July 14, 2020

Volume X, Number 196

July 13, 2020

Subscribe to Latest Legal News and Analysis

European Union Cookie Sweep Highlights Need for Improved Compliance

On February 3, 2015, European data protection regulators released the Cookie Sweep Combined Analysis Report analyzing how websites use cookies to collect data from European citizens and highlighting noncompliance with Article 5(3) of the EU’s ePrivacy Directive. Among other requirements, this directive mandates that website operators obtain users’ consent for the use of cookies or similar tracking technologies. Notably, the directive purports to reach beyond the borders of European Union to apply to any website directed to or collecting data from European citizens.

To compile data for the report, the EU’s Article 29 Data Protection Working Party conducted a sweep of 478 of the most frequently visited websites in the e-commerce, media, and public sectors in eight EU Member States. The sweep targeted websites in these sectors because they likely pose the greatest risk to data protection and privacy for European citizens. The cookie sweep consisted of two stages: (1) a statistical review of cookies used by the websites and their technical properties; and (2) an in-depth manual review of cookie information and consent mechanisms. The study recorded each website’s cookie notification method, the visibility and quality of cookie information provided, and the mechanism offered for users to express consent.

The report identified several areas for improved compliance with cookie requirements. In particular, covered website operators should, according to the Article 29 Data Protection Working Party, take the following steps to ensure compliance:

  • Obtain consent from the user before using cookies (50% of sites analyzed failed to request consent and merely informed users that cookies were in use);

  • Give adequate notice to users that the website employs cookies as a tracking tool (26% of sites analyzed did not provide any cookie notification on the first page visited);

  • Provide sufficiently detailed information regarding the types and purposes of cookies used (43% of sites analyzed provided inadequate information to users); and

  • Set a reasonable duration period, taking the cookie’s purpose into account (some of the cookies analyzed had duration periods ranging from 68 to nearly 8,000 years, far beyond the average one to two year duration).

The cookie sweep and report highlight the EU’s continued focus on cookie requirements as an enforcement target going forward. The Article 29 Data Protection Working Party plans to leverage the report’s findings to refine policy positions and provide a basis for any coordinated enforcement activity that may be required. As a result, website operators who target or collect data from European citizens should review their cookie notice and choice practices, taking into consideration the ePrivacy Directive’s requirements as implemented in the EU Member States.

 

© 2020 Proskauer Rose LLP. National Law Review, Volume V, Number 58

TRENDING LEGAL ANALYSIS


About this Author

Laura Goldsmith, Corporate Litigation Attorney, Proskauer Law Firm
Associate

Laura Goldsmith is a corporate associate in the Technology, Media and Telecommunications Group. Her practice focuses on matters in technology, intellectual property, privacy and data security across a range of industries that include life sciences, retail, professional and financial services, communications, media, Internet, software, fashion, entertainment and sports.

Laura represents life science companies in various transactions, including licensing deals, research collaborations and strategic acquisitions. She also advises clients regarding...

212.969.3153