Following numerous privacy complaints, the Bavarian State Office for Data Protection Supervision (BayLDA) recently conducted a random audit of 40 companies and found widespread problems with their cookie disclosures. The purpose of the audit was to determine whether website users could obtain transparent information about the use and tracking of their data by third-party providers. Ultimately, the BayLDA found that all 40 companies were in violation of the GDPR.

Based on its findings, the BayLDA announced that it is considering fining these companies under the GDPR provisions governing website cookie and tracking practices. Since none of the audited companies was technology-focused, the BayLDA's findings should serve as a warning to all companies, whatever their industry. Below, we highlight the main takeaways from the BayLDA audit.

All Companies Are At Risk

The BayLDA did not discriminate when it selected companies to audit. While major technology companies have been at the forefront of these compliance discussions, the BayLDA audit shows that no company is exempt: every company is potentially subject to oversight and enforcement by Data Protection Authorities. The audit should be a warning to all companies that have yet to bring their practices in line with the GDPR.

Cookie Banners Beware

All companies should pay particular attention to the BayLDA's findings on cookie banners. The audit found that most banners merely got in the way, degrading the usability of the website's services, while doing nothing to protect users from tracking they were never told about.

Transparency Requires More Than Common Naming Techniques

The BayLDA findings also call for transparency at a more granular level. In particular, disclosures must be more specific about which cookies are being used. The BayLDA suggests identifying the actual cookies set, rather than relying on broad descriptors such as "performance" or "analytics" cookies. Many companies already provide this level of granular disclosure, but many do not.

Affirmative Consent of Users Is Not Automatic

One of the more problematic findings reported by the BayLDA is that the majority of companies dropped tracking cookies automatically as soon as a user visited the company's website. In the BayLDA's view, the timing of the cookie drop means that no audited company obtained active consent from users before setting the cookie. Rather, tracking began before the user could make an informed decision about the collection and processing of their data. Even if continued browsing could constitute active consent, an issue that has not been clearly decided, such consent cannot reasonably be inferred when tracking starts before the user has had any opportunity to continue browsing at all. Meanwhile, the German data protection authorities have advised that they will release guidance on cookies and consent in the future.
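The timing problem the audit describes is, at bottom, an implementation pattern: the tracker is initialised in the page-load path, so its cookie exists before the banner is even rendered. The following is an added example, not code from the BayLDA audit or from any audited site, contrasting that pattern with a consent-gated loader. It assumes a hypothetical analytics tracker that drops a cookie named "_track_id" and uses a small CookieJar object in place of document.cookie so the logic can run outside a browser; the cookie names, the consent object, and the nonEssentialCookiesAtLoad check are all assumptions made for the illustration.

```javascript
// Added example (not from the BayLDA audit or any audited site): a
// consent-gated tracker loader beside the ungated pattern the audit found.
// Assumptions: a hypothetical tracker that sets "_track_id", and a CookieJar
// standing in for document.cookie so this runs in Node without a browser.

class CookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value) { this.cookies.set(name, value); }
  // Sorted so results are deterministic regardless of insertion order.
  names() { return [...this.cookies.keys()].sort(); }
}

// Hypothetical third-party tracker: all it does is drop a tracking cookie.
function hypotheticalTracker(jar) {
  jar.set('_track_id', 'a1b2c3');
}

// Consent state. "decided" separates "the user has not answered yet" from an
// explicit refusal; both states block the tracker.
function newConsent() {
  return { decided: false, analytics: false };
}

function grantAnalytics() {
  return { decided: true, analytics: true };
}

function denyAnalytics() {
  return { decided: true, analytics: false };
}

// The pattern the audit found: tracker initialised on page load, so the
// cookie is set before the user has seen, let alone answered, the banner.
function pageLoadWithoutGate(jar) {
  jar.set('session', 's-1');   // strictly necessary cookie, allowed at load
  hypotheticalTracker(jar);    // dropped before any consent is possible
  return jar;
}

// Gated version: only the strictly necessary cookie at load; the tracker
// runs when, and only when, consent records an explicit opt-in.
function pageLoadWithGate(jar, consent) {
  jar.set('session', 's-1');
  if (consent.decided && consent.analytics) hypotheticalTracker(jar);
  return jar;
}

// Continued browsing is not treated as consent: scrolling or navigating
// leaves the consent object untouched, so the tracker still does not load.
function onUserScrolled(consent) {
  return consent;
}

// Audit-style check in the spirit of the BayLDA finding: given the cookies
// present at first load and an allowlist of strictly necessary names, return
// the cookies that were dropped before the user could have consented.
function nonEssentialCookiesAtLoad(jar, essential) {
  return jar.names().filter((n) => !essential.includes(n));
}

// Usage: the ungated load fails the check, the gated load passes it.
const ESSENTIAL = ['session'];
console.log(nonEssentialCookiesAtLoad(pageLoadWithoutGate(new CookieJar()), ESSENTIAL));
console.log(nonEssentialCookiesAtLoad(pageLoadWithGate(new CookieJar(), newConsent()), ESSENTIAL));
```

In a real deployment the same check can be run against a live site by loading the page in a fresh profile with no interaction and listing the cookies set, which is what distinguishes a "not yet decided" state from an opt-in at the point the audit cared about.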

The rules governing the use of cookies, and cookie disclosures more generally, are among the more complex and unsettled areas of European privacy law. While the BayLDA's audit does not rise to the level of formal guidance or regulation, the findings do point toward an emerging consensus, given the respect the BayLDA commands among EU data privacy regulators. If nothing else, US companies subject to the GDPR should pay careful attention to the findings and consider modest changes to their policies while formal guidance and regulation develop.