Top 10 GDPR Violaters Exposed
A month after the law became enforcable hundreds of high profile websites still have not made any efforts to impliment the new law. I contacted 14 of the top companies to find out what they are doing about it, and this is what they said.
What is GDPR
GDPR stands for General Data Protection Regulation and it is the new single data protection act which will make major changes to all of Europe’s privacy laws and will replace the outdated Data Protection Directive from 1995. GDPR compliance isn't just for European companies. GDPR applies to businesses of all sizes, regardless of whether you have 1 or 10,000 employees, and regardless of where you or your company is based. If you offer products and services to customers located in Europe, then GDPR will apply to you.
GDPR gives people more control over their personal data and forces companies to make sure the way they collect, process and store data is safe. The EU hopes to achieve a fundamental change in the way companies think about data - its central idea is "privacy by default."
Key Points of GDPR
Here are a few key points about GDPR which I have looked for to identify compliance. It is by no means an exhaustive list.
Personal data is any information relating to an identified or identifiable natural person. This includes IP address, email addresses and telephone numbers.
1. Informed, Explicit Concent
A website must ask for a visitors express consent BEFORE storing any information about the user. Implied Consent is no longer enough. Banners stating messages such as "By using this site, you accept cookies" DO NOT COMPLY with the new regulations. This is because implied consent is not considered valid under Article 4(11) .
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;REGULATION (EU) 2016/679, Article 4(11)
2. Consent must be freely given
A website must give users the option to OPT-IN to cookies, tracking cookies, personalised advertisements and storage and processing of information. You cannot present a form or options with pre-ticked boxes which users then have to uncheck or toggle off.
pre-ticked boxes or inactivity should not constitute consent.REGULATION (EU) 2016/679, Recital 32
3. Services must not be withheld for non-consent
Websites should not deny or block access to services or content if the user does not agree with non-essential data collection. That means, for example, you cannot stop a user from viewing an otherwise freely accessible website if they do not agree to ad personalisation or analytics tracking.
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.REGULATION (EU) 2016/679, Recital 42
4. Make it easy for people to withdraw consent
Once a user has agreed and consented to data collection and processing, they must have the option to, at any time, withdrawal consent and the process of withdrawing consent must be as easy as it is to grant consent. This means that if a button is used to opt-in, then a button must be used to opt-out.
The data subject shall have the right to withdraw his or her consent at any time. (…) It shall be as easy to withdraw as to give consent.REGULATION (EU) 2016/679, Article 7(3)
What if companies fail to comply?
European regulators can fine companies up to 4% of annual global sales, which for the big tech firms could run into billions of dollars. Penalties for smaller firms would be capped at €20 million ($23.5 million).
Failure to comply with GDPR can be very costly to businesses so it is important to be fully compliant.
Websites Found not Complying with GDPR regulations
Facebook & Google
Facebook and Google have become the targets of the first official complaints of GDPR noncompliance, filed on the day the privacy law takes effect across the EU. Both companies (and their subsidiaries such as Instagram and WhatsApp) force users into agreeing to new terms of service, which is in breach of the requirement in the law that such consent should be freely given. This is in direct violation of Recital 42.
Max Schrems, the chair of Noyb, said: "Facebook has even blocked accounts of users who have not given consent. In the end, users only had the choice to delete the account or hit the agree button – that’s not a free choice".
Facebook said in a statement that it had spent 18 months preparing to make sure it met the requirements of GDPR.
Google told the BBC: "We build privacy and security into our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation."
So it seems clear that both Facebook and Google believe that their policy is correct and not in violation of GDPR, meanwhile Noyb is filling four complaints in the European courts over forced consent. Watch this space to see the outcome.
The BBC is a state-funded media company in the United Kingdom. You would have thought that because of this they would at least make an effort to comply with the new law. In fact, they do not at all comply at all. On entering a BBC website, you are simply greeted with a message stating that they have updated their policy. Not even that they set cookies and if you are unhappy don't use the site. The user is unaware that any cookies have been set or used (7 cookies were set on initial page load), neither do they give any options to opt-out or withdrawal consent. Shame on you.
I contacted the BBC and their response was simply:
The BBC has already made some changes to our websites, and we will continue to make improvements over time.
The Daily Mirror
The Daily Mirror, and other websites of the same media group use an opt-out system which is not allowed. By this I mean they automatically set all the options to opt-in and if you do not consent you have to go into the options and manually untick all the boxes. Additionally, the website is not mobile friendly, meaning that anyone browsing the site on a smartphone cannot see the options to opt-out, only accept all.
I contacted Reach PLC, the parent company of the Daily Mirror and the other websites, and have not had any reply from them.
I contacted the online help department for the Guardian website and shortly after publishing this article they had fixed their GDPR implimentation.
On landing, on the homepage, my browser (Firefox) stored a staggering 122 cookies, not one of which was essential or required for the operation of the site. They were all advertising, tracking and marketing.
I contacted the Telegraph Media Group and have not had any reply from them.
ASDA, part of the Walmart Group, is one of the largest grocery stores in the UK. Their online shopping website is not compliant with GDPR as it only offers implied concent options - and the message is hidden away at the bottom of the site. By landing on the homepage they set 20 tracking and analytics cookies.
They do have a Privacy Center and list details of the Data Protection Officer. The page itself does not list anything meaningful and does not amount to a policy. It merely states:
We collect a wide variety of information about people and we use it in lots of different ways
I contacted the Data Protection Officer, and have yet to receive a response.
37 cookies were stored in the browser just by visiting the homepage. There was a mixture of session cookies, advertising, media, some "insights advisor" which is some kind of persistent tracking.
To deliver relevant online advertising to you both on our websites and elsewhere. This is sometimes done by combining data that we already have about you with the data collected through Cookies.
To me, this reads that they use ad-personalisation and persistent tracking technologies without user consent.
I contacted Sainsbury's privacy team and this is what they had to say.
At the moment we have put in place an updated cookie banner so we are more explicit with our customers about the sorts of cookies that we use. Within our cookies policy we direct customers to http://www.allaboutcookies.org/ where individuals can find instructions about how to manage cookies through their browser settings.
We are aware of the requirements of the GDPR and we are also aware that some businesses have changed the way that they obtain cookie ‘consent’. We are currently reviewing the various mechanisms that are available. We are also monitoring the draft e-Privacy Regulation and are speaking to the ICO.
Compare the Market
Another top consumer site which deals with a lot of personal data is Compare the Market price comparison site. I would have expected such a high profile site dealing with large quantities of personal information to at least make an effort in being compliant.
They also state that information is gathered from the information you provide on the site and also information held by their partners.
We will also obtain certain personal data about you from the insurance partners on our panel
The policy also states that they use various tracking technologies and store personal information including IP address (without consent)
This is deeply concerning, since any time they send an email or visit the website without notification or consent they are collecting and storing personally identifiable data about you.
I contacted the support team (the only address I could find for website issues) and have not had a reply as of the time of writing.
Information Commissioner's Office
Finally, https://ico.org.uk/, the UK governing body responsible for enforcing GDPR itself does not comply with the new laws and doesn't even comply with its own advice!
They continue to use the implied consent model and store 11 browser cookies without consent. Some of these they list as essential cookies, whilst others are analytics. 6 cookies are unidentifiable and are not listed on the page detailing all the cookies they use on the site.
As the body responsible for enforcing GDPR compliance and handing out fines for non-compliance, I found it shocking that their site does not comply. I feel that they should be setting an example for others to follow.
I think it is fair to say that recent and upcoming changes in the law have caused some confusion in this area. The e-Privacy Regulation, which was supposed to come into force at the same time as the GDPR, won’t now be in place until next year at the earliest. This disconnect has not been helpful. And Article 95 of the GDPR (which deals specifically with the relationship between the GDPR and Directive 2002/58/EC (which currently governs cookie consent) states that the GDPR shall not impose additional obligations on businesses in relation to the Directive. This conflicts with the change to the definition of consent that the GDPR would seem to make to Directive 2002/58/EC.
Who did GDPR well?
These are a selection of website that has implemented GDPR the best. Although some of them are not in total compliance, they serve as examples of some of the best implementations out there.
Make Use Of
Technology and gadget blog Make Use Of, has a nice widget which prompts users to opt-in to various tracking or analytics. There are 5 toggles which control what types of cookies are used and the default is to opt out of all.
Future Publishing also features a nice widget in which users can opt-in to selected cookies or reject all.
Western Digital continues the trend of popup widgets to allow users to opt-in, however, for some unknown reason their implementation is very, very slow. In fact, it was taking upwards of two minutes to opt-out of all the cookies from various partners.
Yahoo, part of the Oath group presents all new users with a huge, full-page, message stating several messages and the options available to you.
Yahoo is now part of the Oath family. Due to EU data protection laws, we (Oath), our vendors and our partners need your consent to set cookies on your device to use your search, location and browsing data to understand your interests and personalise and measure ads on our products.
They then give you the option of opting into various partners cookies and analytics with the defaults being not allowed. It's a bit of a maze navigating the various options but it is compliant.
What are your experiences of GDPR compliance on websites? Have you found any examples of blatantly ignoring of the rules, or website which has a very sleek implementation of cookie and privacy control? Let us know in the comments below.
Last updated on: Tuesday 30th October 2018