Maciej Zawadziński: Privacy organization ‘noyb’ recently approached over 500 companies with complaints about violations of the GDPR compliance of their websites’ cookie banners. When they followed up on the problem, some companies fixed violations. Still 82% of all websites had remaining issues. It seems noyb’s complaints have motivated companies to act. But why are they still not compliant?
Marc Southwell: The problem here is the understanding of legislation and how to implement it nationwide and internationally.
It’s easy for privacy activists like noyb (‘none of your business’) to point fingers at companies’ cookie banners and how they try to comply with the GDPR.
And it’s easy for them to put companies’ lack of compliance on public display.
But who’s to blame? We all know about the GDPR and that we have to collect consent for using cookies. But the whole cookie issue is caught between the ePrivacy Directive, the GDPR, and national guidelines for using cookies. And as many companies operate across borders, it becomes increasingly difficult to know which rules actually apply.
I see a tendency that companies become caught between a rock and a hard place. It’s an unpleasant situation in which they don’t know how to act and what path to follow.
Maciej Zawadziński: So in your opinion, businesses want to be GDPR compliant. How did you reach this conclusion?
Marc Southwell: We don’t believe that the mentioned 82% of 500 companies in Europe are seeking to break the law. We believe the opposite. We have done a study with the Federation of Norwegian Enterprise (Virke) that concludes that most companies want to comply and respect their website visitors, but it’s too difficult to understand the GDPR.
In the fall of 2020, together with Virke, we asked 379 companies in Norway about their views on cookie consent solutions. The companies represented small, medium-sized businesses and enterprises. Less than 20% of the companies said that they had enough knowledge about legislation and guidelines for cookies to act properly. At the same time, 90% answered that it’s important that their company complies with current legislation so they can ensure the rights of their website visitors.
I believe this is a common picture all over Europe. Companies do not want to run the risk of heavy fines or bad publicity for not complying with the GDPR.
And it’s the companies that have the main responsibility for compliance. But as lawyer Maximillian Schrems, co-founder of noyb, argues: if it’s so hard to understand the privacy policies of tech giants, imagine how difficult it may be for the average company to understand the legal phrasing in GDPR. Let alone formulate their own.
If you ask legal experts across Europe, there are different interpretations of how consent is collected when it comes to digital devices, the term we use for websites and mobile applications.
– Marc Southwell
Maciej Zawadziński: You continue to say the GDPR is hard to understand. Why haven’t companies gotten around to understanding the GDPR although it was introduced three years ago?
Marc Southwell: The GDPR doesn’t talk much about cookies. Cookies are the concern of the ePrivacy Directive (“the European cookie law”). However, the GDPR talks a lot about consent.
Rules on cookies and how to collect consent for them are caught between two legislations. This allows for national guidelines which are interpretations. Interpretations of the ePrivacy Directive, which is something all European member states have had to put into national law, and the GDPR which is mostly enforced at national levels.
What we see by reading the national guidelines and by talking to our clients is that these interpretations vary a lot. If a company operates on the whole continent or internationally, which guideline should it follow?
Much of the GDPR framework is centered around consent that should be “freely given, unambiguous, specific, informed”. But what does that really mean?
If you ask legal experts across Europe, there are different interpretations of how consent is collected when it comes to digital devices, the term we use for websites and mobile applications. Some experts talk about legitimate interest, others about passive consent, and some even say that just using a website or mobile app is considered as consent. If we still discuss what consent on a website or app is, then how far have we come? We have a set of rules, but how to follow them is perceived differently from country to country.
Maciej Zawadziński: Even if a company understands the guidelines, it has a hard time following them. What parts of the GDPR are the most challenging to follow and why?
Marc Southwell: Of course I cannot comment on the entirety of the GDPR. I can only comment on my field of knowledge which is collecting consent for using cookies and other tracking technologies on websites and apps.
The GDPR was enacted on May 28, 2018. It took the Danish Data Protection Authority almost two years and the Finnish Data Protection Authority three years to formulate clear guidelines for collecting valid consent to cookies. And we are still waiting for the Swedes.
According to The Digital Economy and Society Index (DESI) for 2020, these three countries are the most digital countries in the world. If it has taken them over three years to put forward guidelines, then no wonder it has taken so long for many companies to understand and implement solutions to keep them GDPR compliant.
I am in contact with hundreds of companies that want to follow the guidelines. And based on the interest in our materials, e.g. e-books and blog posts, we know that thousands more are interested. I can only join the bandwagon and request the data protections authorities (DPAs) across Europe help businesses comply. Guide and teach them. Those companies want to respect their customers, but they need to know how to do so.
It took the Danish Data Protection Authority almost two years and the Finnish Data Protection Authority three years to formulate clear guidelines for collecting valid consent to cookies. And we are still waiting for the Swedes.
– Marc Southwell
Maciej Zawadziński: Data protection offices in the EU are in charge of providing the local cookie guidelines and general education on the GDPR. How would you describe the current state of their efforts in those areas?
Marc Southwell: The GDPR was a big change, and is still a big thing. We have a long way to go before all companies can follow the rules of the regulation.
Bigger businesses with many resources have allocated entire departments and appointed data protection officers (DPOs) for redesigning their internal processes to comply with the GDPR.
On the other hand, small and medium businesses may not have these resources and have to hire external consultants. That’s costly and time consuming. But I also see that many businesses are working on it. Especially regarding cookies.
If we start seeing non-governmental organizations calling the authorities every time they spot a non-GDPR compliant cookie banner, something is wrong. Authorities should reach out to companies – guide instead of judge – help instead of penalize.
When I help businesses, who are being audited by the data protection authorities, I often learn it’s being audited because of an official complaint from a user of a website. This forces the authority to act and audit the website. When the business comes to us for advice, they have no idea what to do or where to start. And we see more and more of these cases. Just this year, we have helped more than 10 companies through official audits by the data protection authorities.
Maciej Zawadziński: In your opinion, what should change in DPA’s communication about compliance to make it more approachable and understandable?
Marc Southwell: I think the European data protection authorities should unite to give clear direction for cookies and consent. As I said earlier, there are a lot of different national interpretations of the ePrivacy Directive and the GDPR. It becomes difficult for international businesses to know what rules to follow.
There should be a unified and clear European guideline that all data protection authorities agree upon until the new ePrivacy Regulation takes effect. When that arrives, there will no longer be room for interpretations and the rules will be set in stone.
There are too many gaps,unanswered questions, interpretations and inconsistencies for companies to be able to do what they do: to do business.
And we want to see more positive stories from companies who got it right. Let’s learn from those so others can follow. What did they do, how did they solve the problems, etc.
With that level of clarity and transparency, all businesses in Europe would be able to follow the guidelines without spending unnecessary resources on it.
Maciej Zawadziński: Can you point out a data protection authority that does a good job in educating businesses about how to be compliant?
Marc Southwell: We are seeing very good initiatives by the Danish Data Protection Authority (Datatilsynet). They have succeeded in producing clear and often humorous content about data protection, privacy and consent. And best of all, everything is written for all to understand.
For example, every week they do something called “The Monday Myth” in which they comment on a common misunderstanding about the GDPR. A myth could be: “the GDPR says you’re not allowed to take photos at your kids’ birthday party”. And then they debunk such myths.
They have built a large audience on social media,especially on LinkedIn, by squeezing the legal mumbo jumbo out of legal documents and making them easy for all to understand.
Maciej Zawadziński: The ePrivacy Regulation is on its way. Will it create the same confusion among businesses? Or is it written in a more approachable manner so it will be easier to follow?
Marc Southwell: The new ePrivacy Regulation was supposed to take effect the same day as the GDPR (May 28, 2018), but it has been delayed. Hopefully, we have learned a lot from how the GDPR was received and perceived.
The ePrivacy Regulation will be written in the same legal language as the GDPR. The task of the European Data Protection Board and all the data protection authorities out there will be to convey the new rules in layman terms. That is, in plain English.
However, when the ePrivacy Regulation comes, this will be the final set of rules for using cookies and online trackers. No more confusion about whether cookies fall under the GDPR or ePrivacy Directive, or some national guideline. The ePrivacy Regulation will establish the standard for all European member states.
But as long as we wait, we are stuck with a complex and rigid system of different interpretations on cookie rules. And that’s the reason why many companies don’t comply yet.
It is imperative that we communicate in a good way to companies: these are the rules – this is how you can follow them – here’s how we can help you reach your compliance goals.
Marc Southwell, Senior Compliance Advisor at Cookie Information
Marc has extensive professional experience working with web agencies in different capacities. During that work, he found his niche in internet privacy. At Cookie Information, he provides small and global companies with expertise on compliance with privacy regulations, especially in relation to cookies and asking for legal consent.