Europe's new privacy law causes influx of cookie notices, many of which likely fall short legally
Although it may be a U.S.-based company doing the asking, the increased disclosure is most likely the result of a new law in Europe: the General Data Protection Regulation.
Researchers from the University of Michigan School of Information and Ruhr-Universität Bochum who studied the impact of the European General Data Protection Regulation—in effect since May 25—have seen use of these cookie notices skyrocket in 28 European Union member states.
They say that many of these notices, however, likely don't meet legal requirements.
They also note that while some companies aren't discriminating with regard to location of customers who receive the notices, some global enterprises are targeting these privacy notices specifically at the EU states where the new law is in place.
"For instance, WashingtonPost.com created a special 'tracking-free' subscription to European readers that you don't see when visiting from the United States, and companies like Netflix let European users personalize their cookie preferences so they can disable targeted ads—an option not available in the U.S.," said Florian Schaub, U-M assistant professor of information and of electrical engineering and computer science. "But if you go to Forbes.com you'll be treated the same, regardless of where you are signing in from.
"The bottom line is that without regulation companies in the United States are not likely to give more privacy choice to customers, so many will find ways to adapt their sites to comply where they must but continue to operate business as usual elsewhere."
Schaub and a team from the Ruhr-Universität Bochum analyzed how the changes required by the GDPR have been implemented by various enterprises. They examined the privacy policies of the 500 most frequented websites in each of the 27 EU member countries—6,357 web pages in total—between January and June 2018. They also looked at 450 of the top 500 most visited websites in the United States.
The researchers collected the privacy policies and cookie notices of those websites and analyzed which changes were made over time.
In many EU states, the presence of privacy policies was low—between 60 and 70 percent—prior to the law. In some countries, that rose by as much as 15 percent under the new regulations. However, approximately 74 percent of the websites did not have their respective privacy policies amended until shortly before May 25.
After the GDPR came into force, about 62 percent of the websites provided cookie notices—16 percent more than in January 2018. Accordingly, cookie notices have been the crucial element that has been on an increase in connection with the implementation of the GDPR. But, the researchers say that many of the cookie notices they found likely do not meet the GDPR's legal requirements, because they do not offer users the option to deactivate cookies.
Other authors were Christine Utz, Christopher Lentzsch, Henry Hosseini and Thorsten Holz of Ruhr-Universität Bochum.