The Irish Data Protection Commission (DPC), the privacy watchdog of the EU, has put forward its most recent piece of evidence to suggest that the use of cookies and internet tracking tools continues to defy General Data Protection Regulation (GDPR) guidelines.
This was revealed in a report published by the organization on 6 April 2020, following a ‘cookie sweep’ it conducted to observe how cookies and similar technologies were being used on a selection of popular websites in Ireland.
Overview: Surveying cookies
The DPC’s sweep of cookies across the internet was carried out between August and December of last year and involved a questionnaire that was sent out to 40 Irish organizations across a host of sectors. These ranged from media and publishing houses to retail stores, and from restaurants and food ordering services to insurance providers and sport and leisure companies.
Public sector organizations were also included in the survey.
According to the DPC, this was done to “request information” that would allow them to “establish how, and whether, organizations are complying with the law.”
They add that, in particular, the DPC was also seeking to “examine how controllers obtain the consent of users for the use of cookies and other tracking technologies.”
In spite of the scope of the survey, however, the DPC nevertheless stressed that the sweep was not an “examination” of the AdTech industry or the real-time bidding advertising framework. The watchdog did point out, however, that it was “evident” from the survey that advertising technology and internet tracking remain “core” to the business models of many of the websites they examined.
Key findings relating to internet tracking
The DPC’s survey uncovered a number of relevant findings which shed light on how internet tracking and cookie use often do not align with GDPR guidelines:
- Most websites either offer users a “lack of clarity” as to how cookie choices can be withdrawn at a later stage or offer no choice at all.
- In “almost all” of the websites surveyed, non-essential cookies had been set on the landing page, often seeing users consent to internet tracking without their knowledge.
- A “majority” of organizations miscategorized certain cookies as being “necessary” or “strictly necessary” when the DPC deemed this not to be the case.
- Some websites made use of poor consent management platform designs. This, according to the DPC, can require consent for internet tracking in a way that is “deliberately misleading”.
- Over a quarter (26%) of the websites offered pre-ticked boxes for cookie consent, including for purposes of marketing and analytics.
- Two-thirds of the organizations rely on either implied consent (e.g. such phrasing as ‘by continuing to use this site you consent to the use of cookies’) or giving the user responsibility for cookie control (e.g. via browser settings), or both.
- Cookie consent was “bundled” for most websites surveyed, meaning that users were unable to provide consent to particular purposes for which cookies were being used.
Interestingly, a sizeable minority (39%) of organizations whose websites were surveyed told the DPC that they had been aware of the fact that they might have been noncompliant, or that they had identified improvements to this effect.
In spite of this, the watchdog pointed out that it was “clear from some responses” that even significant improvements proposed “may not serve to bring them into full compliance.”
DPC offers guidance
In spite of widespread and irrefutable defiance of GDPR guidelines, the Irish DPC nevertheless opted against taking strong measures, instead choosing to offer guidance on the best course of action they believe ought to be followed.
This came in the form of a set of guidelines for the use of cookie tools and internet tracking which, in essence, maps onto existing GDPR laws.
However, in offering its guidance, the DPC nevertheless attaches a strong caveat, pointing out that organizations (referred to as ‘data controllers’) are expected to comply with the current cookie law rules within a six-month grace period, failing which it will take enforcement action into its own hands.
“Where controllers fail to voluntarily make changes to their user interfaces and/or their processing,” the watchdog warns, “the DPC has enforcement options available under both the ePrivacy Regulations and the GDPR and will, where necessary, examine the most appropriate enforcement options in order to bring controllers into compliance with the law.”
A larger picture
The DPC’s report serves as just the latest in a spate of warnings to European organizations for their use of internet tracking.
For months, for example, the UK’s Information Commissioner’s Office (ICO) has been warning about “illegal profiling” of internet users from the AdTech industry, prompted by a report from June 2019 that pointed to evidence of this occurring on a large scale.
However, as of yet, the ICO has taken no action to this effect, leading, in part, to internet tracking remaining a pervasive threat to users’ safety online.