As has been widely reported, in late January the French privacy supervisor CNIL fined Google €50 million for privacy violations relating to targeted marketing using Android user data. One of the core violations the CNIL found was that Google’s Android user interface did not obtain effective, GDPR-compliant consent to targeted marketing from users. The amount of the Google fine startled many companies, but with time the shock faded. Google was seen as a special case, and a number of companies began to presume that, while scrutiny of targeted online marketing may pick up, “we’re not Google or Facebook”—so that run-of-the-mill cookie and online-advertising practices would not create a significant enforcement risk in the near term.
This perception might require reevaluation. The data protection authority (DPA) of the German state of Bavaria announced it was considering fining a number of companies under the GDPR for their website cookie practices. None of these companies appear to be in Google-style tech industries. The Bavarian DPA’s action potentially signals that cookies, user tracking, and online advertising are not a “tech industry issue,” but instead a priority issue for companies irrespective of their industry—and one that can carry the risk of a GDPR fine.
Background of the Bavarian DPA’s Cookie Practices Sweep
In an online publication, the Bavarian DPA yesterday announced it had conducted a sweep of 40 large companies’ website cookie and user tracking practices. While the identities of these companies have not been published (as is common in Continental European agency investigations), the Bavarian DPA identified the companies’ industries—and no company was identified as a technology company.
The spread of the Bavarian DPA’s investigation outside the core tech sector is potentially significant from an enforcement-intentions standpoint, since Bavaria is one of Germany’s leading economic regions with a strong venture-capital and technology sector. In other words, a tech focus could have been present had the Bavarian DPA wanted it. Additionally, the focus here was on cookie management by consumer-facing websites—an issue faced across industries—and not on back-end data uses or integrations with marketing partners.
Following its sweep, the Bavarian DPA announced that none of the 40 companies it had audited had built GDPR-compliant cookie/tracking practices into their websites. As a result, the Bavarian DPA has announced it is considering GDPR fines.
Summary of the Bavarian DPA’s Cookie Sweep
The Bavarian DPA audited 40 “large websites.” The companies audited were from the following industries:
- Online retail
- Sports
- Banking & insurance
- Media
- Automotive & electronics
- Home and residential
- Other
The sweep revealed that all 40 websites had integrated cookies or other “tracking tools.” While the Bavarian DPA leaves the term “tracking tools” largely undefined, it indicates they are provided by third parties and result in data being sent to these third-party providers, such as pixels, beacons, or the like.
The Bavarian DPA found that none of the 40 websites’ cookie practices were GDPR-compliant. It found the following violations:
- Websites lacked the transparency needed for “informed” cookie consent. Thirty of the 40 audited websites did not provide users with sufficiently transparent disclosures about the website’s use of tracking technology. The Bavarian DPA indicates that providing users with sufficiently transparent disclosures means: (1) individually identifying all cookies/trackers (and presumably the companies behind them); and (2) letting users know the specific purposes for which data collected by the identified cookies will be used.
- No “prior” consent was collected from users. The Bavarian DPA indicated that for most of the 40 websites, cookie data was “automatically” sent to third-party cookie providers as soon as the user visited the website. Thus, “tracking occurs before the user can make a decision about whether he will permit such processing.” Only 1 out of 40 websites permitted the user to stop profiling using browser settings.
- The consent obtained was not sufficiently “active.” The Bavarian DPA’s position is that cookies and “tracking scripts” should be blocked until “the user has actively consented.” The Bavarian DPA noted that most of the 40 websites used cookie banners to inform users about their use of cookies—and found that none of these banners resulted in effective consent being collected from the user. It is unclear what the DPA is communicating here; before the GDPR was passed, most jurisdictions and the Article 29 Working Party viewed significant interaction with a website as giving rise to implied, but still legally effective, “active” consent. It may be that none of the websites integrated a cookie-blocking function prior to consent events being logged. The conference of German DPAs is expected to publish a paper on online tracking, which may provide more insight into their position on “active” implied cookie consent under the GDPR.
In public announcements following this sweep, the Bavarian DPA announced it was considering GDPR fines for the website operators.
As with the CNIL’s Google decision, the Bavarian DPA’s action raises significant questions about what the post-GDPR law of cookie consent is. Cookie consent requirements come from the EU’s ePrivacy Directive. As we reported in detail for Bloomberg, Germany’s ePrivacy implementing statutes—which are still on the books—expressly permit websites to use cookies without obtaining prior user consent, as long as they offer an opt-out. However, the German DPAs are reading the GDPR as invalidating these statutes, and are now attempting to implement their own, revised standards for cookies and online tracking. As we point out, these agency-led attempts at tightening cookie consent law are not without significant criticism. But companies will have to engage with them, and many companies’ cookie practices are in any case often not compliant even with pre-GDPR cookie standards.
The larger point of the Bavarian DPA’s action is that cookie compliance appears to be becoming a front-burner issue for EU privacy regulators—and an issue that can generate fines. Yes, cookie-consent law may be evolving. But regulators are starting to take it seriously, and companies should as well. A number of third-party cookie-management tools are available. Also, in most industries, companies can find participants that have implemented “templatable” cookie-management interfaces. Cookie compliance can be audited at any time in under 10 minutes, and companies that do not prioritize getting the basics right are exposing themselves to significant risk.
Enforcement focus on cookie practices is perhaps unsurprising. Cookie banners are visible to consumers (and enforcers) as they enter a commercial website. Compared with back-end data practices (such as documentation of the purposes of processing), cookie banners can be easily evaluated by enforcement agencies, consumers, and privacy activists.