ETSI global standard for IoT cybersecurity and Bavarian DPA cookie raid

LawBytes #34 deals this week with the new ETSI standard for cybersecurity in the Internet of Things and Bavarian DPA cookie raid.

IoT – ETSI standard for consumer IoT cybersecurity

The ETSI (the official EU body supporting European regulations and legislation through the creation of harmonised standards) Committee on Cybersecurity just released a standard for cybersecurity in the Internet of Things, to establish a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes.

The new standard addresses the privacy related issues that should be considered in the product design phase and brings together widely considered good practices in cybersecurity for internet-connected consumer devices in a set of high-level outcome-focused provisions to support all parties involved in the development and manufacturing of consumer IoT with guidance on securing their products.

As more devices in homes connect to the Internet, cybersecurity of the Internet of Things (IoT) is becoming a growing concern. Products and appliances that have traditionally been offline are now becoming connected and need to be designed to withstand cyber threats. People entrust their personal data to an increasing number of online devices and services and this standard can help ensure that these are compliant with the GDPR.

If you are interested in this topic don’t miss our previous posts: “ENISA IoT security guidelines” and ““NIS Directive applicable, is your cybersecurity plan compliant?“.

Privacy – Bavarian DPA Website Cookie Practices inspection

Following the Safer Internet Day of last February 5th 2019, the Data Protection Authority of the German state of Bavaria announced a special inspection campaign to examine prominent Internet services and to determine whether the websites which are accessed daily by millions of German citizens handle cookies appropriately.

The results of the Cookie Sweep show that none of the 40 large companies’ website cookie and user tracking practices assessed by the Authority have proven to be GDPR compliant.

The audited companies belong to different industries such as online retail, automotive & electronics, media and banking & insurance.

With particular regard to the websites’ cookie practices, the inspection highlighted the following main issues:

• Lack of transparency regarding the website’s use of tracking technology (consent was not sufficiently “informed”);
• Automatic tracking (no “prior” consent was collected from users);
• Cookie banners could not provide an effective user’s consent collection (the consent obtained was not sufficiently “active”).

The Bavarian DPA has announced it is considering to issue GDPR fines. Following the massive CNIL fine issued against Google (Read the article “What does Google € 50 million GDPR fine mean for privacy compliance?“), the DPA’s action potentially signals that cookies, user tracking, and online advertising are becoming a hot topic for EU privacy authorities. Furthermore, considering that cookie compliance can be audited at any time in less than 10 minutes, companies should prioritize getting their cookie practices straight since it is clearly an issue that can that can carry GDPR fine risk.

If you are interested about this topic be sure not to miss our previous post: “Canadian guidelines on privacy consent” and “ePrivacy regulation latest version gets harder“.