Two-thirds of Belgian websites do not comply with GDPR legislation
Universem and Lexing have audited 100 of the largest Belgian websites
Exactly four years ago, the General Data Protection Regulation (GDPR) came into force. As a result, all companies had to implement a stricter data and privacy policy, including on their website. But two thirds of Belgian companies still do not seem to comply with the GDPR rules for websites. This is according to a survey conducted by online marketing agency Universem and Lexing.
The GDPR rules have fundamentally changed data processing. Companies are required to apply a series of safeguards for the use, processing and storage of personal data collected online. These concerns, among other things, cookies. Through a combination of tracking and profiling, cookies have become the most common way to track the behavior of web users in order to send them targeted messages. The processing of personal data collected by cookies must comply with the rules of the GDPR. In addition, their installation and use is also subject to the online privacy law, which is stricter in Belgium as the user must give explicit permission before cookies are installed.
Only 6 out of 100 sites are fully compliant
Universem, in collaboration with Lexing, conducted a study on the application of the GDPR legislation on Belgian websites. The study was carried out on 100 websites of large companies, based on the “Top 5000” of the magazine Trends-Tendances. The selection was made on the basis of turnover and the presence of a .be site.
All sites were studied and analyzed according to different criteria and scored on 18 points. This made it possible to classify them into four categories, ranging from « not at all compliant with the GDPR » to « fully compliant with the GDPR ».
Only 6% of the analyzed sites are fully compliant and score above 15.5 out of 18. Twenty-eight percent score between 11.5 and 15.5 out of 18. This means that 34% of companies are compliant with the majority of the rules and strive to put the protection of their users’ data at the top of their priorities.
28% scored between 6.5 and 11.5 out of 18 and are considered « low compliance ». And the largest group scored less than 6.5 out of 18 and are considered, « not at all compliant with the GDPR ». This study thus shows that 66% or two-thirds of the companies analyzed have not installed sufficient controls and safeguards.
Cookie banners: well established, but that does not tell the whole story!
After the entry into force of the ePrivacy Directive and the GDPR, the number of banners and pop-ups informing Internet users about cookies has increased considerably. The Universem and Lexing study shows that 86% of the sites analyzed have a cookie banner.
Twenty percent of these banners only warn the user that cookies will be installed if he continues his visit (informative banner). Eight percent offer the possibility to refuse or accept all cookies with a single click (single level consent). The majority, 58%, use a more advanced application and offer a selection, sometimes very advanced, of the types of cookies allowed (multi-level consent).
Nevertheless, the researchers conclude that there are still things wrong with the banner allowing visitors to give their permission for cookies. In almost half of the cases, a cookie is already set, before the user has expressed his or her opinion. This also goes against the spirit of the GDPR regulation.
Finally, having a banner is a start, but is not enough to comply with the entire ePrivacy Directive and the GDPR. Sites must also contain more general information about the data processing being done.
On this point, the results of the study are rather optimistic. Most of the companies surveyed are aware of the rules on user data protection and explicitly state this on their sites. Seventy-nine percent of the companies have a privacy policy on their site and 63% have a cookie policy.
Financial penalties and image damage
The Data Protection Authority (DPA) monitors the compliance of digital marketing, analytics and cookies. The risks of investigation and financial penalties are real. They can amount to 4% of the global turnover of the group to which the penalized company belongs.
In addition to the risks of sanctions in case of non-compliance, companies must not lose sight of the fact that Internet users are increasingly aware of their rights and are sensitive to the respect of their privacy. The number of questions, complaints and court rulings regarding data protection and privacy has increased significantly in recent years. Transparency at this level is an important value for the brand image of companies.
Hubert de Cartier, Universem: « Over the last 4 years, we have seen a considerable increase in consumer interest in privacy. They want to know how their data is being used by companies. Organizations can’t ignore this legitimate demand, as it can be detrimental to them, notably through fines, but also through diminishing trust, or even disappearing altogether. We therefore advise our clients to think about a long-term strategy with regard to data collection, marketing strategies and communication. A useful rule of thumb already applies to almost everyone: don’t collect data you don’t need. »
Alexandre Cassart, Lexing: « Beyond the vaguely annoying anecdotal character of cookie banners, all stakeholders must understand the importance of data processing carried out by websites and their necessary transparency. If not, the Data Protection Authority will take care of reminding them by hitting the companies in the wallet. »
The press is talking about it!
In French:
- La Libre : Seulement 6 % des sites protègent vos données privées
- La Première : Le marché matinal : Quid du RGPD, 4 ans plus tard ?
- Solutions magazine : GDPR : 66 % des sites web belges pas conformes
- pub.be : Universem et Lexing ont audité 100 des plus grands sites web belges
- CCI mag’ : 2/3 des sites internet belges ne sont pas conformes à la législation RGPD
- Régional-IT : Beaucoup de sites Internet de grandes entreprises toujours pas conformes au RGPD
In Dutch: