Cookie Consent: Effective or Deceptive?

Kaamel Lab

Kaamel Privacy Research Lab
If your company sells products or services to European customers, your website or application must comply with European privacy regulations, including the ePrivacy Directive (EPD, a.k.a. the Cookie Law) and the General Data Protection Regulation (GDPR). Like most companies, you have probably deployed a cookie banner to collect user consent. Does the presence of a banner alone guarantee compliance with cookie requirements in Europe?
The answer is NO.
Case in point: on December 29, 2023, the French data protection authority, the National Commission on Informatics and Liberty (CNIL), sanctioned Yahoo EMEA Limited with a 10 million euro fine for depositing advertising cookies without a user's consent on its "Yahoo.com" site, even though Yahoo.com already presented a cookie banner to collect consent.
The key takeaway? You can’t place non-essential cookies without user consent. Until a user actively engages and gives consent, or if they reject all non-essential cookies, your website shouldn't place any non-essential cookies.
If all this seems complicated, don't worry, you're not alone. We assessed 64 Fortune 500 companies that sell products or services directly to European customers and found that a staggering 70% were not compliant with GDPR.

70% of Fortune 500 Companies in Test Group Are Not Compliant

Kaamel Privacy Research Lab selected 64 Fortune 500 companies that directly engage with European customers to analyze how their websites handle cookies through cookie banners. Notably, these websites also tend to utilize advertising and tracking cookies to tailor services to individual users, as well as cookie management services designed to relieve developers of managing consent functionality. In addition to cookies, we selected businesses collecting personal details like names, addresses, and payment information via their websites to facilitate smooth transactions.
As a rule of thumb, to adhere to EPD and GDPR standards, websites should:
  • Refrain from collecting any personal data or deploying non-essential cookies until the user has given their consent.
  • Provide an easy way for users to review data collected through cookies and web beacons, and to choose whether to consent to such data collection.
  • Avoid collecting any non-essential data or deploying non-essential cookies if the user declines cookie consent.
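The first and third rules can be tested mechanically: capture the cookies a site sets before any interaction and again after the user clicks "reject all", then flag everything that is not on an allowlist of essential cookies. The script below is an added example, not the lab's tooling or code from this post. It assumes a hypothetical first-party host `shop.example`, an assumed allowlist of essential cookie names (including the consent-state cookie itself), and constructed captures of `Set-Cookie` headers paired with the host that sent each response. A cookie is treated as third-party when its effective domain is not the site or one of its subdomains.

```python
from http.cookies import SimpleCookie

# Hypothetical first-party host and essential-cookie allowlist (assumptions, not from the post).
SITE_HOST = "shop.example"
ESSENTIAL_COOKIES = {"session_id", "csrf_token", "cookie_consent"}


def same_site(host: str, site_host: str = SITE_HOST) -> bool:
    """True if host is the site itself or one of its subdomains."""
    host = host.lstrip(".").lower()
    site = site_host.lower()
    return host == site or host.endswith("." + site)


def parse_observations(observations):
    """Turn (responding_host, Set-Cookie header) pairs into cookie records.

    The Domain attribute wins when present; otherwise the cookie belongs to
    the host that sent the response (a host-only cookie).
    """
    records = []
    for response_host, header in observations:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain = (morsel["domain"] or response_host).lstrip(".").lower()
            records.append({
                "name": name,
                "domain": domain,
                "first_party": same_site(domain),
                "essential": name in ESSENTIAL_COOKIES,
            })
    return records


def non_essential_by_domain(records):
    """Group non-essential cookie names by the domain that set them."""
    grouped = {}
    for rec in records:
        if not rec["essential"]:
            grouped.setdefault(rec["domain"], []).append(rec["name"])
    return {domain: sorted(names) for domain, names in sorted(grouped.items())}


def audit(before_consent, after_reject):
    """Apply the two rules a script can test: nothing non-essential before
    consent, and nothing non-essential after the user declines."""
    before = non_essential_by_domain(parse_observations(before_consent))
    rejected = non_essential_by_domain(parse_observations(after_reject))
    return {
        "set_before_consent": before,
        "set_after_reject": rejected,
        "compliant": not before and not rejected,
    }


# Constructed sample captures: what a crawler saw on first load, and what it
# saw after clicking "reject all". Hosts, names and values are made up.
BEFORE_CONSENT = [
    ("shop.example", "session_id=9f1c2a; Path=/; Secure; HttpOnly"),
    ("shop.example", "cookie_consent=pending; Path=/; Max-Age=31536000"),
    ("shop.example", "_ga=GA1.2.1111; Domain=.shop.example; Path=/; Max-Age=63072000"),
    ("pixel.adnet.example", "uid=42; Domain=.adnet.example; Path=/; Secure"),
]
AFTER_REJECT = [
    ("shop.example", "cookie_consent=rejected; Path=/; Max-Age=31536000"),
    ("pixel.adnet.example", "uid=42; Domain=.adnet.example; Path=/; Secure"),
]

if __name__ == "__main__":
    import json
    # Reports _ga (first-party analytics) and uid (third-party) set before consent,
    # and uid still being set after rejection, so compliant is False.
    print(json.dumps(audit(BEFORE_CONSENT, AFTER_REJECT), indent=2))
```

In practice the captures should come from a real browser's cookie store after the page has finished loading, because cookies written from JavaScript via `document.cookie` never appear in a `Set-Cookie` header; the header-based input here only keeps the example offline. The allowlist is the part that needs judgement: anything not on it is reported, so it should contain only cookies the site genuinely cannot function without.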
Looking at our group of Fortune 500 firms that gather personal data from European customers, we noticed some concerning patterns regarding cookie compliance:
  • 14% (9 out of 64) lack a proper cookie consent banner, preventing users from making informed decisions about data collection.
  • 70% (45 out of 64) deploy non-essential cookies before obtaining user consent.
  • 44% (28 out of 64) deploy non-essential cookies even after users decline cookie consent.
The diagram below highlights the top 10 perpetrators of placing cookies before a user gives consent and after a user refuses all cookies. Remarkably, Company B's website sets 21 third-party non-essential tracking cookies before gaining user consent and continues to deposit three non-essential cookies even after a user has expressly rejected all non-essential cookies. This is a direct violation of GDPR regulations.
[Figure: top 10 companies by number of cookies placed before consent and after a user refuses all cookies]
The leading tracking vendors on Fortune 500 company websites include Google, Adobe, Akamai, Twitter, and YouTube. Google tops the list, used by 21 companies before user consent. Notably, a user's rejection removes Google tracking at only 11 of those companies.
[Figure: leading tracking vendors deployed before consent and still present after rejection]
The absence of an appropriate cookie consent mechanism, along with the placement of non-essential cookies prior to obtaining user consent or following user rejection, constitutes violations of both the ePrivacy Directive (EPD) and the General Data Protection Regulation (GDPR). Considering that the average Fortune 500 company has revenues of $42 billion, non-compliance could be costly. Under GDPR, severe infringements can incur fines of up to €20 million or 4% of the previous fiscal year's global annual revenue, whichever is higher. Therefore, non-compliance could potentially cost a company hundreds of millions of dollars.

Conclusion and Outlook

Privacy leaders at top Fortune 500 companies understand the critical importance of gaining user consent for non-essential cookies to adhere to EPD and GDPR. Shockingly though, 70% of the companies tested don't meet this requirement. The underlying cause is typically a disconnect between the compliance, development, and marketing technology teams. When a cookie consent policy is put in place, there is rarely a mechanism to validate that product development actually aligns with that policy, and this gap leads to cookie consent violations.
Another compliance inhibitor is the monetary incentive to keep tracking technologies in place. Adtech and marketing tech are deployed to drive website conversions and revenue. In our experience, incentives and investments in public-facing privacy compliance are often found only in the largest and most sophisticated consumer technology companies.
European regulators aren't the only ones concerned about deceptive cookie consent. The FTC in the United States cautions companies against misrepresenting how they collect and share user information without explicit consent. In a public letter, it stated, "[T]he Commission considers it an unfair or deceptive act or practice to use tracking technologies such as pixels, cookies, APIs, or SDKs to amass, analyze, infer, and transfer information collected in a Confidential Context for the purposes described in the prior paragraph without first obtaining affirmative express consent. It is also an unfair or deceptive practice to misrepresent or omit material facts regarding the use or confidentiality of information collected in a Confidential Context through tracking technologies such as pixels, cookies, or SDKs."
To maintain alignment with corporate policies and regulatory compliance standards, you should periodically verify that your cookies, pixels, and mobile app SDKs are behaving as expected. Given the evolution of global privacy regulations, combined with changes in your web and mobile apps, your adtech and marketing tech programs, and your third-party services, it is easy to fall out of compliance without noticing.
If you have any questions about this report or are interested in seeing a sample of an automated privacy posture review for your web or mobile apps, please reach out to us at info@kaamel.com.