Greetings from Munich!
Further to the CNIL fining Google in late January, which sparked much debate in the privacy community across Europe, February also saw some regulatory echoes in Germany through the Bavarian Data Protection Authority, which announced it was considering fining several companies under the GDPR for their website cookie practices. Following a sweep of website cookie and tracking practices of 40 large companies, the DPA said that none of the companies it audited had built GDPR-compliant tracking practices into their websites. The DPA found the following violations: 1.) websites lacked the transparency needed for “informed” cookie consent; 2.) no “prior” consent was collected from users; and as such 3.) consent obtained was not sufficiently “active.”
As a backdrop, with IP addresses in combination with date and time stamps already considered personal data under the GDPR, German DPAs had already taken the position that only anonymous website tracking was legally admissible without prior consent of visitors.
Pseudonymized web-tracking tools (especially retargeting) under the law prior to the GDPR used to be essentially “privacy compliant” if the website provided an opt-out. However, under the GDPR, German DPAs concluded that every tracking mechanism that builds profiles of website visitors — even if based on pseudonymized data — would require prior consent of the website users. This decision was widely criticized by multiple stakeholders, as many argued this type of tracking would, or should, be permissible using legitimate interest as the processing basis. German companies therefore broadly disregarded the statement of the German DPAs.
The Bavarian DPA has now decided to start enforcing the rules on web tracking. Moreover, the DPAs are also expected to develop automated tools to check larger numbers of websites in the future; companies need to be aware of this measure.
Special scrutiny was also given to “cookie notices,” which were deemed lacking. As regards consent, users were not given a choice between accepting pseudonymized or personalized tracking and visiting the website anonymously. The authority also stated that in most cases tracking was already “active” merely by visiting the website, regardless of whether the user had clicked on the cookie notice or not.
According to one local provider of a consent management platform here in Germany, typically 50 to 70 percent of users would explicitly allow the use of pseudonymized or personalized tracking tools. With this in mind, and following the legal stance taken by the German DPAs, companies would lose up to 30 to 50 percent of the insight into, and retargeting capability for, their website traffic. This might not be as critical for some B2B companies; for the B2C sectors, however, the impact could be business-critical. We may well expect to see the decision being challenged in German courts at some point in time.
Interestingly, back in December 2018, the Austrian DPA stated that a website provider had the right to differentiate between a “tracking-free” website for paying customers and an alternative free offer with imposed tracking capabilities. We may see this being leveraged by the European Data Protection Board in future guidance or statements. In the meantime, companies would do well to change their tracking policies and switch to consent management platforms to mitigate risk or at least do a proper risk assessment for the continued tracking based on legitimate interest.