The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) recently reviewed over 1,000 websites operated in Hamburg for compliance with data protection regulations. As part of an automated audit, the websites were randomly selected and assessed, with a particular focus on the use of third-party services such as Google Ads or Facebook.
Findings:
185 of the audited websites showed data protection deficiencies – mainly because tracking tools were already active upon page load without obtaining valid user consent beforehand.
Most frequently affected services included:
Google Analytics, Google Maps, Google Ads, YouTube, Facebook, Vimeo, and Microsoft Advertising.
New Guidance Available:
As part of the audit, the HmbBfDI published a guideline on how businesses can ensure their websites are compliant with data protection laws.
In most cases, website operators must obtain consent before using cookies or other tracking services. Often, two consents are required (under TTDSG and GDPR), which can be collected simultaneously.
Key requirements for cookie banners:
The selection buttons (e.g., “Accept All,” “Reject All”) should be designed consistently.
- Clearly state the purposes of processing
- List all third-party providers involved
- Provide a link to the privacy policy
- Include information that consent can be withdrawn at any time
Our Recommendation:
Take this opportunity to carry out a data protection audit of your website.