While only a small number of websites were targeted in the sweep, the results indicate a total lack of even basic information regarding privacy and the inability for users to give unambiguous consent for the placement of tracking technologies or cookies on their devices.
Read full report here
The DPC states that “most ordinary users will not be aware of the extent to which they may be tracked across their devices at home and at work, and across their browsing, reading and social habits”.
Although users are rarely tracked by name, the ability to track them by unique identifiers set through cookies means users are being targeted as individuals.
Such targeting/profiling is subject to the GDPR and requires valid consent from the users of the website.
Six month grace period before enforcement
The fact that bad practices are widespread even among companies and websites that are household names suggests a more systemic issue that must be tackled.
The new guidance will be followed by possible enforcements where controllers fail to bring themselves into compliance voluntarily.
The DPC sets the grace period to six-months for websites to get compliant.