The data protection supervisory authorities of several German States have investigated the use of cookies and the inclusion of third-party services on websites of media companies. In total, 49 websites in 11 states were audited on the basis of a joint audit catalogue. The focus was put on user tracking for promotional purposes. Most of the websites audited did not comply with the legal requirements for the use of cookies and other tracking methods. Media companies thus violated their users’ right to the protection of their IT systems and their personal data. Initial adjustments made by some controllers have not yet been able to fully address the legal shortcomings. Users face significant risks as a result of media companies’ practices. In particular, the personal data collected through user tracking is used to create and enrich comprehensive and cross-page personality profiles. These are used for online marketing, in particular in the real time bidding process (real time bidding on advertisement spots).
The state data protection authorities involved act on companies within their jurisdiction in order to establish data protection compliant conditions. If necessary, they will take supervisory action.
For this joint investigation, the authorities from Baden-Württemberg, Brandenburg, Bremen, Hamburg, Hessen, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Saarland, Saxony and Schleswig-Holstein sent out a joint questionnaire to media companies in their respective competent jurisdictions beginning mid-August of 2020. Not all of a companies’ websites were investigated, only their widest-reaching ones. Before these questionnaires were sent out, the selected web pages were technically secured and analysed. This made it possible to match the replies of the media companies with the actual technical design of the pages. In addition to the authorities mentioned above, the supervisory authority in Bavaria also participated in the substantive content analysis of the results of the investigation.
The audited media websites use a very high number of cookies and third-party services, mainly for user tracking and advertising funding. Even though the websites ask for differentiated user consent for the use of cookies and third-party services, the majority of the given consents were invalid. The main shortcomings identified during the audit were the following:
- Wrong order: Often third-party services requiring consent are already in place when websites are opened and cookies set — before consent is actually obtained.
- A lack of information: The first level of consent banners provides insufficient or incorrect user tracking information.
- Insufficient level of consent: Even if the user refuses to give consent on the first level of consent banner, many cookies and third-party services, which require consent, still remain active.
- No simple refusal: While all consent banners on the first level present a button to give consent to all cookies and third-party services, this level often lacks a corresponding button to reject user tracking in full or to close the banner without making a decision.
- User manipulation: The design of consent banners contains many forms of nudging. This means that users are enticed to give consent by making the consent button significantly more noticeable than the refusal button, i.e. by colour highlighting or by unnecessarily complicating the refusal of consent.
The original press release is available on the websites of the above-mentioned SAs.
For further information, please contact the SAs involved. For an overview of the German SAs, please click here.
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.