eDiscovery Daily Blog

In Today’s Privacy Environment, That’s the Way the (Website) Cookie Crumbles: Data Privacy Trends

It’s only been three weeks, but we’ve already talked plenty about the first big GDPR fine: a €50 million (or about $56.8 million) fine levied on Google for failing to comply with GDPR. Sure, you’re thinking “that’s Google, I can see how they got fined, but nothing to worry about here”. Right? Well, you may want to think again.

As covered in Alston & Bird’s Privacy and Data Security Blog (Google-Style GDPR Fines for Everyone? Bavarian DPA Conducts Website Cookie Practices Sweep, Announces Fines under Consideration, written by Daniel Felz; hat tip to Rob Robinson’s Complex Discovery blog for the link), last week, the Data Protection Authority (DPA) of the German state of Bavaria announced it was considering fining a number of companies under the GDPR for their website cookie practices.  None of these companies appear to be in Google-style tech industries.  The Bavarian DPA’s action potentially signals that cookies, user tracking, and online advertising are not a ‘tech industry issue,’ but instead a priority issue for companies irrespective of their industry – and one that can carry GDPR fine risk.

In an online publication, the Bavarian DPA announced it had conducted a sweep of 40 large companies’ website cookie and user tracking practices.  While the identities of these companies have not been published (as is common in Continental European agency investigations), the Bavarian DPA identified the industries in which the companies were active – and no company was identified as a technology company.  Following its sweep, the Bavarian DPA announced that none of the 40 companies it had audited had built GDPR-compliant cookie/tracking practices into their websites.  As a result, the Bavarian DPA has announced it is considering GDPR fines.  The companies audited were from industries ranging from online retail to sports to banking & insurance to media, even automotive & electronics and home and residential.

The Bavarian DPA found the following violations:

  1. Websites lacked the transparency needed for “informed” cookie consent. 30 of the 40 audited websites did not provide sufficiently transparent disclosures to users regarding the website’s use of tracking technology;
  2. No “prior” consent was collected from users. The Bavarian DPA indicated that for most of the 40 websites, cookie data was “automatically” sent to third-party cookie providers as soon as the user visited the website;
  3. The consent obtained was not sufficiently “active”. The Bavarian DPA’s position is that cookies and “tracking scripts” should be blocked until “the user has actively consented.” The interesting thing here is that the Bavarian DPA noted that most of the 40 websites used cookie banners to inform users about their use of cookies, but that none of these banners resulted in effective consent being collected from the user.  As the article notes, it may be that none of the websites integrated a cookie-blocking function prior to ‘consent events’ being logged.
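
The check implied by findings 2 and 3, as an added example that is not from the original post or the Bavarian DPA: it walks a constructed, ordered event log from one page visit and flags every third-party request sent before active consent was recorded. The hostnames, the event field names and the rule that only an explicit click counts as active consent are assumptions.

```javascript
// Constructed sample: ordered events from one page visit (hosts are placeholders).
const SAMPLE_VISIT = [
  { t: 0,    type: "request", host: "www.shop.example" },
  { t: 120,  type: "request", host: "tracker.ads.example", setsCookie: true },
  { t: 300,  type: "consent", action: "banner_shown" },
  { t: 900,  type: "request", host: "cdn.shop.example" },
  { t: 1500, type: "request", host: "pixel.social.example", setsCookie: true },
  { t: 4000, type: "consent", action: "accept_click" },
  { t: 4100, type: "request", host: "tracker.ads.example", setsCookie: true },
];

// Assumption: only an explicit click counts as "active" consent; showing a
// banner or continued browsing does not.
const ACTIVE_ACTIONS = new Set(["accept_click"]);

// Simplified first-party test: the site domain itself or one of its subdomains.
// A production check would use the Public Suffix List instead.
function isThirdParty(host, siteDomain) {
  return host !== siteDomain && !host.endsWith("." + siteDomain);
}

// Returns every third-party request made before active consent was recorded.
function auditPreConsent(events, siteDomain) {
  const ordered = [...events].sort((a, b) => a.t - b.t);
  let consented = false;
  const findings = [];
  for (const ev of ordered) {
    if (ev.type === "consent") {
      if (ACTIVE_ACTIONS.has(ev.action)) consented = true;
      continue;
    }
    if (ev.type === "request" && !consented && isThirdParty(ev.host, siteDomain)) {
      findings.push({ t: ev.t, host: ev.host, setsCookie: Boolean(ev.setsCookie) });
    }
  }
  return findings;
}

console.log(auditPreConsent(SAMPLE_VISIT, "shop.example"));
```

The request at t=1500 is flagged even though a banner was already on screen, which is the pattern the DPA describes: a banner that informs but does not block.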

As the article notes, the larger point of the Bavarian DPA’s action is that cookie compliance appears to be becoming a front-burner issue for EU privacy regulators – and an issue that can generate fines.  Which means it should probably be a front-burner issue with companies out there as well.  Oh, and by the way, Alston & Bird’s blog also has a countdown to the effective date of the California Consumer Privacy Act (CCPA) — 328 days and counting by the time you read this, so get ready for more compliance challenges in the future.

So, what do you think? Will this change how companies implement tracking cookies in their websites? Please share any comments you might have, or let us know if you’d like to know more about a particular topic.
