrivacy Directive 2002/57EC and the recommendations provided in the 2016 Guidelines on web services.
Next wave of inspections
The EDPS will monitor the efforts of the EU institutions inspected whether they will effectively bring down the number of third-party tracking services to a satisfactory level so EU citizens can expect not to have their data collected and processed without their consent.
The EDPS will also broaden their scope of inspections in the following months. The next wave of inspections will focus on the most visited websites of the EU institutions and bodies.
What is tracking?
Tracking of internet users’ online behavior is usually performed by the cookies AdTech companies set through websites that use their services (e.g. Google Analytics). When the user visits a website that uses for example Google Analytics to measure traffic on their site, Google stores a number of cookies in the users’ web browser to know which pages are visited, for how long, and where the user is off to next. Other than just providing this data to the owner of the website, Google also uses the information to profile users online for marketing purposes (e.g. Google Ads). The cookies used by Google also collect and process information about the user that is classified as personal information such as IP-addresses, online identifiers, device IDs, and other information that can directly or indirectly identify the user. According to the GDPR, collecting and processing personal data requires the users’ consent, and in most cases Google Analytics’ cookies are set before the user has given his or her consent (prior consent).
What can you do?
There are a few steps to test your website’s compliance with the GDPR and ePrivacy. Here is a short list to check your compliance:
- Do you have a cookie pop-up banner?
- Is it valid? Does it collect – and store – your visitors’ consents?
- Can your visitors reject cookies (opt-out)?
- Does your cookie consent solution block cookies prior to consent?
You can have one of our experts handcraft you a report tailored to your website to test your GDPR compliance. It is free and you get the report within 48 hours.
It is imperative with respect to EU legislation (GDPR) that you ask for your visitors’ consent to set tracking cookies (cookies that process personal data for marketing purposes); that you store consents in case of inspection by Data Protection Authorities; and that you give users the possibility to opt-out of tracking on your website creating a Tracking free zone.