European Union Cookie Sweep Highlights Need for Improved Compliance

Laura Goldsmith
Proskauer on Privacy
Contact
LinkedIn
Facebook
X
Send
Embed

On February 3, 2015, European data protection regulators released the Cookie Sweep Combined Analysis Report analyzing how websites use cookies to collect data from European citizens and highlighting noncompliance with Article 5(3) of the EU’s ePrivacy Directive. Among other requirements, this directive mandates that website operators obtain users’ consent for the use of cookies or similar tracking technologies. Notably, the directive purports to reach beyond the borders of European Union to apply to any website directed to or collecting data from European citizens.

To compile data for the report, the EU’s Article 29 Data Protection Working Party conducted a sweep of 478 of the most frequently visited websites in the e-commerce, media, and public sectors in eight EU Member States. The sweep targeted websites in these sectors because they likely pose the greatest risk to data protection and privacy for European citizens. The cookie sweep consisted of two stages: (1) a statistical review of cookies used by the websites and their technical properties; and (2) an in-depth manual review of cookie information and consent mechanisms. The study recorded each website’s cookie notification method, the visibility and quality of cookie information provided, and the mechanism offered for users to express consent.

The report identified several areas for improved compliance with cookie requirements. In particular, covered website operators should, according to the Article 29 Data Protection Working Party, take the following steps to ensure compliance:

  • Obtain consent from the user before using cookies (50% of sites analyzed failed to request consent and merely informed users that cookies were in use);
  • Give adequate notice to users that the website employs cookies as a tracking tool (26% of sites analyzed did not provide any cookie notification on the first page visited);
  • Provide sufficiently detailed information regarding the types and purposes of cookies used (43% of sites analyzed provided inadequate information to users); and
  • Set a reasonable duration period, taking the cookie’s purpose into account (some of the cookies analyzed had duration periods ranging from 68 to nearly 8,000 years, far beyond the average one to two year duration).

The cookie sweep and report highlight the EU’s continued focus on cookie requirements as an enforcement target going forward. The Article 29 Data Protection Working Party plans to leverage the report’s findings to refine policy positions and provide a basis for any coordinated enforcement activity that may be required. As a result, website operators who target or collect data from European citizens should review their cookie notice and choice practices, taking into consideration the ePrivacy Directive’s requirements as implemented in the EU Member States.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer on Privacy | Attorney Advertising

Written by:

Proskauer on Privacy
Proskauer on Privacy
Contact
more
less

Proskauer on Privacy on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide