The new European General Data Protection Regulation (GDPR) entered into force on 25 May 2018.
The most important GDPR-related changes concerning cookies are:
- Cookies are regarded as online identifiers and thus as personal information.
- The collection and processing of personal information (including cookies) requires the visitor’s consent.
- Visitors must be able to revoke their consent to cookies at any time, in the same simple way as the consent was given.
- A legitimate interest can be claimed for necessary cookies, that is, cookies required for the operation of the website.
- A legitimate interest cannot be claimed for targeting cookies, which transmit the website's user information to social media networks and advertising networks for profiling, targeting or re-marketing purposes. Explicit consent is required for these cookies.
GDPR also applies to Swiss websites and companies that address their services to EU citizens or collect and process data from EU citizens. This means that a cookie banner is mandatory for all of these Swiss companies.
Do Swiss Websites Comply with GDPR?
Two months after GDPR came into force, we analyzed one hundred websites from the top 500 Swiss companies. These hundred websites were selected from all industries. The Swiss version of the website was subjected to a manual check to determine whether the website contains a cookie banner and what cookie management options are available.
Only 50% Have a Cookie Banner
Exactly half of all websites have a cookie banner that prominently informs the visitor about the cookies used on the website. Luckily for these companies, the current Swiss Data Protection Act does not (yet) prescribe cookie banners.
- 11% of websites have only an information banner, which can be closed or which disappears when the visitor clicks a link on the site.
- 27% have an OK or Accept button on the banner in addition to the information.
- 12% offer additional cookie settings in the cookie banner.
Only 6% of Cookie Banners Comply with GDPR
According to GDPR, website visitors must be able to give their consent to cookies individually for each cookie category. A distinction is made between the following four cookie categories:
- Strictly necessary cookies: These are CMS cookies, for example, without which the website would not function. Here an implicit agreement from the website visitor is sufficient.
- Functional cookies: These can be cookies that guarantee the functioning and accessibility of the website. Here, too, an implicit consent from the visitor is sufficient.
- Performance cookies: These are cookies that measure the use of the website, such as web analytics tools like Google Analytics. Here too, an implicit agreement is sufficient.
- Targeting cookies: These are marketing cookies that track visitors to the website for retargeting and profiling purposes, for example from social media networks such as Facebook. These cookies require the explicit consent of the website visitor.
We have found the following cookie approval models on the Swiss websites:
- No cookie banner: all cookies are set without notice.
- Cookie banner with a notice: all cookies are still set, but with a notice that the visitor agrees to this by continuing to use the website.
- Cookie banner with consent model: for all cookies except the necessary cookies, the explicit consent of the visitor is obtained. Without this consent, these cookies are not set.
The distribution of these three models is as follows:
- 50% of websites do not have a cookie banner and all cookies are set without consent.
- Only 6% of all websites are 100% GDPR compliant and only set the necessary cookies. For all other cookie categories, the visitor must give explicit consent, without which they will not be set.
The results indicate a high degree of uncertainty among Swiss companies as to how GDPR should be applied in Switzerland. Many do not seem to know exactly what applies to Swiss companies and what GDPR means for their websites.
It is true that GDPR, as a general regulation, does not deal in great detail with all questions relating to digital communication. In these areas, the EU e-Privacy Regulation, which is expected to be introduced in 2019, will create further clarity in the handling of electronic data.
However, GDPR as a basic regulation represents a fundamental right of every European and can already be applied to the processing of personal data.
In summary, with over 50% of websites using a cookie banner, it is clear that GDPR is also an issue for Swiss companies and that they are adapting their websites for European visitors.
Nevertheless, only a very small proportion (6%) of the websites are GDPR-compliant.
Companies whose websites fall under GDPR are advised to review their online channels for GDPR compliance in order to avoid warnings and fines.