As has been widely reported, in late January the French privacy supervisor CNIL fined Google €50 million for privacy violations relating to targeted marketing using Android user data. One of the core violations the CNIL found was that Google’s Android user interface did not obtain effective, GDPR-compliant consent to targeted marketing from users. The amount of the Google fine startled many companies, but with time the shock faded. Google was seen as a special case, and a number of companies began to presume that, while scrutiny of targeted online marketing may pick up, “we’re not Google or Facebook” – so that run-of-the-mill cookie and online-advertising practices would not create a significant enforcement risk in the near term.
This perception might require reevaluation. Today, the Data Protection Authority (DPA) of the German state of Bavaria announced it was considering fining a number of companies under the GDPR for their website cookie practices. None of these companies appear to be in Google-style tech industries. The Bavarian DPA’s action potentially signals that cookies, user tracking, and online advertising are not a ‘tech industry issue,’ but instead a priority issue for companies irrespective of their industry – and one that can carry GDPR fine risk.
Background of the Bavarian DPA’s Cookie Practices Sweep
In an online publication, the Bavarian DPA today announced it had conducted a sweep of 40 large companies’ website cookie and user tracking practices. While the identities of these companies have not been published (as is common in Continental European agency investigations), the Bavarian DPA identified the industries in which the companies were active – and no company was identified as a technology or ‘tech’ company.
The spread of the Bavarian DPA’s investigation outside of the core tech sector is potentially significant from an enforcement-intentions standpoint, since Bavaria is one of Germany’s leading economic regions with a strong venture-capital and technology sector. In other words, a tech focus could have been present had the Bavarian DPA wanted it. Additionally, the focus here was on cookie management by consumer-facing websites – an issue faced across industries – and not on back-end data uses or integrations with marketing partners.
Following its sweep, the Bavarian DPA today announced that none of the 40 companies it had audited had built GDPR-compliant cookie/tracking practices into their websites. As a result, the Bavarian DPA has announced it is considering GDPR fines.
Summary of the Findings of the Bavarian DPA’s Cookie Sweep
As a quick summary of the Bavarian DPA’s cookie sweep:
• The Bavarian DPA audited 40 “large websites”. The companies audited were from the following industries:
(a) Online retail;
(b) Sports;
(c) Banking & insurance;
(d) Media;
(e) Automotive & electronics;
(f) Home and residential; and
(g) Other.
• The sweep revealed that all 40 websites had integrated cookies or other “tracking tools”. While the Bavarian DPA leaves the term “tracking tools” largely undefined, it indicates that they are tools such as pixels, beacons, or the like, which are provided by third parties and result in data being sent to these third-party providers.
• The Bavarian DPA found that none of the 40 websites’ cookie practices were GDPR-compliant. It found the following violations:
- Websites lacked the transparency needed for “informed” cookie consent. 30 of the 40 audited websites did not provide sufficiently transparent disclosures to users regarding the website’s use of tracking technology. The Bavarian DPA indicates that providing users with ‘sufficiently transparent’ disclosures means: (a) individually identifying all cookies/trackers (and presumably the companies behind them); and (b) letting users know the specific purposes for which data collected by the identified cookies will be used.
- No “prior” consent was collected from users. The Bavarian DPA indicated that for most of the 40 websites, cookie data was “automatically” sent to third-party cookie providers as soon as the user visited the website. Thus, “tracking occurs before the user can make a decision about whether he will permit such processing.” Only 1 out of 40 websites permitted the user to stop profiling using browser settings.
- The consent obtained was not sufficiently “active”. The Bavarian DPA’s position is that cookies and “tracking scripts” should be blocked until “the user has actively consented.” The Bavarian DPA noted that most of the 40 websites used cookie banners to inform users about their use of cookies, and that none of these banners resulted in effective consent being collected from the user. It is unclear what the DPA is communicating here; prior to the GDPR, most jurisdictions and the Article 29 Working Party viewed significant interaction with a website as giving rise to implied, but still legally effective ‘active’ consent. It may be that none of the websites integrated a cookie-blocking function prior to ‘consent events’ being logged.
• In public announcements following this sweep, the Bavarian DPA announced it was considering GDPR fines for the website operators.
As with the CNIL’s Google decision, the Bavarian DPA’s action raises significant questions as to what the post-GDPR law of cookie consent is. Cookie consent requirements come from the EU’s ePrivacy Directive. As we reported in detail in an earlier Bloomberg article, Germany’s ePrivacy implementing statutes – which are still on the books – expressly permit websites to use cookies without obtaining prior user consent, as long as they offer an opt-out. However, the German DPAs are reading the GDPR as invalidating these statutes, and are now attempting to implement their own, revised standards for cookies and online tracking. As we point out, these agency-led attempts at tightening cookie consent law are not without significant criticism. But companies will have to engage with them, and many companies’ cookie practices are in any case often not compliant even with pre-GDPR cookie standards.
The larger point of the Bavarian DPA’s action is that cookie compliance appears to be becoming a front-burner issue for EU privacy regulators – and an issue that can generate fines. Yes, cookie consent law may be evolving. But regulators are starting to take it seriously, and companies should as well. A number of third-party cookie-management tools are available. Also, in most industries, companies can find participants that have implemented ‘templatable’ cookie management interfaces. Cookie compliance can be audited at any time in under 10 minutes, and companies that do not prioritize getting the basics right are exposing themselves to significant risk.
Thus, enforcement focus on cookie practices is perhaps unsurprising. Cookie banners are visible to consumers (and enforcers) as they enter a commercial website. Compared with back-end data practices (such as documentation of the purposes of processing), cookie banners can be easily evaluated by enforcement agencies, consumers, and privacy activists.
* * * * *
At Alston & Bird, our US- and Brussels-based Privacy & Data Security Practice is closely following the evolving GDPR enforcement environment in the EU Member States. We have significant experience advising on cookie compliance facing a number of European privacy regulators. For more information contact Jim Harvey, David Keating, Peter Swire, or Daniel Felz.