In the absence of cookies-related guidance and enforcement by regulators against ordinary website publishers and operators, many e-commerce sites, online publishers and other website operators have taken a “wait and see” approach with respect to implementing GDPR-compliant cookies consent procedures. Recent cookies-related regulatory guidance, however, from the Dutch data protection authority, Autoriteit Persoonsgegevens (“Dutch DPA”), and the Bavarian data protection authority, Bayerisches Landesamt für Datenschutzaufsicht (“BayLDA”), sends a clear signal that companies should be taking a new approach with respect to cookies in 2019. In a previous post, we discussed the UK Information Commissioner’s Office’s warning to the Washington Post for its practice of allowing free access to certain articles only if users consented to tracking cookies.
The Dutch DPA guidance
The Dutch DPA, in early March 2019, published guidance on “cookie walls,” which block a user’s access to the site unless they consent to cookies. This “data for access” model – particularly as it relates to tracking cookies used for online behavioral advertising (also known as interest-based advertising) – amounts to consent that is not freely given by users, in violation of the GDPR, according to the guidance.
The guidance reiterated that visitors must give prior consent to websites, freely and voluntarily, to implement “tracking software” such as cookies, tracking pixels or fingerprinting. Cookie walls do not provide visitors a free choice to allow cookies because they block access to the site unless the visitor accepts tracking. The Dutch DPA did clarify, however, that cookie walls are permitted in the context of using essential cookies which ensure “proper functioning of the website,” as well as cookies that are used for “general analysis of the visit on that site.”
The Dutch regulatory body released the statement after it received “dozens” of complaints from visitors who were denied access after refusing to accept the use of tracking cookies through a cookie wall. In addition to releasing this guidance, the Dutch DPA sent warning letters to an unspecified number of website owners that received the largest number of complaints. The DPA’s guidance did not identify any of these websites, the size of the companies or the industries involved, but its unqualified reference to “websites” may be an indication that it is casting a wide net.
The BayLDA report
BayLDA’s recent guidance is directed toward companies operating websites with standard cookies that track customers and users for interest-based advertising purposes, and comes with a warning: In a press release accompanying the report, the regulator indicated that it will begin imposing monetary fines for cookie compliance violations, especially by larger businesses.
BayLDA’s guidance was issued after the regulator conducted a study of 40 Bavarian websites to assess their compliance practices relating to tracking technologies used for interest-based advertising. The results? In a word, “dismal.” BayLDA found that none of the websites were compliant with respect to cookies consent management and indicated in its report that it may begin enforcement of cookie compliance in the near future. Because the sites analyzed by BayLDA spanned a range of industries – including e-commerce retailers (27.5%), media (17.5%), sports/athletics (12.5%), insurance and banking (12.5%), automobiles and electronics (10%), home and living (7.5%), and other (12.5%) – it is clear that regulators are considering the practices of all companies that operate ordinary websites, not just of those employing sophisticated advertising technologies.
The BayLDA report was commissioned in response to a reportedly “tremendous” number of privacy complaints about tracking tools and was limited to a simple audit, conducted over a short period, and a review of the public-facing aspects of each site. With respect to cookies and tracking technologies, the audit focused on five key areas:
- Whether extensive user profiles were created from the data obtained from the cookie tracking tools:
All the investigated websites were found to include tracking cookies that collected data to be processed by third parties for interest-based advertising purposes. The cookies automatically collected data on the user’s surfing behavior once the user visited the sites, which was then sent to third parties in the digital advertising ecosystem for creation of user profiles, without the user being informed.
- Whether the user was adequately informed about the use of cookie tracking tools:
Only 10 of the websites fulfilled the cookie disclosure requirements by including in their privacy policies the required information: identity of all the embedded tracking tools on the site, names or categories of the third parties that would receive user information obtained from those tools, the types of data collected from the user, the purpose for which the data were collected, and for how long the data would be stored.
The remaining 30 websites audited did not include any information about the tracking tools on the site, or provided insufficient information by giving only general descriptions in their privacy policies of some tracking tools used.
- Whether cookie banners were used to obtain consent:
Thirty of the 40 websites used cookie banners in an attempt to obtain consent, though the specifics were found to be inadequate by BayLDA. The remaining websites did not use any cookie banner.
- Whether the consent obtained was effective under the GDPR:
BayLDA noted that, under the GDPR, consent is only effective if: (1) it is given in advance of any actual tracking (i.e., before the cookie is fired on the site), (2) the user is informed in advance about the data processing through tracking tools and (3) it is voluntarily given. In its investigation, BayLDA found that none of the websites audited received advance, informed and voluntary consents as required by the GDPR. As a result, BayLDA concluded that all the websites audited were using tracking tools unlawfully.
- Whether the user could prevent profiling by data obtained from the tracking tools through the website’s settings:
All but one website audited began tracking the user even before the user was presented with the opportunity to decide whether to allow the website to process his or her personal data. Only one website accepted the “do not track” browser setting and blocked any tracking scripts after the user chose the “do not track” option.
Implications for future enforcement
*Please note that this article (including quoted materials) is based on unofficial translations of the Dutch DPA’s and BayLDA’s guidance.