As has been widely reported, in late January the French privacy supervisor CNIL fined Google €50 million for privacy violations relating to targeted marketing using Android user data. One of the core violations the CNIL found was that Google’s Android user interface did not obtain effective, GDPR-compliant consent to targeted marketing from users. The amount of the Google fine startled many companies, but with time the shock faded. Google was seen as a special case, and a number of companies began to presume that, while scrutiny of targeted online marketing may pick up, “we’re not Google or Facebook” – so that run-of-the-mill cookie and online-advertising practices would not create a significant enforcement risk in the near term.
This perception might require reevaluation. Today, the Data Protection Authority (DPA) of the German state of Bavaria announced it was considering fining a number of companies under the GDPR for their website cookie practices. None of these companies appear to be in Google-style tech industries. The Bavarian DPA’s action potentially signals that cookies, user tracking, and online advertising are not a ‘tech industry issue,’ but instead a priority issue for companies irrespective of their industry – and one that can carry GDPR fine risk.
Background of the Bavarian DPA’s Cookie Practices Sweep
In an online publication, the Bavarian DPA today announced it had conducted a sweep of 40 large companies’ website cookie and user tracking practices. While the identities of these companies have not been published (as is common in Continental European agency investigations), the Bavarian DPA identified the industries in which the companies were active – and no company was identified as a technology or ‘tech’ company.
The spread of the Bavarian DPA’s investigation outside of the core tech sector is potentially significant from an enforcement-intentions standpoint, since the Bavaria is one of Germany’s leading economic regions with a strong venture-capital and technology sector. In other words, a tech focus could have been present had the Bavarian DPA wanted it. Additionally, the focus here was on cookie management by consumer-facing websites – an issue faced across industries – and not on back-end data uses or integrations with marketing partners.
Following its sweep, the Bavarian DPA today announced that none of the 40 companies it had audited had built GDPR-compliant cookie/tracking practices into their websites. As a result, the Bavarian DPA has announced it is considering GDPR fines.
Summary of the Findings of the Bavarian DPA’s Cookie Sweep
As a quick summary of the Bavarian DPA’s cookie sweep:
• The Bavarian DPA audited 40 “large websites”. The companies audited were from the following industries:
(a) Online retail;
(c) Banking & insurance;
(e) Automotive & electronics;
(f) Home and residential; and
• The sweep revealed that all 40 websites had integrated cookies or other “tracking tools”. While the Bavarian DPA leaves the term “tracking tools” largely undefined, it indicates they are provided by third parties and result in data being sent to these third party providers, such as pixels, beacons, or the like.
• The Bavarian DPA found that none of the 40 websites’ cookie practices were GDPR-compliant. It found the following violations:
- Websites lacked the transparency needed for “informed” cookie consent. 30 of the 40 audited websites did not provide sufficiently transparent disclosures to users regarding the website’s use of tracking technology. The Bavarian DPA indicates that providing users with ‘sufficiently transparent’ disclosures means: (a) individually identifying all cookies/trackers (and presumably the companies behind them); and (b) letting users know the specific purposes for which data collected by the identified cookies will be used.
- No “prior” consent was collected from users. The Bavarian DPA indicated that for most of the 40 websites, cookie data was “automatically” sent data to third-party cookie providers as soon as the user visited the website. Thus, “tracking occurs before the user can make a decision about whether he will permit such processing.” Only 1 out of 40 websites permitted the user to stop profiling using browser settings.
• In public announcements following this sweep, the Bavarian DPA announced it was considering GDPR fines for the website operators.
The larger point of the Bavarian DPA’s action is that cookie compliance appears to be becoming a front-burner issue for EU privacy regulators – and an issue that can generate fines. Yes, cookie consent law may be evolving. But regulators are starting to take it seriously, and companies should as well. A number of third-party cookie-management tools are available. Also, in most industries, companies can find participants that have implemented ‘templatable’ cookie management interfaces. Cookie compliance can be audited at any time in under 10 minutes, and companies who do not prioritize getting the basics right are exposing themselves to significant risk.
Thus, enforcement focus on cookie practices is perhaps unsurprising. Cookie banners are visible to consumers (and enforcers) as they enter a commercial website. Compared with back-end data practices (such as documentation of the purposes of processing), cookie banners can be easily evaluated by enforcement agencies, consumers, and privacy activists.
* * * * *
At Alston & Bird, our US- and Brussels-based Privacy & Data Security Practice is closely following the evolving GDPR enforcement environment in the EU Member States. We have significant experience advising on cookie compliance facing a number of European privacy regulators. For more information contact Jim Harvey, David Keating, Peter Swire, or Daniel Felz.