German DPA says Google must fix consent banners

Julie Rubash, Chief Privacy Counsel
April 11, 2022

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


CNIL Issues AI Guidance

The French Data Protection Authority (the CNIL) posted guidance titled Artificial Intelligence, what are we talking about?

The guidance defines artificial intelligence and provides examples of areas where it commonly used, pointing out potential harms of AI, and reminding that, under the GDPR, data subjects have a right not to be the subject of decisions made exclusively on automated processing which produces legal effects or significantly affects him. 


 Of particular note, the guidance includes a section on online profiling algorithms, titled Tell Me What You’re Looking For: I’ll Tell You Who You Are, including steps companies using AI for online profiling should take to reduce harms.

The CNIL’s recommendations include

  1. minimizing the data collected for profiling purposes,
  2. favoring transparency and informing users of the profile that corresponds to him,
  3. analyzing the categories of data collected to identify if they could lead to discrimination,
  4. promoting the explainability of the algorithm as a whole and on each of the decisions made,
  5. allowing the data subject to take control of the profile that characterizes them. 

EDPB Outlines Requirements for EU/US Data Transfer Agreement

The European Data Protection Board (EDPB) issued a statement welcoming the agreement in principle between the European Union and the United States for transatlantic data flows, but cautioning that the agreement will need to overcome a number of hurdles before the announcement can become a legal framework that can be relied upon for data transfers to the United States.

In particular, the European Commission will be required, under GDPR, to seek the opinion of the EDPB before adopting a possible new adequacy decision.

The EDPB says that it will examine whether the proposal addresses the concerns raised by the Court of Justice of the European Union in the 2020 Schrems II decision, including whether the proposed reforms ensure that the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate and whether they respect EEA individuals’ rights to an effective remedy and fair trial. 


Details of the proposed agreement have not yet been made publicly available, but based on a White House fact sheet, the agreement would involve implementation of new safeguards to ensure that U.S. intelligence activities are necessary and proportionate in the pursuit of defined national security objectives and would create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by intelligence activities, which appears on its face to be consistent with the EDPB’s requirements. 

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) notified Google that its search engine and YouTube consent banners do not comply with data protection requirements, specifically citing that consent and reject options are not equally quickly and easily accessible, which it says is noncompliant with both the GDPR and Germany’s TTDSG.

Thomas Fuchs, the Hamburg Commissioner for Data Protection and Freedom of Information, said “a reject all button must now become the standard for cookie banners” and noted that the request was also sent to other media houses, in addition to Google. 


The Hamburg Commissioner’s position is consistent with previous sentiments from other EU DPAs, including the CNIL in France, which issued sanctions against Google and Facebook early this year based on a finding that the companies’ respective cookie banners did not allow for rejection as easily as acceptance.   

Germany DPA Issues Annual Report

Germany’s Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, presented an annual activity report to the German federal parliament (Bundestag) president, outlining the focal points of the commission and upcoming important issues of data protection and freedom of information.

As “main topics” the Commissioner outlined issues related to Covid-19, artificial intelligence, and employee data protection.


Although digital advertising was not listed as a “main topic” in the report, it does include the Commissioner’s opinion, when commenting on the Digital Services Act in its current form, that “I would have wished for a bolder approach, particularly with regard to personalized advertising, and I am committed to a ban on certain tracking and profiling practices.” 

CNIL Sends Notices re Non-compliant Commercial Prospecting Transfers

The French Data Protection Authority (CNIL) announced that it sent formal notice to three organizations for transmitting personal data without a valid legal basis to third-party partners for commercial prospecting purposes via telephone, email or SMS. The organizations will have three months to bring themselves into compliance to avoid fines.


The CNIL published guidance and FAQs earlier this year regarding data processing in the context of commercial activities, including a section specifically addressing commercial prospecting.

The guidance outlines detailed requirements for transferring data to third parties for commercial prospecting via telephone, email and SMS, including that consent must be obtained on the medium of data collection, making specific disclosures to ensure the data subject understands the extent of the consequences of their choice.

Of particular note, the FAQs clarify that these standards for commercial activities specifically exclude profiling carried out from data collected from third-party sources, as well as activities carried out from data collected through cookies and other tracers, standards for which are addressed in separate guidance. 

Latvia’s data protection authority (DSI) published guidance for citizens (users) about cookies used by merchants when providing goods and services, including information on types of cookies, how cookies process personal data, and what user rights are available with respect to cookies.


Although the publication is directed at consumers, it also includes insight into what the DSI expects from merchants with respect to cookies and user rights.

For example, the guide includes information on user choice and provides an example of what a recommended cookie statement might look like. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Vermont Data Privacy Bill Is Vetoed

June 17, 2024

Vermont Governor announced his veto of a bill that...

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]