New analysis reveals:
Netflix, Spotify and Amazon failings on GDPR
Brussels/Washington – Tracking by default and confusing privacy policies: A new report by the Transatlantic Consumer Dialogue (TACD) and Heinrich-Böll-Stiftung Brussels European Union highlights the need for GDPR enforcement.
The research used a mixture of anonymous testers, requests for access to personal data made by volunteers, and an analysis of existing EU and US legislation. It found the companies:
- Use default settings that allow third parties to track users. Amazon was found to be the platform with the most intrusive third-party tracking, and Netflix was the one with the least.
- Do not obtain valid opt-in consent for cookies, which record the user’s browsing activity, and instead rely on implied consent, which contradicts the requirements of the ePrivacy Directive. Spotify, for example, installed an automatic advertisement cookie on the website app without obtaining consent.
- Apply privacy policies that are ambiguous about what data the companies collect and why, meaning key transparency obligations under GDPR are not met. For example, the Netflix privacy notice advises that personal information may be processed for ‘other purposes described in the Use of Information section of this Privacy Statement’, but such purposes are not expressly defined in the statement.
- Use design features and wording which support privacy-intrusive defaults. For example, Spotify advises those who seek to disable cookie tracking that doing so may negatively impact their experience, but does not explain why.
- Have increased privacy settings and choices in the EU when compared with the US, especially in relation to data access requests through Amazon US.
The GDPR entered into force in May 2018, granting strong privacy protections on collecting, storing, sharing and using personal data to everyone who resides in the EU.
None of the companies complied fully with GDPR when personal data access requests were made by the study volunteers. The personal data supplied by Spotify EU does not appear to contain all the categories of personal data variously set out by Spotify in its privacy-related notices, and to which people are entitled under the GDPR. For example, no profiling data was supplied to any of the volunteers making requests, nor was data obtained by the companies from third parties.
The research also compared the extent to which US-based customers benefited from similar rights to EU-based customers of the three companies. It found that American consumers were subjected to even more intrusive tracking, had less transparency and did not have the same right of access to their data as EU citizens.
Finn Myrstad, TACD’s EU Digital Policy Committee chair, said: ‘Privacy rights and safeguards have never been more important, but the findings show that companies in the EU are not moving fast enough to fulfil their requirements under the GDPR. It is important that regulators take bold steps in enforcing the rules that safeguard consumer privacy and security.’
Zora Siebert, Head of EU Policy Programme at Heinrich-Böll-Stiftung Brussels European Union, said: ‘Privacy policies should not require 20 minutes to read and should not be difficult to comprehend. Pre-ticked boxes do not help to inform users about data tracking and do not allow active consent to being tracked by advertisers. Robust enforcement mechanisms must be in place to ensure that people’s privacy rights are protected in the same way as fundamental human rights.’
TACD and Heinrich-Böll-Stiftung Brussels European Union recommend that in the EU, regulators step up enforcement of existing privacy legislation, whilst consumer and privacy organisations continue to pressure and litigate against non-compliant company practices. Meanwhile in the US, there is a need to establish a baseline federal data protection and privacy law that does not pre-empt stronger state privacy protections and that creates an independent data protection agency.
Notes to editors
The report can be found here.
For press comments please contact Alexandra Graziano
The Transatlantic Consumer Dialogue is a forum of US and EU consumer organisations which develops and agrees on joint consumer policy recommendations to the US government and European Union to promote the consumer interest in EU and US policy making.
TACD champions the consumer perspective in transatlantic decision making. It is our mission to ensure that EU/US policy dialogue promotes consumer welfare on both sides of the Atlantic and is well informed about the implications of policy decisions on consumers.
Fostering democracy and upholding human rights, taking action to prevent the destruction of the global ecosystem, advancing equality between women and men, securing peace through conflict prevention in crisis zones, and defending the freedom of individuals against excessive state and economic power – these are the objectives that drive the ideas and actions of the Heinrich Böll Foundation.
While the foundation maintains close ties to the German Green Party, it works independently and nurtures a spirit of intellectual openness. The foundation maintains a worldwide network with 32 international offices at present.