National authorities tighten grip on companies’ cookie practices and lack of GDPR compliance

New investigations by the Bavarian LDA and Dutch DPA into companies’ cookie consent practices and GDPR compliance are a clear indication that EU authorities are increasing their focus on companies’ use of online tracking technologies.

With little or no cookie-related enforcement by national regulators against website owners, many companies, e-commerce sites and ordinary websites have taken a “wait and see” approach to applying GDPR-compliant cookie consent procedures on their websites.

However, things are beginning to stir within national authorities. New investigations and guidance on cookie practices by the Dutch and Bavarian (Germany) data protection authorities send a clear message to companies that in 2019 they should begin to take the GDPR seriously with respect to cookies and tracking.

Companies track their users without their freely given consent

In January 2019 the Bavarian data protection authority, Bayerisches Landesamt für Datenschutzaufsicht (Bavarian LDA), released guidance directed at companies with websites that use cookies to track customers for online behavioral profiling and marketing purposes.

The guidance was the result of a study conducted on 40 Bavarian websites across a range of industries to assess their compliance practices relating to tracking technologies used for personal advertising.

The results were shocking. None of the 40 websites were GDPR-compliant with respect to cookie consent management and all 40 websites were storing third-party tracking cookies before consent was given by the user.

Specifically, the LDA found:

  • All websites used third-party tracking cookies for marketing purposes.
  • 75% of websites did not include any information about tracking technologies on their sites and provided insufficient information about tracking in policies.
  • 75% of websites used cookie banners in an attempt to obtain consent; however, the information provided in these was deemed inadequate.
  • None provided users with the opportunity to give an informed, voluntary and affirmative consent.
  • All but one began tracking before a valid consent was obtained (as required by the GDPR recital 32).

Because the analysis was carried out across industries, the Bavarian LDA concluded that the poor state of cookie compliance and clandestine use of tracking technologies probably extends to all companies, not just those using sophisticated advertising technologies.

Following the release of the guidance, the LDA implied it would start issuing monetary fines for lack of cookie and privacy compliance.

Data for access will no longer be tolerated

In March 2019 the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), published guidance on “cookie walls”, which prevent users from accessing a website unless they give their consent to cookies. The “data for access” business model (which relates particularly to third-party tracking cookies used for online behavioral profiling) is built on consent that is not freely given by the users. This is in clear violation of the provisions in the GDPR regarding online privacy.

According to the DPA, users must be offered the possibility to give free and voluntary consent before tracking technologies such as cookies, pixels and fingerprinting are implemented by the site. Cookie walls do not give users a free choice to reject cookies and other tracking technologies, because the site will block access.

Future implications?

The investigations and guidance by both the DPA and LDA are clear indications that EU regulators and national authorities are increasing their focus on companies’ consent practices relating to the use of cookies and other tracking technologies. The take-it-or-leave-it cookie walls will not be tolerated unless used for strictly necessary cookies. Furthermore, companies with tracking cookies on their website will have to comply with GDPR as soon as possible. In January the French Data Protection Authority (CNIL) fined tech giant Google 50 million euros for lack of transparency and lack of a valid consent concerning personalization of ads.

Link: CNIL fines Google 50 million euros for violating the GDPR

How to get 100% cookie compliant?

There is a range of options for company websites to become completely GDPR compliant regarding cookie practices.

First of all, the visitor must always be properly informed of which cookies and tracking technologies the website uses and stores in the visitor’s browser.

Link: Inform users with a proper consent solution

Second, the website must prevent cookies that collect and process personal information (tracking cookies) from being stored before the user has provided a freely given and explicit consent. In essence, this means that silence, pre-ticked fields or inactivity do not constitute consent under the GDPR!

Link: How to prevent cookies from being set before consent

Third, the user must be able to alter or withdraw the cookie consent, and it must be as easy as giving the consent.

Link: Checklist to collect a valid cookie consent in the era of the GDPR

Would you like to learn more about how your company can take an active approach to comply with GDPR and cookies on your website?

Visit Cookie Information today. We have a wide variety of cookie compliance solutions which can be tailored specifically to your company needs.

About Cookie Information

Cookie Information is a Privacy Tech Company specializing in developing software that helps you and your company ensure that your websites and mobile apps are GDPR & ePrivacy compliant. Cookie Information provides solutions globally, and we help more than 1,000 companies and handle more than 6 billion consents each year.