Uncovering the Flop of the EU Cookie Law


In 2002, the European Union (EU) introduced the ePrivacy Directive to regulate the usage of online tracking technologies. Its aim is to make tracking mechanisms explicit while increasing privacy awareness in users. It mandates websites to ask for explicit consent before using any kind of profiling methodology, e.g., cookies. Starting from 2013 the Directive is mandatory, and now most of European websites embed a "Cookie Bar" to explicitly ask user's consent. To the best of our knowledge, no study focused in checking whether a website respects the Directive. For this, we engineer CookieCheck, a simple tool that makes this check automatic. We use it to run a measure- ment campaign on more than 35,000 websites. Results depict a dramatic picture: 65% of websites do not respect the Directive and install tracking cookies before the user is even offered the accept button. In few words, we testify the failure of the ePrivacy Directive. Among motivations, we identify the absence of rules enabling systematic auditing procedures, the lack of tools to verify its implementation by the deputed agencies, and the technical difficulties of webmasters in implementing it.
Submitted 24 May 2017 to Computers and Society [cs.CY]
Published 25 May 2017