The Bavarian Data Protection Authority (‘Bavarian DPA’) audited major Bavarian websites for their use of tracking tools on Safer Internet Day. It calls its findings “desolate”. None of the tracking tools were implemented in a compliant manner.

Audit by the Bavarian DPA

Tracking and the requirements for using cookies have been a highly debated topic by the EU data protection authorities since last spring. The Conference of German Data Protection Authorities released a position paper on 26 April 2018, stating that tracking and profiling cookies require opt-in consent (‘Position Paper’; read more on the Position Paper in our blog here and find more background on cookies under GDPR in the German-language videos here).

The Bavarian DPA audited 40 Bavarian websites. In a summary report (‘Summary Report’, available here), the Bavarian DPA stated that all websites that were reviewed used third-party tracking tools, but none was implemented in compliance with data protection law. The websites tested relate to the following industries: online shops, sports, insurances, banks, media, cars and houses.

The Bavarian DPA emphasised its audit on transparency and consent.

With regard to transparency, the Bavarian DPA found:

  • 25% of the audited websites included information on tracking tools in their privacy policies.
  • 75% of the audited websites included no or insufficient information in their privacy policies. Most of the website providers did not disclose information about tracking tools at all or just provided general information about a variety of tracking tools that were sometimes not even used on that specific website.

With regard to consent, the Summary Report states:

  • 20% of the audited websites did not obtain consent to the use of tracking tools at all.
  • 80% of the audited websites obtained consent, but the consent did not comply with data protection law. The consents did not comply with the ‘prior’, ‘informed’ or ‘freely given’ requirements.

Comment

The Bavarian DPA only provided an executive summary–style report, without disclosing any details on the reasons for noncompliance or the next steps it will take. However in a press release accompanying the Summary Report (available here), Thomas Kranig, president of the Bavarian DPA, stated: “We have decided to remedy the defects [concerning tracking tools] and to review whether fines should be issued. We expect major organisations in particular to comply with the legal requirements.” The audit by the Bavarian DPA and the Position Paper highlight that tracking tools are currently on top of the list of the German supervisory authorities, and organisations must ensure that they comply, particularly with the transparency and consent requirements.

However, there is no unified approach by the European supervisory authorities yet. Some of the other European supervisory authorities seem still to accept opt-out consent. This situation needs clarification and a joint approach taken by the European supervisory authorities. Obviously a guidance paper by the European Data Protection Board would be helpful at this point. Such a guidance paper has, however, not yet been announced.