Results of the Assessment Concerning Password Security
The BDPA assessed 20 website operators that, according to the BDPA, are known for their wide reach. The website operators’ lines of business ranged from social network providers and video streaming portals to online shops.
The BDPA stated that the 20 website operators showed the following vulnerabilities:
Results of the Assessment Concerning Tracking
Forty large Bavarian companies were reviewed to determine whether they transparently provided the required information and obtained valid consent for the use of third-party tracking technology, in particular cookies.
In the view of the BDPA, the results were disappointing:
According to the BDPA, none of the websites prevented the tracking of visitors, and none fulfilled the requirements for a valid consent.
Lessons to be learned:
Unfortunately, the BDPA did not specify further why transparency requirements had not been met, what degree of granularity is required to inform the customers adequately, or what is required to obtain voluntary consent. Nevertheless, the BDPA’s approach gives some insights on what supervisory authorities focus on and what companies can consider doing to reduce enforcement risks:
According to the BDPA, the results of the privacy assessment were much worse than the outcome of the cybersecurity check. Although the BDPA found the outcome of this quick check disappointing, it did not take the opportunity to detail which information is required to provide sufficient transparency. Businesses are thus left alone to decide how best to inform their customers in an easy and, at the same time, transparent manner. However, it is unlikely that the BDPA would accept this as an excuse not to improve transparency. The BDPA emphasized that it had focused on tracking due to an increasing number of customer complaints. This indicates that customers are becoming more and more aware of their privacy, so it is in the interest of businesses to keep up with this development. In this respect, it is also important to know that complaints are often the starting point for further privacy investigations. Companies should thus try to stay in line with current guidance from data protection supervisory authorities and watch out for any new developments.