On February 3, 2015, European data protection regulators released the Cookie Sweep Combined Analysis Report analyzing how websites use cookies to collect data from European citizens and highlighting noncompliance with Article 5(3) of the EU’s ePrivacy Directive. Among other requirements, this directive mandates that website operators obtain users’ consent for the use of cookies or similar tracking technologies. Notably, the directive purports to reach beyond the borders of the European Union to apply to any website directed to or collecting data from European citizens.

To compile data for the report, the EU’s Article 29 Data Protection Working Party conducted a sweep of 478 of the most frequently visited websites in the e-commerce, media, and public sectors in eight EU Member States. The sweep targeted websites in these sectors because they likely pose the greatest risk to data protection and privacy for European citizens. The cookie sweep consisted of two stages: (1) a statistical review of cookies used by the websites and their technical properties; and (2) an in-depth manual review of cookie information and consent mechanisms. The study recorded each website’s cookie notification method, the visibility and quality of cookie information provided, and the mechanism offered for users to express consent.

The report identified several areas for improved compliance with cookie requirements. In particular, covered website operators should, according to the Article 29 Data Protection Working Party, take the following steps to ensure compliance:

  • Obtain consent from the user before using cookies (50% of sites analyzed failed to request consent and merely informed users that cookies were in use);
  • Give adequate notice to users that the website employs cookies as a tracking tool (26% of sites analyzed did not provide any cookie notification on the first page visited);
  • Provide sufficiently detailed information regarding the types and purposes of cookies used (43% of sites analyzed provided inadequate information to users); and
  • Set a reasonable duration period, taking the cookie’s purpose into account (some of the cookies analyzed had duration periods ranging from 68 to nearly 8,000 years, far beyond the average one- to two-year duration).

The cookie sweep and report highlight the EU’s continued focus on cookie requirements as an enforcement target going forward. The Article 29 Data Protection Working Party plans to leverage the report’s findings to refine policy positions and provide a basis for any coordinated enforcement activity that may be required. As a result, website operators who target or collect data from European citizens should review their cookie notice and choice practices, taking into consideration the ePrivacy Directive’s requirements as implemented in the EU Member States.

Laura E. Goldsmith

Laura Goldsmith is a partner in the Technology, Media and Telecommunications Group and member of the Privacy & Cybersecurity Group and Life Sciences Group. Her practice focuses on matters in technology, intellectual property, privacy and data protection across a range of industries including life sciences, media, entertainment, sports, sports betting, software, professional and financial services, healthcare, retail, fashion and communications.

Laura structures and negotiates complex technology transactions, such as license agreements, joint development agreements, supply, manufacturing or other services agreements, and software-as-a-service agreements.  In particular, she regularly represents life science companies in licensing deals, co-commercialization arrangements, research collaborations, strategic acquisitions, and other transactions.

Laura also counsels clients in navigating compliance with international, federal and state laws related to privacy and data protection in the context of transactions, vendor relationships, internal compliance and external-facing policies.  She is an editor of and contributor to Proskauer’s Privacy Law Blog and contributor to the State Privacy Laws and Financial Privacy chapters of the Proskauer on Privacy treatise published by PLI.

Laura is a member of the Proskauer Women’s Alliance Steering Committee and previously served as its co-chair.

Prior to her legal career, Laura worked as a consultant to global pharmaceutical companies formulating drug development strategy and clinical trial design. She also conducted scientific research in pharmacology and biology at Duke University Medical Center and her research has been published in peer-reviewed journals.

While at Boston University School of Law, Laura served as the Editor-in-Chief for the Review of Banking & Financial Law and interned for Judge Kiyo A. Matsumoto of the U.S. District Court for the Eastern District of New York.