1. The website collects data without the visitor being aware of it
The developer has installed Facebook (Meta) Pixel, Google Analytics, or cookies from Youtube, Tiktok Ads, Google Adwords on our website with the excuse "this will be good for something else". All of these applications collect a lot of data about our website visitors so that we (or others) can serve them personalised, targeted ads or analyse website traffic.
In its fine against TV2, the DPA said that these data collections must be disclosed to website visitors in a concise, understandable and clear way. Otherwise, as with TV2, a fine of up to HUF 10 million could be imposed.
2. The cookie banner design is flawed
Our developer will have told you that there should be a cookie banner on the website. However, the point of a cookie banner is not just that there is one, but that the website visitor can use it to control what data the website collects about them. The cookie banner must therefore be capable of actually allowing the visitor to disable, for example, the aforementioned data collection and analysis.
If the cookie banner contains an "I accept all" button, it should also contain an "I reject all" button. The "I accept all" button should not be larger, more challenging in colour or better positioned than the "I reject all" button, as the visitor should be in a real, actual position of choice when deciding whether to allow data collection through the website.
It is also a common mistake and unlawful practice (typically in the case of cookie banners at the bottom of websites) for a website to start collecting data through cookies before the visitor actually clicks on the "I accept" button. Anyone can check the cookies that are running on websites by clicking on the three dots in the top right corner of their Chrome browser and then clicking on "More Tools", "Developer Tools", "Application", "Cookies". In this way, anyone (including the authorities) can see if, due to inappropriate website settings, analytical or marketing cookies are already collecting data before clicking on the "Accept" button.
3. Mandatory company information is not included on the website
Pursuant to Article 63 (2) of the Companies Act (Act V of 2006), companies operating as limited liability companies and companies in the form of joint stock companies are obliged to include on the website, among other things, the name of the court registering the company, the name and registered office of the company and the company registration number. This information is regularly missing from websites, although it is a legal obligation.
4. The name of the privacy notice is incorrect
Many people are unaware that the correct name for the privacy notice text on a website is not "privacy policy" or "privacy statement", but "privacy notice". A privacy policy is a type of document as defined in Article 17 of the Labour Code, and privacy policies are typically adopted by groups of companies, so the correct name for the privacy "text" posted on a website is a privacy notice.
If we do not take this into account before opening and reading the document, our company could lose its reputation in a possible investigation by the authorities.
5. Other typical errors
It is also common that the text of the privacy notice is not only inadequate in name but also in content. For example, in the case of web shops, there is no mention of the fact that the website "shares data" with the payment service provider (Barion, Stripe, Otp, etc.) or, in addition to the tick box accepting the GTC, there is no reference to the fact that payment is required for the order.
It is also a common mistake to have a cookie banner on the website even if the website does not run cookies at all. In such cases, it is unnecessary to create a cookie banner. So please ask our developer to only place a cookie banner if the website is actually running cookies.
We also ask our lawyer, who is experienced in the legal design of websites, to review our website and advise on how to improve it.