The Bavarian Data Protection Authority (“BDPA”) took the “safer internet day” in February 2019 as an opportunity to conduct privacy checks on website operators. The focus was on “cybersecurity” (in particular, password security) and “tracking” and the outcome is rather disillusioning, according to the BDPA. The BDPA stated that necessary security measures were not implemented and none of the cookie banners obtained valid consent. The BDPA announced it would conduct further checks via written procedures or even by on-site inspections to validate the quick check results and assess whether further actions must be taken. In those cases where the BDPA is not competent, the BDPA will consider reaching out to competent lead supervisory authorities where necessary so that they can provide their insights.
Here are the main results of the BDPA’s checks and practical advice on what companies should consider when setting up their websites.
Results of the Assessment Concerning Password Security
The targets of the BDPA were 20 website operators known for their wide reach, according to the BDPA. The website operators’ lines of business ranged from social network providers and video streaming portals to online shops.
The BDPA stated that the 20 website operators showed the following vulnerabilities:
- HTTPS encryption appears to be standard, but in some cases older protocols were still supported, leading to a lower security level.
- None of the companies required the use of strong passwords. In some cases even very weak ones such as “123456”, “password” or even “000000” were accepted.
- 75% of the targets did not provide an indicator assessing the security level of the chosen password. Where such indicators were provided, they were often inaccurate (e.g., rating a rather weak password as strong).
- Additional security measures and help options to protect the accounts were only provided by a very limited number of businesses.
- In 50% of the cases, a registration for a service was possible without the owner of the e-mail address used being aware of such registration (as no message was sent to the e-mail address concerning the registration). Only 25% required a confirmation of the registration by e-mail.
- Only 1 out of 20 websites informed users about failed log-in attempts.
- Only 25% of the services offered a feature enabling the user to see all active sessions.
Results of the Assessment Concerning Tracking
Forty large Bavarian companies had been reviewed for the purpose of identifying whether they transparently provided the required information and obtained valid consent for the use of third-party tracking technology, in particular cookies.
In the view of the BDPA, the results were disappointing:
- Regarding the validity of the tracking consent, the BDPA checked whether (i) prior consent was received (i.e., tracking scripts were blocked until active consent was provided), (ii) the consent was given on an informed basis and (iii) the consent was given voluntarily. According to the BDPA, the results were that out of the 40 websites checked, only 8 obtained prior consent, 4 provided sufficient information and 8 obtained consent on a voluntary basis. The BDPA stated that none of the websites fulfilled all of these requirements and, as a result, none obtained valid consent.
- The BDPA stated that the cookie banners in most cases not only interfered with the user friendliness of the services but were also completely ineffective in protecting against tracking.
According to the BDPA, none of the websites prevented the tracking of visitors, and none fulfilled the requirements for a valid consent.
Lessons to be learned:
Unfortunately, the BDPA did not specify further why transparency requirements had not been met, what degree of granularity is required to inform the customers adequately, or what is required to obtain voluntary consent. Nevertheless, the BDPA’s approach gives some insights on what supervisory authorities focus on and what companies can consider doing to reduce enforcement risks:
- Supervisory authorities focus on end-consumer businesses. This especially holds true for services targeting younger audiences. B2C companies should thus have a particular focus on data privacy compliance.
- Supervisory authorities want companies to inform about the tracking technologies that are actually used by the business in a precise manner. They do not want businesses to describe activities that are possible but not actually used.
- Consider obtaining consent for the use of tracking cookies. The German data protection authorities, for instance, take the view that consent is required whenever tracking cookies are used, even though this is not settled among German legal scholars. Furthermore, other EU member states also seem to follow this view and require consent. The draft e-Privacy Regulation, which is still under revision but will be directly applicable sometime in the future throughout the EU, also requires consent. There are thus good reasons to not only inform about tracking cookies but also to obtain consent. Mere informative banners do not suffice in the opinion of supervisory authorities.
- Even if it is crucial for companies to provide for an easy and convenient registration process, this need not be at the expense of providing information and security. The BDPA emphasized that, in particular, it expects big players to comply with statutory requirements. To the BDPA, usability does not trump privacy compliance.
- The BDPA seems to expect businesses to support customers when they select their passwords and log-in methods, for example by requiring compulsory complexity and length (the BDPA recommends a minimum length of 12 characters, while fewer than 8 are considered too weak); providing adequate indicators to assess the security level of the selected password; offering multi-factor authentication options that can be easily found; and providing further convenient support rather than mere references to (password) guidelines that are hardly ever read.
- In order to prevent identity theft and other cybercrimes, in connection with any registration for services and changes of passwords, consider sending an e-mail to the e-mail address used. When changing the password, consider requesting the old password as well.
- The BDPA also recommends that leading/larger companies provide information on phishing (by explaining common techniques and explaining how to ensure that the actual service provider is requesting information) to raise the awareness for such attacks, as cybercriminals often pretend to be such companies in order to obtain log-in data and other information.
- Supervisory authorities want companies to show failed log-in attempts in order to warn customers of potential threats to their digital identity.
- Consider providing easy-to-find support options for security issues; it shows that privacy is taken seriously.
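The password expectations described above (minimum length of 12, fewer than 8 too weak, compulsory complexity, an indicator that does not rate weak passwords as strong, rejection of values like "123456" or "000000") can be enforced server-side as follows. This is an added example, not code from the BDPA or from any of the checked websites; the denylist, the three-class complexity rule and the 75-bit "strong" threshold are assumptions.

```python
import math
import re

# Constructed denylist: the weak passwords the BDPA found accepted, plus a few
# other common ones. A real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"123456", "password", "000000", "12345678", "qwerty", "letmein"}

MIN_LENGTH = 12      # BDPA-recommended minimum length
TOO_WEAK_BELOW = 8   # BDPA: fewer than 8 characters is too weak
MIN_CLASSES = 3      # assumed reading of "compulsory complexity": 3 of 4 classes
STRONG_BITS = 75     # assumed entropy threshold for the "strong" label

# (regex, alphabet size) per character class; the last one catches everything else
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]


def _classes_and_bits(pw):
    """Number of character classes used and a naive entropy estimate in bits."""
    used = [size for pattern, size in CLASSES if re.search(pattern, pw)]
    return len(used), len(pw) * math.log2(sum(used))


def _is_sequence(pw):
    """True for '000000'-style repeats and '123456'/'abcdef'-style runs."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def assess_password(pw):
    """Return (accepted, label) for a candidate password.

    Hard rejects come first, so 'Password123!' is never rated 'strong'
    merely because it mixes four character classes.
    """
    low = pw.lower()
    if any(word in low for word in COMMON_PASSWORDS):
        return False, "very weak: contains a common password"
    if _is_sequence(pw):
        return False, "very weak: repeated or sequential characters"
    if len(pw) < TOO_WEAK_BELOW:
        return False, "too weak: fewer than %d characters" % TOO_WEAK_BELOW
    if len(pw) < MIN_LENGTH:
        return False, "weak: fewer than %d characters" % MIN_LENGTH
    n_classes, bits = _classes_and_bits(pw)
    if n_classes < MIN_CLASSES:
        return False, "weak: use at least %d character classes" % MIN_CLASSES
    return True, ("strong" if bits >= STRONG_BITS else "fair")
```

The label is what a registration form would display as its strength indicator; the boolean is what the server uses to accept or refuse the password.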
According to the BDPA, the results of the privacy assessment were much worse than the outcome of the cybersecurity check. But even though the outcome of this quick check was disappointing according to the BDPA, the BDPA failed to take this as a chance to provide details with regard to the question of which information is required for providing sufficient transparency. Businesses are thus left alone to decide how to best inform their customers in an easy, and at the same time transparent, manner. However, it is unlikely that the BDPA would accept this as an excuse not to improve transparency. The BDPA emphasized that it had focused on tracking due to an increasing number of customer complaints. This indicates that customers are becoming more and more aware of their privacy so that it is in the interest of the business to keep up with this development. In this respect, it is also important to know that complaints are oftentimes the starting point for further privacy investigations. Companies should thus try to stay in line with current guidance from data protection supervisory authorities and watch out for any new developments.