Cookies at the crossroads: the EU's findings on internet privacy


This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

This article was adapted from the original version as published in the March 2015 edition of E-Commerce Law and Policy and  is also available on the Guardian's Changing Business Partner Zone

Today's data-driven world requires businesses to win and maintain consumer trust online, especially with the increasing complexity of privacy regulations across the EU's 28 member states. Regulators have in recent years made a concerted effort to set common standards, including the introduction of the EU Cookie Directive and the proposed EU Data Protection Regulation.

To determine how member states are complying with policies regarding cookies - tracers placed on internet users' hard drives by the web hosts of a visited site - EU's Working Party 29 (WP29) conducted a 'Cookie Sweep Day' last year to see how cookies are being used by websites and signposted to viewers across various sectors.

WP29's recent report has served as a wake-up call for several EU states on compliance with policies on cookies. While they can be helpful in remembering users' preferences and recording shopping basket items, the report demonstrated that terms and conditions are often difficult to spot, if they exist at all. In fact, the main issues identified by the report was the 'user consent' is often not defined in EU member states' legislation and guidelines may be useful in order to help online businesses anticipate how to act with regard to cookies.

The report also found:
  • Only seven websites out of the 478 examined did not use cookies, and of those, they had an average 34.6 cookies per site - with 22 websites setting more than 100 cookies.
  • 26% of websites swept did not inform users at all that cookies were being used.
  • Of the websites that were considered not to provide sufficient information to the user, the report found that the notification was either (i) not suitably visible or (ii) that the visibility could be improved (39%) in order to allow the user to make a more informed choice about the adopted cookie policy.
  • Information provided in the cookie notice was also scrutinised to analyse informed user consent. 43% of the websites did not provide a satisfactory level of information concerning the types or purposes of cookies used. Where 50% of the websites asked users to give explicit consent, the rest displayed the simple notice 'we use cookies' or similar.
  • Just 16% of websites offered the user granular control over cookie usage, meaning that the user is offered the choice to agree on specific types of cookies, but can decline others. The 84% did not implement such a tool, forcing the user to tweak web browser settings to alter and control cookie usage.

The 'Cookie Sweep Day' report findings make clear that cookies stand at a crossroads between technological innovation and public policy.

While most cookies are inherently harmless to users and assist e-commerce efforts, the report shows that various interpretations of the local implementation of the cookie rules do not make compliance straightforward for companies or users. Furthermore, only a small percentage of websites swept offer the user a choice to customise their cookie settings, and therefore, provide control over what online activity is tracked.

In this rapidly evolving technological world, legal requirements must be clear in the development of next-generation tracking mechanisms if they are to be greater adopted by industry players and website users alike.