4 Years of EU Cookie Law: Results and Lessons Learned

Open access

Abstract

Personalized advertisement has changed the web. It lets websites monetize the content they offer. The downside is the continuous collection of personal information with significant threats to personal privacy. In 2002, the European Union (EU) introduced a first set of regulations on the use of online tracking technologies. It aimed, among other things, to make online tracking mechanisms explicit to increase privacy awareness among users.

Amended in 2009, the EU Directive requires websites to ask for informed consent before using any kind of profiling technology, e.g., cookies. Since 2013, the ePrivacy Directive has been mandatory, and each EU Member State has transposed it into national legislation. Since then, most European websites embed a “Cookie Bar”, the most visible effect of the regulation.

In this paper, we run a large-scale measurement campaign to check the current implementation status of the EU cookie directive. For this, we use CookieCheck, a simple tool that automatically verifies violations of the legislation. Results depict a shady picture: 49 % of websites do not respect the Directive and install profiling cookies before any user consent is given.

Besides presenting a detailed picture, this paper casts light on the difficulty of legislators' attempts to regulate the troubled marriage between ad-supported web services and their users. In this picture, online privacy seems to be continuously at stake, and transparency is hard to reach.
