What can we learn from the mistakes of Jubel?
The first Belgian Cookie fine: what do we learn from six mistakes Jubel made?
The fine of EUR 15 000 is only part of the cost of this sanction. Add the legal costs and the technical development work needed to fix the site, and the total easily comes to three times that amount.
Jubel was not a website that had ignored the rules altogether; on the contrary, they had installed Cookiebot. They were simply unlucky to be among the first websites the Belgian Data Protection Authority (GBA) selected for a check.
The inspection report is publicly available, and out of interest we have dissected it completely from a technical point of view. It gives a clear picture of which defects came to light at Jubel.be and what we can learn from them for our own website and those of our customers.
The report also contains many remarks about missing or incorrect legal texts, poor choice of words and wrong translations. For that side of the work we cooperate with our legal partner Sirius Legal on our CookieScan projects.
Can we learn from their mistakes in order to avoid such fines ourselves? And, just as important for a marketing-driven site: how do we ensure that no important data (such as where a visitor came from) is lost in the process?
First problem: CCPA instead of GDPR
CCPA stands for California Consumer Privacy Act and refers to Californian law. During the GBA's first inspection of the Jubel website, this legislation was shown instead of the European one. This was not a deliberate choice by the developers: many plug-ins can geolocate the visitor's IP address and show the banner that matches the visitor's country.
Small note: the inspector at the GBA was probably browsing through a proxy or VPN (incognito mode alone does not change your IP address), because his IP address was not recognised as a European location. In that case Cookiebot fell back to CCPA. Bad luck for Jubel, and the first major trigger for a further investigation.
Solution: make sure the banner falls back to the GDPR (opt-in) regime whenever the visitor's country cannot be determined. On a Belgian website, CCPA should never be the default.
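As an added illustration of this fail-closed default (example code written for this article, not Cookiebot's or OneTrust's configuration; the function and field names are hypothetical), the following selects a consent regime from a geolocation result and treats an unknown country exactly like a European one:

```javascript
// Added example: pick the consent regime for a visitor from a geolocation
// lookup, failing closed to GDPR (opt-in) when the lookup gives no usable
// country. Hypothetical helper, not a vendor API.

// EU-27 plus the EEA countries (Iceland, Liechtenstein, Norway).
const EU_EEA = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR',
  'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK',
  'SI', 'ES', 'SE', 'IS', 'LI', 'NO',
]);

// `geo` is whatever the IP lookup returned, e.g. { country: 'US', region: 'CA' },
// or null/undefined when the lookup failed (proxy, VPN, unknown range).
// `siteDefault` is the regime to use whenever we cannot prove otherwise;
// for a Belgian site that must be 'GDPR', never 'CCPA'.
function selectRegime(geo, siteDefault = 'GDPR') {
  const country =
    geo && typeof geo.country === 'string' ? geo.country.toUpperCase() : null;
  if (!country) return siteDefault;          // lookup failed: fail closed
  if (EU_EEA.has(country)) return 'GDPR';
  if (country === 'US' && geo.region === 'CA') return 'CCPA';
  return siteDefault;                        // anywhere else: strictest regime
}
```

The mistake the report describes is the mirror image of this function: a lookup that fails resolves to the most permissive regime instead of the strictest one. Whatever plug-in you use, test the banner once through a VPN exit outside Europe and once with geolocation disabled, and check that both show the opt-in banner.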
Second problem: No Opt-In
In the first version of the site, cookies were set without the user's consent. In a later version, the boxes to give consent were ticked in advance. Both practices are common, and neither is allowed under the rules. You don't have to be a technician to see that this is wrong.
Solution: always choose opt-in as the consent method and make sure that only the strictly necessary cookies are ticked by default.
Third problem: texts in the wrong language
The Jubel website is available in two languages, and the GBA requires that a visitor who uses the Dutch version sees Dutch for all texts, including the cookie consent banner, the cookie management screen and the privacy statement. The same applies to French-speaking visitors. Extra attention should also be paid to how simply these texts are formulated: everyone must be able to understand them, so a wall of technical jargon is out of the question.
Take this into account when choosing your cookie solution. Many plug-ins do not include this as standard (it is often part of an extra licence) and only ship English texts. Linking the right language to the right cookie texts will also require extra programming and translation work on your website.
Fourth problem: The right to revoke consent
Once the user has accepted all cookies, the website must still offer a way to withdraw that consent at any time. Very few websites do.
Be sure to check the following on your website; it may be enough to avoid a deeper inspection. For the first four problems you don't need to be a technical person.
Clear all your cookies (tip: there are many Chrome add-ons for this) and check whether a cookie consent banner is displayed.
Do you have a website in two languages? Test whether the banner appears in the right language on each version.
Does your consent banner contain a link to a cookie statement?
Provide at least two buttons: one to 'allow all cookies' and one to 'set preferences'.
Verify that every cookie is assigned to a category and that only the strictly necessary category is ticked by default.
After all cookies have been allowed, does a banner or link remain available to adjust the cookie settings?
Fifth problem: Google Analytics cookies are incorrectly referred to as strictly necessary
This is the sore point for most large sites, and it gives us as an agency a lot of headaches. From here on it also becomes a lot more technical.
The problem? If no Google Analytics hit is sent at the start of the session, we usually no longer know how a new visitor arrived (organic, newsletter, Google Ads campaign ...), even if that visitor accepts all cookies a few seconds later.
This will require quite some lobbying from our sectors (marketing, e-commerce ...) to work towards a possible relaxation. There are solutions, but they require extra programming work and therefore real technical knowledge.
We put three random sites with a large annual turnover to the test and checked whether they comply with this rule. The requirement: no GA pageview may be fired before consent has been given.
Conclusion: very few sites meet this requirement.
Solution: auto-blocking as the default. OneTrust blocks all cookies that are not strictly necessary while the site loads, so no data is transmitted. It does, however, keep track of where the visitor originally came from and still sends that data correctly once consent has been given.
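To make the mechanism concrete, the following is an added example written for this article, not OneTrust's or Cookiebot's code: a small consent gate that holds analytics events in page memory until the visitor answers the banner. Nothing is sent and no cookie is written before opt-in, yet the first-touch attribution (utm_* parameters or referrer of the landing page) is preserved and replayed the moment the analytics category is granted. It also honours withdrawal, which covers the fourth problem above. The transport is injected so the logic runs in Node as well as in a browser; all names are hypothetical.

```javascript
// Added example, not vendor code: consent-gated analytics that keeps
// first-touch attribution in memory instead of in a cookie.

const ANALYTICS = 'analytics';

// Derive source/medium/campaign the way an analytics tool would: from the
// landing URL's utm_* parameters or, failing that, from the referrer.
function parseAttribution(landingUrl, referrer) {
  const u = new URL(landingUrl);
  const p = u.searchParams;
  const refHost = referrer ? new URL(referrer).hostname : null;
  return {
    source: p.get('utm_source') || refHost || '(direct)',
    medium: p.get('utm_medium') || (refHost ? 'referral' : '(none)'),
    campaign: p.get('utm_campaign') || '(not set)',
    landing: u.pathname,
  };
}

// `send` is the injected transport: in a browser the real GA hit,
// in the test below a stub that collects what would have been sent.
function createConsentGate(send) {
  let attribution = null;    // captured once on landing, memory only
  let decided = false;       // has the visitor answered the banner?
  const granted = new Set(); // categories the visitor allowed
  const queue = [];          // events held while undecided

  const emit = (ev) => send({ ...ev, ...attribution });

  return {
    // Call on page load, before any tag runs. Writes nothing to storage.
    landing(url, referrer) {
      if (!attribution) attribution = parseAttribution(url, referrer);
      return attribution;
    },
    pageview(path) {
      const ev = { type: 'pageview', path };
      if (granted.has(ANALYTICS)) { emit(ev); return 'sent'; }
      if (decided) return 'dropped';   // visitor declined analytics
      queue.push(ev);                  // undecided: hold, send nothing
      return 'queued';
    },
    // Called by the banner with the categories the visitor ticked.
    consent(categories) {
      decided = true;
      categories.forEach((c) => granted.add(c));
      const held = queue.splice(0, queue.length);
      if (!granted.has(ANALYTICS)) return { flushed: 0, dropped: held.length };
      held.forEach(emit);              // replay with the original attribution
      return { flushed: held.length, dropped: 0 };
    },
    // The "withdraw consent" link: later events are dropped, not queued.
    withdraw(category) {
      granted.delete(category);
      return [...granted];
    },
  };
}
```

The important property is that the decision point, not the page load, is when the first hit leaves the browser, and that the hit still carries the source the visitor arrived with. Holding the attribution in page memory means it is lost if the visitor navigates away before answering the banner; that is the price of writing nothing to the browser before consent.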
Sixth problem: a cookie statement for each cookie
The GDPR (AVG) is not that strict here: it only requires a more granular choice than simply "all" or "nothing". The GBA's Litigation Chamber takes the view that, in the first instance, consent need not be obtained per cookie but per type of cookie.
Every cookie must be placed in one of the cookie categories (strictly necessary, functional, analytics, ...). Doing this by hand is a lot of work, but fortunately several cookie scanning tools do 90% of it automatically. The decision showed that Cookiebot had shortcomings in this respect.
Solution: we use OneTrust's cookie encyclopedia, Cookiepedia (https://cookiepedia.co.uk/). New cookies appear on a site regularly (every new tag or plug-in can add some), and each one must be included in the cookie statement.
The Jubel decision shows that Belgium is among the strictest enforcers of the GDPR in Europe. Installing an existing plug-in without extra programming work is not enough. On top of that, almost all of our websites are multilingual, while most existing solutions are built for a single language.
We have looked at different solutions, and for the time being CookiePro from OneTrust is the best fit. Because this process requires both technical and legal knowledge, Grava and Sirius Legal have developed a product together to offer a complete solution with the client: the CookieScan.
Request your free CookieScan
Not sure whether your website is cookie compliant? Contact us for a free CookieScan, in which we examine the website and uncover a number of possible pain points.
Grava and Sirius Legal also offer guided workshops and full CookieScan trajectories in which we take care of the site from A to Z together.
Would you like to know more?