EU Cookie Law Is A Flop
Written by Mike James   
Tuesday, 30 May 2017

If you are fed up with repeated requests to store a cookie, or if you feel that all sites should show the request, you might be interested to know that the whole EU Cookie Law is pretty much a flop.



The EU Cookie law is interesting because it is an example of trying to control the World Wide Web, and the emphasis here is on "worldwide". In 2002, the European Union (EU) introduced the ePrivacy Directive to regulate the usage of online tracking technologies. Since 2013 the Directive has been mandatory, and most European websites now embed a “Cookie Bar” to explicitly ask for users' consent. It is one of the strictest regulations on the usage of online tracking mechanisms. Article 5 requires websites to ask for:

“prior informed consent for storage or for access to information stored on a user’s terminal equipment”. 

Now a team of appropriately European researchers, Martino Trevisan, Stefano Traverso, Hassan Metwalley and Marco Mellia of the Politecnico di Torino and Ermes Cyber Security SRL, has conducted an online survey to find out how much impact the law has had.

"The Directive has been criticized as a case of regulatory failure: it impairs user browsing experience, and it is ineffective in increasing the awareness about online tracking. Here, we show that the Directive is a failure from the enforcement perspective too."

It is also interesting to note that the directive doesn't just ban cookies:

The Directive has been amended in 2002 and 2009. In the last version, it explicitly disciplines the use of any tracking “devices” (e.g., cookies, supercookies, fingerprinting, etc.), and it is based on the “explicit consent” principle. It states that the website must i) provide a clear description of the entities wishing to install tracking devices, ii) install them only after explicit consent is provided by the user, and iii) describe how the gathered information will be used.

However, non-tracking cookies aren't banned. Session cookies, for example, are perfectly OK.




To find out how cookies were being used in practice, the team built a tool - CookieCheck. They then picked websites that were popular in EU countries and four countries not in the EU. A country-by-category table was constructed showing the percentage of sites that serve tracking cookies without asking. The details are interesting but the overall conclusion is:

First, we notice that there exists no category whose fraction is close to 0. On average 66% of websites violates the ePrivacy Directive.

The category that was best isn't a surprise - Law and Government at 31%. The big surprise is that "Adult" web sites came in second. The only win for the directive is that, when compared to countries outside of the EU, the tracking cookie percentage was lower. The US and Russia, for example, scored 75% and 86%. So a small, but not very significant, reduction is due to the directive. 

Looking more closely at the behaviour of web sites makes the position worse. For example, in France and Italy, 69 and 53 out of 100 web sites respectively provided a Cookie bar. Of the sites that did provide a Cookie bar, most (80.5%) installed tracking cookies before consent had been given and installed more if consent was given.

Yes, you were correct all along: your answer to the cookie question is mostly irrelevant. The conclusion is:

"Despite being conservative, our results clearly uncover that the majority of websites ignores the ePrivacy Directive, testifying its flop."

The researchers offer five reasons why the directive was a flop, but they mostly boil down to politicians and law makers not understanding the technology that they are aiming to control. They provided no guidelines or tools for auditing web sites to see if they are breaking the directive. In particular no help was given with the difficult task of working out if the Cookie bar is just a decoration or a real way to block tracking cookies. There was also no consideration of how easy it is for small web sites to control tracking cookies and still accept advertising and analytics services. 
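The audit question raised above, whether tracking cookies arrive before the Cookie bar is answered, can be checked mechanically. The following Python sketch is an added example, not CookieCheck and not code from the paper; the host names, the tracker list and the "last two labels" site rule are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: hand-made tracker list; a real audit would load a maintained one.
TRACKER_SITES = {"tracker.example", "ads.example"}

def parse_set_cookie(header):
    """Return (cookie name, attributes with lower-cased keys) for one header."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def is_persistent(attrs, now):
    """Session cookies carry neither Max-Age nor Expires; Max-Age takes precedence."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) > 0
        if "expires" in attrs:
            return parsedate_to_datetime(attrs["expires"]) > now
    except (TypeError, ValueError):
        pass  # unparsable lifetime: treated as a session cookie
    return False

def site_of(host):
    # Simplification: last two labels; a real audit needs the Public Suffix List.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def audit(visited_host, observations, now):
    """Persistent third-party tracker cookies among (host, Set-Cookie) pairs."""
    findings = []
    for host, header in observations:
        name, attrs = parse_set_cookie(header)
        site = site_of(attrs.get("domain") or host)
        if (site != site_of(visited_host) and site in TRACKER_SITES
                and is_persistent(attrs, now)):
            findings.append((site, name))
    return findings

NOW = datetime(2017, 5, 30, tzinfo=timezone.utc)
# Constructed captures: fresh profile, before and after clicking "accept".
BEFORE_CONSENT = [
    ("www.news.example", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("www.news.example", "lang=it; Max-Age=31536000; Path=/"),
    ("px.tracker.example", "uid=7f3a; Domain=.tracker.example; Expires=Wed, 30 May 2018 10:00:00 GMT"),
]
AFTER_CONSENT = BEFORE_CONSENT + [("sync.ads.example", "aid=99; Max-Age=63072000")]
```

A non-empty result from `audit("www.news.example", BEFORE_CONSENT, NOW)` means the Cookie bar did not gate tracking; comparing it with the `AFTER_CONSENT` result shows what consent actually added.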

Even the EU agency in charge of verifying the effectiveness of the directive concludes:

“the constant stream of cookie pop-up boxes that users are faced with completely eclipses the general goal of privacy protection as the result is that users blindly accept cookies”

Currently the EU is drafting a replacement law, but it seems to be even more flawed and ambiguous than the original. 


More Information

Uncovering the Flop of the EU Cookie Law

Related Articles

When cookies leak data

Evercookie - the cookie you can't kill

High-Tech, Cross-Browser Fingerprinting

SilentKeys A Privacy Aware Keyboard

The Canvas Fingerprint - How?

Cat Photos - A Potential Security Risk?



Last Updated ( Tuesday, 30 May 2017 )