Around 50 companies in Berlin have been warned by the local data protection authority to finally comply with the GDPR. In each case, the reason was illegal tracking of visitors. The data protection authority thereby shows that it also recognizes the problems on a technical level and issues warnings accordingly. A faulty cookie banner as a fig leaf is therefore increasingly useless.
Mistakes cost money
GDPR is enforced
It’s not always just warnings – recently an online store in Lower Saxony was fined €65,000 under the GDPR. The reason for this was a lack of updates and thus a successful hacking attack on customer data.
But third-party cookies also remain a problem, just as external tracking scripts regularly degrade PageSpeed.
Our recommendation: Avoid external tracking scripts where possible – and where that is not possible, only include those that are actually in use. With third-party tracking, it is essential to comply with the GDPR requirements. And the GDPR clearly states: consent is mandatory.
Please note: Effective consent must also be logged per user in compliance with the GDPR. So if you can’t or don’t want to do without third-party tracking scripts, then use a secure GDPR solution, such as Usercentrics together with our Tracking Manager. As a Usercentrics Partner, we advise you comprehensively if necessary and implement the necessary measures for you.
Half-baked solutions are a sword of Damocles
Avoid grey areas
Various industries were affected by the warning, in particular online trading, real estate, finance, social networks, legal services, software, health, education and comparison portals. Data protection authorities are increasingly receiving not only personal complaints from affected users, but also general information with requests and concerns from citizens.
The companies affected must now act immediately: the Berlin data protection authority has already announced prompt inspections. If the GDPR problems have not been resolved by then, official proceedings will be opened, and experience shows that a fine can then no longer be avoided.
Even elaborate cookie banners with differentiated setting options are not enough, according to the Berlin data protection authority – the underlying processes and loaded tracking scripts were analyzed by the authority, as was the design of the cookie banner itself.
Often, the reject button is still hidden in the settings or given lower visual priority than the accept button – this is seen as deliberately influencing the user’s freedom of choice and clearly violates the GDPR. Even if many websites still use cookie banners in this way: a warning by a data protection authority is only a matter of time.
Up to 4% of the global annual turnover can be imposed as a fine – GDPR violations are no longer a trivial offense.
Example
Tom Tailor
Example of an online shop with a faulty cookie banner. Tom Tailor hides the option to reject third-party tracking behind the settings link, so the user is tricked into clicking “Accept all”, which many GDPR experts consider a clear GDPR violation.
Example
Zalando
The Google Tag Manager is already loaded, even before you have agreed to the cookies via “Go clear”.
Zalando’s cookie list is very large overall: we count 70 cookies from 12 different companies – this is mostly the result of marketing departments and decision-makers constantly formulating new analysis requirements and not taking the GDPR into account.
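To check your own site for the problem described above (third-party scripts such as a tag manager loading before consent), export a HAR capture from the browser's network panel and compare request times with the moment of the consent click. The following is an added example, not code from this article or from any product it mentions; the site `shop.example`, the capture and the function names are assumptions.

```javascript
// Added example: flag third-party requests made before the consent click.
// HAR fields used (log.entries[].startedDateTime, request.url) are standard HAR 1.2.
// The capture below is constructed sample data, not a recording of any real site.
const sampleHar = { log: { entries: [
  { startedDateTime: "2021-08-01T10:00:00.100Z", request: { url: "https://shop.example/" } },
  { startedDateTime: "2021-08-01T10:00:00.400Z", request: { url: "https://static.shop.example/app.js" } },
  { startedDateTime: "2021-08-01T10:00:00.650Z", request: { url: "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER" } },
  { startedDateTime: "2021-08-01T10:00:00.900Z", request: { url: "https://tracker.example.net/pixel.gif" } },
  { startedDateTime: "2021-08-01T10:00:07.200Z", request: { url: "https://ads.example.org/tag.js" } },
] } };

// Simplification (assumption): a host is first-party if it equals the site domain
// or is a subdomain of it. A production check would use the Public Suffix List.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// Returns the third-party hosts contacted before consentAt (ISO timestamp of the
// consent click, or null if the tester never clicked), with request counts.
function preConsentThirdParties(har, siteDomain, consentAt) {
  const cutoff = consentAt === null ? Infinity : Date.parse(consentAt);
  const hits = new Map();
  for (const entry of har.log.entries) {
    const started = Date.parse(entry.startedDateTime);
    if (Number.isNaN(started) || started >= cutoff) continue;
    let host;
    try { host = new URL(entry.request.url).hostname.toLowerCase(); }
    catch { continue; } // malformed URL in the capture
    if (!host || isFirstParty(host, siteDomain)) continue; // data:/blob: have no host
    hits.set(host, (hits.get(host) || 0) + 1);
  }
  return [...hits].map(([host, requests]) => ({ host, requests }));
}

console.log(preConsentThirdParties(sampleHar, "shop.example", "2021-08-01T10:00:05.000Z"));
```

Any host this reports is contacted without the visitor's consent and should be moved behind the consent decision or removed.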
Back in April, data protection officer René van Loock showed in a post where large websites, including Zalando, stand on GDPR compliance. In any case, no company can plead ignorance more than 3 years after the GDPR came into force.
Our Tracking Manager WordPress plugin with Usercentrics support proves that a correct cookie banner is technically not particularly difficult to set up. So there is no lack of technical possibilities, but only of will.
The naivety or chutzpah with which the GDPR is sometimes ignored is frightening. Every supposed straw is grasped at to get third-party tracking around the GDPR – the warning letters from data protection authorities are right and important.
We are not talking about witchcraft here. The GDPR is often described as a complicated set of paragraphs, even by many data protection experts, but it usually only gets complicated when you try to bend the rules. Uniform technical solutions via browser signals are being worked on, and Google is trying out its much-criticized cohort concept.
Until then, and probably permanently, the clear recommendation is: avoid third-party services and ideally follow the no-consent-required approach – then there is no need for cookie banners at all.