Participating in the Safer Internet Day (SID) program, the Bavarian State Office for Data Protection Supervision reviewed websites with a wide reach and examined the security of user accounts and the use of tracking tools. Although some of the most prominent Internet services were reviewed, the results are sobering from a data protection point of view.

The data protection audit initially focused on the security of user accounts of the relevant services, in particular examining how website operators handle their users' passwords. Various types of online services were examined, including streaming and video portals, email services, electronics shops, photo services, health and cosmetics websites, furniture stores, fashion stores, price comparison sites, and social networks. 22 items were examined with regard to registration and 17 in connection with login.

The Bavarian State Office for Data Protection Supervision found that none of these services took sufficient measures to require strong passwords from users. For example, very weak passwords such as "123456," "Password," or even "0000" were frequently possible. Only a few of the services offered additional security measures and assistance to protect accounts. The Bavarian State Office for Data Protection Supervision announced that it will follow up on the shortcomings at the companies by written procedure or on site.

The findings in connection with the use of tracking tools and cookie banners were even more interesting from a data protection perspective. Forty large Bavarian providers were examined with regard to whether users were transparently informed about the integration of third-party providers, in particular tracking tools, on the website. The check included online stores, media companies, insurance companies, banks, sports teams, and other website operators (a detailed list is available on slide 21 of the results paper). The State Office found that all providers use tracking tools, but only a quarter of the websites inform users transparently about the use of these tools. The remaining providers either did not inform users at all or informed them only insufficiently about the use of tracking tools as part of their privacy policies. Considerable potential for improvement has also been identified regarding the use of cookie banners. 20% of websites, for example, failed to ask users to consent to the use of cookies at all. Even where consent was obtained, however, in not a single case was it obtained with legal effect: consent was either not given in advance, was given uninformed, or lacked voluntariness (deficiencies in the consents can be found on page 25 of the results paper).

In addition, the Bavarian State Office for Data Protection Supervision found that only one of the forty websites offered the option of preventing profiling on the basis of users' browser settings (results on profiling on page 26 of the results paper).

Thomas Kranig, President of the Bavarian State Office for Data Protection Supervision, commented on the sobering findings as follows:

"The result of this data protection check was significantly worse than that of the cyber security check: all of the examined websites committed data protection infringements in the use of tracking tools. Our audit will have impacts on the relevant companies. We have decided to remedy these deficiencies and to evaluate the initiation of fine proceedings. We expect large companies in particular to be in a position to comply with statutory requirements."

Recommendation for action:

We strongly recommend that websites be checked for data protection compliance, in particular with respect to the use of tracking tools and obtaining consent. Even though the Bavarian State Office for Data Protection Supervision is currently focusing on well-known website operators, all companies may be subject to a data protection audit.

Link to the results paper of the Bavarian State Office for Data Protection Supervision:

https://www.lda.bayern.de/media/sid_ergebnis_2019.pdf
