Skip to main content

Tracking trouble: AS Watson's €600,000 fine and Google’s Privacy Sandbox under scrutiny

|

Recently, two notable cases have emerged demonstrating that the consent requirement for cookies is not always adhered to. The Dutch Data Protection Authority (AP) fined AS Watson B.V., the parent company of the Dutch drugstore chain Kruidvat, €600,000 for placing tracking cookies on Kruidvat.nl without the required consent. At the same time, concerns are being raised about Google’s Privacy Sandbox, which critics claim is also not fully compliant with the consent requirement.

 

In this article, we will discuss these two recent cases. Additionally, we will delve into future regulations regarding cookies and the subsequent consent requirements. We will conclude with some practical tips.

Cookie Legislation

From Directive to Regulation

Currently, cookies are governed by the GDPR and the e-Privacy Directive. In the Netherlands, the e-Privacy Directive has been implemented via the Telecommunications Act. However, the 2002 e-Privacy Directive is due for replacement. The long-awaited successor is the e-Privacy Regulation. The exact implementation date for this regulation is still uncertain; member states are currently still negotiating some articles.
The arrival of the e-Privacy Regulation will replace the relevant provisions in the Dutch Telecommunications Act. Unlike a directive, a regulation is directly applicable in all EU member states, without the need for transposition into national law.

The New Cookie Rules

The e-Privacy Regulation aims to make the use of cookies simpler and more user-friendly. Cookies that have a limited impact on privacy can still be placed without consent. However, consent will still be required for tracking cookies. The current strict rules result in an abundance of different cookie notices that users have to deal with. To make this more user-friendly, the new rules encourage browser developers and mobile operators to add a ‘tracking consent option’. This allows users to set their privacy preferences once in their browser instead of on each individual website. Much more convenient!
Many browsers have already adapted to this. For example, Safari and Firefox block third-party tracking cookies by default. These cookies are placed by companies not directly involved with the website you are visiting, usually for targeted advertising purposes. Google had also announced it would ban third-party tracking cookies in Chrome by default but recently revised this plan. More on this can be read below.

 

Consent Requirement

Websites must inform their visitors about the use of cookies. Additionally, consent must be obtained for the use of cookies. Exceptions to this requirement are cookies that are strictly necessary for the functioning of the website or analytical cookies with limited privacy impact. Analytical cookies, for instance, help in collecting visitor statistics to improve website performance.

Tracking cookies follow and analyze users’ browsing behavior over an extended period, thus impacting privacy. Consent is required for tracking cookies and analytical cookies with privacy implications. Consent for this cookies must be given freely, specifically, informed, and unambiguously. This is a strict requirement. For example, using pre-checked boxes or silence does not count as valid consent, a mistake many companies make.

This was also the case with Kruidvat.nl.

 

The Violation by Kruidvat.nl

The AP discovered that Kruidvat.nl was placing tracking cookies without valid consent from visitors. Additionally, the boxes for tracking cookies were pre-checked in the cookie banner, which is also in conflict with the consent requirement from the GDPR.

The AP’s investigation report shows:

  1. When visiting Kruidvat.nl, cookies were placed on the user's device before they had given consent.
  2. The cookie banner had the “agree” box pre-selected by default, making users automatically (by default) consent to the placement of advertising (tracking) cookies. The cookie banner was also complex and required users to go through several steps before cookies could be refused, making their choice not genuinely ‘free’.

These findings led the AP to conclude that AS Watson was guilty of unlawful data processing with its website Kruidvat.nl. As a result, a fine of €600,000 was imposed.

 

Google’s Privacy Sandbox: Improvement or Privacy Washing?

Google also fases criticism regarding compliance with the consent requirement. The company introduced the Privacy Sandbox as a privacy-friendly alternative to third-party cookies in its Chrome browser, aiming to eliminate these cookies entirely. Users could activate this new feature with the “Turn on ad privacy features” button. However, critics argue that this so-called ‘ad privacy feature’ is not as privacy-friendly as claimed. Instead of eliminating third-party tracking cookies, it shifts tracking to first-party tracking within Chrome itself, managed by Google. By labeling this as a ‘privacy feature,’ users may be misled, resulting in no free, specific, informed, and unambiguous consent.

Max Schrems, a prominent privacy lawyer and activist, expressed his concerns:
“People are increasingly critical of the fact that big tech companies are making billions from invasive ad tracking technologies. Instead of actually improving the situation, Google is responding with a kind of unlawful ‘privacy washing’ by introducing a new tracking system.”
Recently, Google decided not to completely ban third-party cookies after all. Instead, the company will request explicit consent from Chrome users for the use of these cookies. Meanwhile, Google continues to work on alternatives for third-party cookies with its Privacy Sandbox, hopefully this time genuinely privacy-proof.

 

Practical Advice

In practice, many companies still struggle with the correct application of legal cookie rules. The use of pre-checked consent boxes and unclear cookie banners is common, despite being illegal. Such practices lead to unlawful data processing and can result in significant fines and reputational damage. It is important for companies to regularly review their cookie policies and ensure compliance with current regulations to avoid such mistakes.

Here are some key lessons:

  1. Clear Information: Ensure your cookie banner provides clear information about the purpose of the cookies and what data is collected.
  2. Active Consent: Do not use pre-checked boxes. Users must actively give consent.
  3. Easy Opt-Out: Make it easy for users to refuse cookies.

 

Conclusion

The fine imposed on AS Watson for unlawful use of tracking cookies highlights the importance of compliance with legal rules. Companies must be transparent about their cookie use and ensure that consent is obtained correctly. This not only prevents legal consequences but also helps maintain customer trust.
AS Watson has now made the necessary adjustments, ensuring that only strictly necessary cookies are pre-checked by default in the cookie banner on its Kruidvat.nl website. Hopefully, Google will also take the criticism seriously and provide a true ‘privacy feature’ with its Privacy Sandbox.

Craving a cookie after reading this article? Don’t worry, you don’t need consent for that!

The AP’s fine decision regarding AS Watson can be read here (in Dutch):

www.autoriteitpersoonsgegevens.nl/documenten/besluit-boete-as-watson-kruidvat.

 

Article provided by INPLP members: Bob Cordemeyer, Hanneke Slager and Emmely Schaaphok (Cordemeyer & Slager Advocaten B.V., Netherlands)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

VIEW STREAM

About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.

{$page.footerData}