BayLDA - Activity Report 2017/18: Bavarian authority advises to obtain explicit, active consent for cookies
The Bavarian State Office for Data Protection Supervision (BayLDA) published its 8th activity report in March and informed the public in detail about the focus of its work. The Activity Report 2017/18 deals in particular with the complaints and data protection incidents in the years 2017 and 2018 - across all areas.
Dramatic increase in complaints in 2018
According to the Authority, since the GDPR came into effect at the end of May 2018, the number of complaints has more than doubled compared to the previous year: the number of complaints rose to 3643 in 2018.*
In addition, there appears to be an increase in consultations provided as well as in reports of data breaches. The BayLDA states:
"A total of 2471 reports were received in 2018 - as many as 2376 of them since May 25, 2018. This is an absolute record in our history as a Bavarian Supervisory Authority."
In the previous year, the number of reported data breaches was 136. The Authority anticipates a further increase in such notifications in 2019 and 2020.
* However, it should be noted that so-called non-credible complaints were also counted, i.e. complaints in which an infringement could not be substantiated. As of next year, these are summarized under the term "control suggestions" and no longer included in the analysis of the complaints.
The duty to inform under GDPR applies to all website operators
In its activity report from 2017/18, the Bavarian State Office for Data Protection Supervision continues to clarify how data protection declarations must be implemented. Although the GDPR does not prescribe any fixed wording, the Authority determines that all information has to be made available on the website "in a concise, transparent, intelligible and easily accessible form, using clear and plain language" (Article 12(1) GDPR).
Basically, the privacy statements therefore serve to ensure fair and transparent processing. The BayLDA confirms that the information obligation affects every website operator. Therefore the user needs to be informed directly when entering a website that his or her IP address is being processed, as it is required as control information for the transmission of data between the service provider (or the company hosting the website) and the user.
The information requirement can be neglected only if the IP address is not forwarded by the hosting company to the service provider and the service provider has no possibility of retrieving it. The BayLDA then checks this special case according to the criteria set out in its info sheets (see: BayLDA Info sheets).
Cookies require a GDPR-compliant consent
Even the well-known cookie banners must ask for the users' consent in a GDPR-compliant manner and inform them about the processing of their data. In its report, the BayLDA states that a "variety of cookie banners (...) does not meet the data protection requirements".
Furthermore, the Authority points out that consent is only effective if it is given actively, which means that choices must not be preset (pre-ticked) in the cookie banner.
In addition, cookie banners must initially block all scripts on a website (or in an app) that could potentially capture user data, until consent has been given.
The BayLDA checked exactly these requirements for a GDPR-compliant consent on the occasion of the Safer Internet Day 2019 on 40 high-reach corporate websites - with the result that none of these websites collects consent compliantly. For the affected websites, this has consequences in the form of possible fine proceedings. Learn more: BayLDA Tracking Analysis
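The two requirements above (no preset choices, and tracking scripts blocked until consent) can be implemented with a small consent gate on the client side. The following is an added example written for this article; it is not code from the BayLDA or from any CMP vendor. The consent categories, the `data-consent` / `data-src` attribute names and the declared script list are constructed for illustration. The browser-side pattern it relies on is the standard one: gated scripts are declared with `type="text/plain"`, which browsers never execute, and are only swapped for executable copies once the user has actively opted in to the matching category.

```javascript
// Consent gate for tracking scripts (added example, not from the original article).
// Hypothetical consent categories for this demo.
const CATEGORIES = ["analytics", "marketing"];

// Default state: every category refused. Nothing is pre-ticked, so a user who
// simply closes the banner has consented to nothing.
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Apply a banner submission. Only an explicit boolean `true` counts as an
// active opt-in; missing, falsy or non-boolean values stay refused.
function applyChoices(choices) {
  const consent = defaultConsent();
  for (const c of CATEGORIES) {
    if (choices && choices[c] === true) consent[c] = true;
  }
  return consent;
}

// Constructed list of gated scripts as they would be declared in the page.
// Each is inert until its category is consented to.
const GATED_SCRIPTS = [
  { id: "analytics-tag", category: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "ad-pixel", category: "marketing", src: "https://example.invalid/pixel.js" },
];

// Pure decision logic: which declared scripts may be activated for this consent state.
function scriptsToActivate(declared, consent) {
  return declared.filter((s) => consent[s.category] === true);
}

// Browser-side activation. Gated scripts are written into the HTML as
//   <script type="text/plain" data-consent="analytics" data-src="..."></script>
// so the browser never runs them. After an active opt-in we replace each
// permitted placeholder with a real <script>. Returns how many were activated;
// outside a browser (no `document`, e.g. under Node) it activates nothing.
function activateInBrowser(consent, doc = globalThis.document) {
  if (!doc) return 0;
  const nodes = doc.querySelectorAll('script[type="text/plain"][data-consent]');
  let activated = 0;
  for (const placeholder of nodes) {
    if (consent[placeholder.dataset.consent] !== true) continue;
    const live = doc.createElement("script");
    if (placeholder.dataset.src) live.src = placeholder.dataset.src;
    else live.textContent = placeholder.textContent;
    placeholder.replaceWith(live);
    activated++;
  }
  return activated;
}

// Demo: the user ticks analytics only; a non-boolean "yes" for marketing is not consent.
const demoConsent = applyChoices({ analytics: true, marketing: "yes" });
console.log("consent:", demoConsent);
console.log("activate:", scriptsToActivate(GATED_SCRIPTS, demoConsent).map((s) => s.id));
```

The key property is that `defaultConsent()` is the state before any interaction and that `applyChoices()` can only flip a category to `true` on an explicit boolean; the activation step runs strictly after that decision, so no gated script executes on page load.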
Tracking only allowed with an active user consent
Another way of identifying users and their behavior is browser fingerprinting. A hash value that is unique to the browser is generated from basic values (operating system, software version) as well as further features (fonts installed on the PC, etc.). Browser fingerprinting allows user profiling while leaving users with few options for countermeasures.
The BayLDA therefore only advocates the use of browser fingerprinting technologies with prior explicit and active consent of the user:
"We believe that the use of browser fingerprinting technologies is only permitted with the consent of users. Providers that use this technology cannot protect themselves due to a balance of interests under Article 6 (1) (f) of the GDPR, as the users' interests are clearly outweighed by this."
For this reason, the authority will evaluate in cooperation with the Department of IT Security Infrastructures of the Friedrich-Alexander University of Erlangen-Nuremberg, whether the use of browser fingerprinting technologies can be detected by automatic testing methods. If the test procedure reveals the use of browser fingerprinting technologies without the GDPR-compliant consent of the user, the BayLDA plans, in addition to supervisory measures, the initiation of fine proceedings.
Fine proceedings in 2017/2018 still at a low level
During the 2017/2018 reporting period, the BayLDA processed 216 fine proceedings across all areas - however, in just 10 cases a fine was actually issued.
Will there be an opt-in obligation for cookies?
Fines have been increasing in Europe since the beginning of the year as a result of GDPR violations: the 50 million euros fine against Google by the French Data Protection Authority CNIL in January and pending lawsuits against 40 high-reach websites by the Bavarian State Office for Data Protection Supervision (BayLDA) in February. In both cases, user consent was not lawfully obtained.
A recent report by the ECJ Advocate General and the practice of AdTech giants like Google and Facebook come to the same conclusion: When using cookies, website providers need the active, prior and granular consent of the user.
For website operators, this has a huge impact and requires immediate action. Opt-in will sooner or later become a "must-have" for website operators. Therefore, it is important for companies to remain vigilant, to observe the developments and to check at an early stage how to leverage consent management. Consent Management Platforms (CMPs) support the technological implementation of all requirements for GDPR-compliant consent management.