October 17, 2022

Study finds 81% of French companies are not compliant with GDPR

In 2022, we are celebrating the 4th anniversary of the General Data Protection Regulation implementation in Europe. This regulation has been created to ensure a sufficient level of protection when it comes to the personal data of European citizens. It applies to every single company storing and recording data in the EU. Today we will analyze and review several companies to check whether they are compliant or not.

What are GDPR obligations for a website?

Most websites gather data by using different types of cookies and trackers. Under GDPR, certain rules must be respected while collecting personal information. You can find more details in this post. We will here summarize some very important points recommended by the French Data Protection Authority, the CNIL (Commission Nationale de l'Informatique et des Libertés):

  • Before presenting users with the option to accept or reject cookies, the cookie consent banner must provide information about the purpose of each cookie or cookie category. A brief description should follow each purpose.
  • Non-essential cookies must not be placed before the user has made a clear choice.
  • The cookie banner must include a link that points to a cookie policy (or privacy policy) page containing detailed information about cookies and services in straightforward, clear and transparent language.
  • The "Accept All" and "Reject All" buttons must be of the same color and given the same level of prominence.
  • Avoid pre-ticked boxes or pre-activated toggle switches.
  • Allow visitors to give granular consent.
  • Renew all cookie choices after 6 months.
  • Visitors should have the option to withdraw their consent at any time (through a preference center).
  • Consents should be securely stored and documented so that they can be demonstrated to be valid.

Let’s take two concrete examples to illustrate. 

First example: the really bad one.

In the example below, you can see a perfect example of a bad player. This company is infringing on several GDPR requirements:

  • The cookie banner has no real effect on whether cookies are placed or not.
  • No opt-in, no "Accept All" and "Reject All" buttons.
  • Impossible to modify or withdraw consent.
  • Non-essential cookies are placed before any consent is given (that's a very bad one).
  • No privacy or cookie policy is clearly stated.

This company is accumulating infringements. If any authority decides to audit them, they are risking heavy penalties and serious damage to their brand reputation.

Second example: the almost good one, but still not compliant.

  • Real cookie banner, with "Accept All" and "Reject All" buttons.
  • Privacy and cookie policies are in place.
  • Granular choices are available.
  • Ability to withdraw consent.
  • Non-essential cookies are still being placed before consent…

This other company is doing almost everything well but is not compliant on one very important point. Probably the solution they are using does not include automatic cookie blocking; if it does, then they are doing it on purpose. Because let's face it, data has a lot of value and some companies are not willing to give up even a tiny portion of it.
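The "automatic cookie blocking" that the second company is missing is the technical counterpart of the CNIL points listed above (no pre-ticked choices, granular consent, withdrawal, 6-month renewal). The following added example, which is not code from the original post or from Secure Privacy, models that gate: non-essential scripts ship inert and are only activated once a valid, explicit choice for their category exists. The category names and the 182-day approximation of six months are assumptions made for the illustration.

```javascript
// Consent gate for non-essential cookies (added example, not the post's own code).
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // assumption: "6 months" ~ 182 days
const CATEGORIES = ["analytics", "marketing"];   // constructed non-essential categories

// Default state before any interaction: nothing pre-ticked, no decision recorded.
function defaultConsent(now) {
  const choices = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  return { timestamp: now, choices, decided: false };
}

// A stored record only counts if the user actually decided and it is < 6 months old,
// which forces the banner to be shown again after that period (renewal rule).
function isConsentValid(record, now) {
  if (!record || !record.decided) return false;
  return now - record.timestamp < SIX_MONTHS_MS;
}

// Granular consent: only categories explicitly set to true are granted.
function recordChoice(choices, now) {
  const normalized = Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true]));
  return { timestamp: now, choices: normalized, decided: true };
}
function acceptAll(now) {
  return recordChoice(Object.fromEntries(CATEGORIES.map((c) => [c, true])), now);
}
function rejectAll(now) { return recordChoice({}, now); }
// Withdrawal from a preference center is just a fresh "reject all" decision.
function withdrawAll(now) { return rejectAll(now); }

// The actual gate: essential scripts always load; a non-essential category loads
// only when there is a valid, positive choice for exactly that category.
function mayLoad(category, record, now) {
  if (!CATEGORIES.includes(category)) return true;
  return isConsentValid(record, now) && record.choices[category] === true;
}

// Browser hookup (no-op under Node): tags are shipped as
// <script type="text/plain" data-consent="analytics" src="..."> so the browser
// never executes them; they become real scripts only when mayLoad() allows it.
function activateScripts(record, now, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayLoad(inert.dataset.consent, record, now)) continue;
    const live = doc.createElement("script");
    if (inert.src) live.src = inert.src; else live.textContent = inert.textContent;
    inert.replaceWith(live);
    activated += 1;
  }
  return activated;
}
```

Call `activateScripts(storedRecord, Date.now())` on page load and again right after the banner records a choice; with no record, or a record older than six months, every non-essential script stays inert.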

Do companies meet all of those requirements?

The short answer is no. We audited 300 European websites, from small and midsize companies to enterprise corporations. What we found was expected but still shocking: 81% of those companies are not compliant with GDPR. Some of them are doing a few things right, others are doing everything wrong. Something we notice quite often is that those non-compliant companies underestimate the risk, even though the numbers speak for themselves.

In 2021, more than 14,000 complaints were filed with the CNIL. This was an all-time record, and the DPA has stated that it aims to increase its controls and sanctions in the upcoming years. As a reminder, not complying with GDPR can result in a fine of up to 4% of annual worldwide turnover. As a result of these controls, the CNIL imposed more than €214 million in financial penalties in 2021 (compared to €138 million in 2020).

Underestimating the risk and overestimating the compliance process.

Many DPOs would love their website to be 100% compliant, and most of them are truly convinced of the benefits of GDPR implementation. While talking to many of them, we sometimes noticed that their sense of responsibility was limited to personal training and raising awareness. They are quite limited in the actions they can take. Usually, a DPO will reply that ultimately, it is the legal responsibility of the CEO. That is a big mistake. A DPO should be the direct representative of GDPR within the company. You can find more information on five recurring problems that DPOs face regarding GDPR compliance and how to solve them.

The GDPR seems complicated: it contains a lot of legal wording and reads like a hard-to-read, hundred-page document. That appears quite heavy and almost impossible to address; GDPR has been made more complex than it needs to be. Fortunately, many companies exist to popularize it and make it understandable. Some organizations have even created diverse technologies aimed at directly tackling this ongoing problem.

Some companies even adopted a Privacy by Design approach, which we strongly encourage.

At Secure Privacy, we try to make GDPR and every other data privacy law as easy to understand as possible. Our mindset is to analyze and understand legal inputs and turn them into technology outputs and concrete steps and actions to take.

How do I ensure my website is compliant?

There are many ways to analyze whether your domain is compliant or not. One of them is to take advantage of the Secure Privacy GDPR compliance scanner to get insights and recommendations quickly. Our scanner will:

  • Automatically find and categorize the cookies you are placing.
  • Analyze where the problems are and how to solve them.
  • Assess the validity of your cookie/privacy notice.
  • Evaluate any risks of potential data breaches.
  • Detect end-to-end encryption.

If your website is not compliant, you should look at some Consent Management Platforms and make sure the solution you choose meets the legal requirements.

Conclusion

Having a compliant website is not a nice-to-have but a must-have. A lot of website owners misjudge and underestimate the risks of not being compliant. In case of infringements, the consequences are severe. It is not only about receiving a fine; it is about transparency toward customers, respect, and taking their data very seriously. Violating legal requirements is never good advertising for any company.