The Bavarian Data Protection Authority (“BDPA”) took Safer Internet Day in February 2019 as an opportunity to conduct privacy checks on website operators. The focus was on “cybersecurity” (in particular, password security) and “tracking”, and the outcome was, according to the BDPA, rather sobering. The BDPA stated that necessary security measures had not been implemented and that none of the cookie banners obtained valid consent. The BDPA announced that it would conduct further checks, via written procedures or even on-site inspections, to validate the quick-check results and assess whether further action must be taken. Where the BDPA is not the competent authority, it will consider referring its findings to the competent lead supervisory authority where necessary so that that authority can follow up.
Here are the main results of the BDPA’s checks and practical advice on what companies should consider when setting up their websites.
Results of the Assessment Concerning Password Security
According to the BDPA, its targets were 20 website operators known for their wide reach. Their lines of business ranged from social network providers and video streaming portals to online shops.
The BDPA stated that the 20 website operators showed the following vulnerabilities:
Results of the Assessment Concerning Tracking
Forty large Bavarian companies were reviewed to determine whether they transparently provided the required information and obtained valid consent for the use of third-party tracking technology, in particular cookies.
In the view of the BDPA, the results were disappointing:
According to the BDPA, none of the websites prevented the tracking of visitors, and none fulfilled the requirements for a valid consent.
Lessons to be learned:
Unfortunately, the BDPA did not specify why the transparency requirements had not been met, what degree of granularity is required to inform customers adequately, or what is required for consent to count as voluntary. Nevertheless, the BDPA’s approach gives some insight into what supervisory authorities focus on and what companies can do to reduce enforcement risk:
According to the BDPA, the results of the tracking assessment were much worse than those of the cybersecurity check. Although the BDPA described the outcome of this quick check as disappointing, it did not take the opportunity to specify which information is required to provide sufficient transparency. Businesses are thus left to decide for themselves how best to inform their customers in a manner that is both easy to understand and transparent. The BDPA is, however, unlikely to accept this uncertainty as an excuse for not improving transparency. The BDPA emphasized that it had focused on tracking because of an increasing number of customer complaints. This indicates that customers are becoming more aware of their privacy, so it is in a business’s own interest to keep up with this development. It is also worth remembering that complaints are often the starting point for further privacy investigations. Companies should therefore follow current guidance from data protection supervisory authorities and watch for new developments.