4 Years of EU Cookie Law: Results and Lessons Learned

Abstract: Personalized advertising has changed the web. It lets websites monetize the content they offer. The downside is the continuous collection of personal information, with significant threats to personal privacy. In 2002, the European Union (EU) introduced a first set of regulations on the use of online tracking technologies. It aimed, among other things, to make online tracking mechanisms explicit to increase privacy awareness among users. Amended in 2009, the EU Directive mandates websites to ask for informed consent before using any kind of profiling technology, e.g., cookies. Since 2013, the ePrivacy Directive has been mandatory, and each EU Member State has transposed it into national legislation. Since then, most European websites embed a “Cookie Bar”, the most visible effect of the regulation. In this paper, we run a large-scale measurement campaign to check the current implementation status of the EU cookie directive. For this, we use CookieCheck, a simple tool to automatically verify legislation violations. Results depict a shady picture: 49% of websites do not respect the Directive and install profiling cookies before any user consent is given. Besides presenting a detailed picture, this paper casts light on the difficulty of legislators' attempts to regulate the troubled marriage between ad-supported web services and their users. In this picture, online privacy seems to be continuously at stake, and it is hard to reach transparency.
