The Dutch privacy regulator, Autoriteit Persoonsgegevens (AP), recently imposed a fine of €40,000 on Coolblue for unlawfully processing personal data without obtaining explicit consent from users. The decision highlights the growing emphasis on companies adhering to the General Data Protection Regulation (GDPR), particularly when dealing with cookie data collection practices.
According to the AP, the investigation revealed the company had collected data from webshop visitors by assuming their consent simply through website usage. Visitors were not provided with the opportunity to opt-in actively, as the organization pre-ticked boxes for cookie permissions, which is strictly forbidden under GDPR guidelines.
The AP started examining cookie compliance at websites like Coolblue.nl back in late 2019, after receiving numerous complaints from the public about cookie usage without consent. Following this, the regulator sent Coolblue a warning letter pointing out deficiencies within its cookie policies. Compliance checks revealed the company had not made the necessary adjustments by early 2020, resulting in the formal investigation.
By June 2020, Coolblue had modified its cookie policies to align with legal standards, but the incident served as a reminder of the importance of transparent consent practices for users. The AP is ramping up its efforts to monitor compliance with cookie laws, especially since the establishment of more stringent guidelines and public frustration over misleading cookie banner messages.
The regulator's guidelines point out the need for cookie policies to provide users with straightforward options for refusing cookies without unnecessary hurdles. To aid organizations with compliance issues, the AP has been proactive, issuing recommendations and launching campaigns aimed at raising public awareness concerning cookie privacy.
Another significant incident involving data privacy occurred within law enforcement when the Sault Ste. Marie Police Service experienced a ransomware attack on August 26, 2021. The situation escalated when IT staff received urgent alerts indicating two of their computer servers had gone offline.
The attack exploited vulnerabilities within their email server's software, locking police staff out of their own administrative and records management systems. The police acknowledged the occurrence of the attack four days later, emphasizing, “At no time was our ability to respond to calls for service compromised.” This response, albeit reassuring, led to scrutiny from Ontario's Information and Privacy Commissioner.
The commissioner, John Gayle, found discrepancies between the police's account of the incident and his assessment, stating, “Respectfully, I disagree with the police’s position... I am not satisfied the police responded adequately to the breach because they have not reviewed their policies and practices.” Gayle's investigation revealed sensitive information had been affected, including human resources data, finance services, public complaints, and closed-circuit television footage, intensifying privacy concerns.
The police and the commissioner differed on whether the attack constituted a genuine privacy breach. The Sault Ste. Marie police argued there was no breach since the data was not stolen but only encrypted; Gayle refuted this, asserting that the encryption nonetheless amounted to handling of personal information, in violation of the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA).
Following the attack, the police department took steps to secure their IT infrastructure, migrate to cloud-based email servers, increase network segregation, and monitor server activities more rigorously. These changes, acknowledged within Gayle’s report, were deemed necessary yet insufficient, as concerns lingered over the adequacy of overall data protection measures.
Despite the police's reassurance, the report outlined a need for continuing scrutiny. Gayle emphasized the importance of monitoring how personal information was safeguarded and handled after the breach. Consequently, he mandated the police to review their practices and report back within three months.
These two incidents reinforce the pressing need for organizations, including law enforcement and commercial entities, to prioritize data privacy, comply with established regulations, and maintain transparent practices. The consequences of failing to do so, as illustrated by the penalties imposed on Coolblue and the scrutiny faced by Sault Ste. Marie Police, can lead to significant reputational damage and erosion of public trust.