EU flags own websites for unlawful cookie use

EU inspection reveals several EU institutions’ websites are not compliant with the GDPR or ePrivacy Directive. Main issue is third-party tracking without prior consent. The EDPS says inspections will continue in the months to come. See our GDPR compliant checklist.
Table of Contents

Public sector website

In June 2019, the European Data Protection Supervisor (EDPS) announced the results of an inspection of major EU bodies’ websites.
The inspection revealed that 7 out of 10 websites were not compliant with the General Data Protection Regulation (GDPR) or the ePrivacy Directive (ePD). One of the main issues was third-party tracking without prior consent.
Most websites had third-party services installed, which began collecting and processing (tracking) visitors’ data before the visitors had given any permission (cookie consent).
In response to the EDPS findings, all inspected EU institutions have acted to resolve the problems by significantly reducing the number of third-party trackers they use on their websites.
Giovanni Buttarelli of the EDPS states that:
“We have already received positive feedback from the inspected institutions concerning our recommendations and we expect to be able to confirm that all remaining issues are resolved in a follow-up inspection”.

The first wave of inspections

For the first wave of inspections, the EDPS has selected ten public websites, including those of the European Parliament, the European Commission, the Court of Justice of the EU, Europol, and the European Banking Authority, as well as the websites of the EDPS and European Data Protection Board (EDPB).
The EDPS inspection concerned the data protection compliance of public web services controlled by the EU institutions and bodies, assessing compliance with Regulation 2018/1725, the ePrivacy Directive 2002/57EC, and the recommendations provided in the 2016 Guidelines on web services.

Next wave of inspections

The EDPS will monitor the efforts of the EU institutions and inspect whether they will effectively bring down the number of third-party tracking services to a satisfactory level so EU citizens can expect not to have their data collected and processed without their consent.
The EDPS will also broaden its scope of inspections in the following months. The next wave of inspections will focus on the most visited websites of the EU institutions and bodies.

What is tracking?

Tracking of internet users’ online behavior is usually performed by the cookies AdTech companies set through websites that use their services (e.g., Google Analytics). When the user visits a website that uses, for example Google Analytics to measure traffic on their site, Google stores a number of cookies in the user’s web browser to know which pages are visited, for how long, and where the user is off to next. Besides just providing this data to the website owner, Google also uses the information to profile users online for marketing purposes (e.g., Google Ads). The cookies used by Google also collect and process information about the user that is classified as personal information, such as IP addresses, online identifiers, device IDs, and other information that can directly or indirectly identify the user. According to the GDPR, collecting and processing personal data requires the users’ consent. In most cases, Google Analytics cookies are set before the user has given consent (prior consent).

What can you do?

There are a few steps to test your website’s compliance with the GDPR and ePrivacy. Here is a shortlist to check your compliance:
  • Do you have a cookie pop-up banner?
  • Is it valid? Does it collect – and store – your visitors’ consents?
  • Can your visitors reject cookies (opt-out)?
  • Does your cookie consent solution block cookies prior to consent?
  • Do you have a cookie policy?
You can have one of our experts handcraft you a report tailored to your website to test your GDPR compliance. It is free, and you get the report within 48 hours.
It is imperative with respect to EU legislation (GDPR) that you ask for your visitors’ consent to set tracking cookies (cookies that process personal data for marketing purposes); that you store consent in case of inspection by Data Protection Authorities; and that you give users the possibility to opt-out of tracking on your website creating a tracking free zone.