Sweeping GDPR Fines from German Regulator Send Clear Message: ‘ePrivacy is a 2019 Priority’.
A new ePrivacy Regulation that tightens rules for online ‘tracking tools’ such as cookies is expected to replace the ePrivacy Directive in late 2019.
Its importance was emphasised last week when the German DPA (Data Protection Authority) announced that it intends to fine forty organisations for using ‘tracking tools’ on their websites in violation of the GDPR.
With ePrivacy Regulation set to tighten GDPR rules on ‘tracking tools’, the announcement of sweeping fines for non-compliant cookie practices under GDPR sends a clear message to organisations in 2019: ‘ePrivacy is a priority’.
How will ePrivacy Regulation seek to protect personal privacy?
The ePrivacy Regulation will outline how organisations must uphold Article 7 of the Charter of Fundamental Rights of the EU which guarantees individuals the right to a private life and private communications.
Where the GDPR focuses on protecting personal data, the ePrivacy Regulation will focus specifically on protecting personal privacy, seeking to empower individuals to opt out of unwanted data tracking, processing and digital communications.
The ePrivacy Regulation will be ‘lex specialis’ to the GDPR, detailing specific applications of the rules within the scope of the GDPR. The ePrivacy Regulation will specify rules for the use of:
- Online tracking technologies
- Citizen profiling and behavioural advertising
- Metadata processing and brokerage, such as geolocation, IP address and device number
- IoT (smart device) communications
- Spam marketing
Why is protecting personal privacy and the integrity of digital communication important?
The profiling and microtargeting of 87 million UK and US citizens by SCL/AIQ/Cambridge Analytica with disinformation from 2016 onwards has been cited in parliamentary inquiries across the world as direct evidence of the need for the ePrivacy Regulation.
A vast unregulated network of data tracking technologies, profiling software and microtargeting practices has left citizens vulnerable to unsolicited digital influence. These practices leave citizens with little control over who is collecting, analysing and leveraging their personal information for commercial and political gain as they browse the internet.
The ePrivacy Regulation will allow for GDPR-sized fines against firms that perform data tracking without consent, which will lead to a collapse in such data tracking practices. This will help re-establish boundaries between citizens and the private and political actors who wish to influence them. It will also allow citizens to better distinguish between legitimate and illegitimate actors in the online space, and provide a fundamental safeguard to ensure that Article 7 of the Charter of Fundamental Rights of the EU is upheld.
How are regulators signalling that ePrivacy is a priority?
The German DPA has taken a major step towards enforcement on ePrivacy by announcing fines for forty large organisations that were found to be tracking visitors on their websites without appropriate consent. The German DPA audited forty “large websites” from the following industries:
(a) Online retail;
(c) Banking & insurance;
(e) Automotive & electronics;
(f) Home and residential; and
The investigation showed that all forty websites had non-compliant cookie practices with “tracking tools” inappropriately integrated into their sites.
The three major violations found were:
1. No Active Cookie Consent – Cookies and tracking technologies were gathering data on users before consent had been obtained. The German DPA said that most of the forty websites used cookie banners to inform users about cookie usage, but none of these banners resulted in active consent being obtained from the user before the cookies gathered user data.
2. No Informed Cookie Consent – Thirty of the forty cookie policies were ‘insufficiently transparent’. The German DPA defines ‘sufficiently transparent’ as: (a) individually identifying all cookies/trackers (and presumably the companies behind them); and (b) letting users know the specific purposes for which data collected by the identified cookies will be used.
3. Third-Party Processing Without Consent – Most of the forty websites automatically sent data to third-party cookie providers as soon as a user visited the website.
How will the ePrivacy Regulation affect your organisation?
Organisations will have to adapt their cookie practices to adhere to the new regulation, most likely moving to an explicit and informed opt-in consent model for advertising cookies. There will also be specific requirements for assessing the legitimacy of third-party data processing and the brokerage of metadata. Organisations will be required to demonstrate a higher level of due diligence and data auditing for third-party data processors, and to keep accurate records of data processing in preparation for heightened scrutiny from regulators.
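The three violations above map onto three checks a website's consent layer can enforce: no tracker loads before an active opt-in, every tracker is individually identified with its provider and purposes, and no third-party request is made on page load. The following is an added example of such a default-deny consent gate written for this article; it is not code from the German DPA or any vendor, the tracker inventory and provider names are constructed placeholders, and it assumes that strictly necessary first-party cookies are exempt from consent while every other purpose is opt-in.

```javascript
// Added example: default-deny consent gate for website tracking tools.
// Nothing that needs consent loads until the visitor actively opts in, and
// every tool must be individually identified with its provider and purposes.

// Tracker inventory (constructed sample; providers are placeholders).
const TRACKER_REGISTRY = [
  { id: "session", provider: "first-party", purposes: ["strictly-necessary"] },
  { id: "analytics-1", provider: "ExampleAnalytics Ltd", purposes: ["analytics"] },
  { id: "ads-1", provider: "ExampleAds GmbH", purposes: ["advertising", "profiling"] },
];

// Assumed exemption: cookies strictly necessary to deliver the service the
// visitor asked for. Everything else requires an active opt-in.
const EXEMPT_PURPOSE = "strictly-necessary";

// "Informed consent" check: each tracker is named, attributed to a provider,
// and declares the purposes its data will be used for.
function registryErrors(registry) {
  const errors = [];
  for (const t of registry) {
    if (!t.id) errors.push("tracker without id");
    if (!t.provider) errors.push(`${t.id}: provider not identified`);
    if (!Array.isArray(t.purposes) || t.purposes.length === 0) {
      errors.push(`${t.id}: no purposes declared`);
    }
  }
  return errors;
}

// Auditable record of the purposes the visitor actually ticked. A banner
// that merely informs never produces a record, and no record means no consent.
function recordConsent(grantedPurposes, now = Date.now()) {
  return { granted: [...new Set(grantedPurposes)], recordedAt: now };
}

// A tracker may load only if every one of its purposes is exempt or actively
// granted. With no record at all, only exempt trackers pass.
function allowedTrackers(registry, consent) {
  const granted = new Set(consent ? consent.granted : []);
  return registry
    .filter(t => t.purposes.every(p => p === EXEMPT_PURPOSE || granted.has(p)))
    .map(t => t.id);
}

// Gate the loading step itself: `loader` (in a browser, the function that
// appends the vendor's <script> tag) is called only for allowed trackers, so
// no third-party request leaves before consent. An undocumented inventory
// fails closed and loads nothing.
function loadTrackers(registry, consent, loader) {
  if (registryErrors(registry).length > 0) return [];
  const allowed = allowedTrackers(registry, consent);
  allowed.forEach(loader);
  return allowed;
}
```

Wiring this into a page means calling `loadTrackers` once on load with whatever record is stored, and again after the visitor submits the banner, so a visit with no interaction never triggers an advertising or analytics request.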