There has been a lot of discussion about the results of the latest Cookie Sweep carried out in 8 EU member states (for more information see also the latest post by our Patrick van Eecke and Julie De Bruyn, and the Cookie Sweep Combined Analysis Report from the Article 29 Working Party, also “WP29”).
The Italian Data Protection Authority (Garante per la protezione dei dati personali, “Italian DPA”) did not take part in the Cookie Sweep (which involved the Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the UK). This was probably due to the fact that the latest Italian DPA regulation on cookies allowed operators some time to implement the new rules (deadline 3 June 2015, see here for more information), and most operators are still in the process of adapting to the new guidelines.
The Cookie Sweep Combined Analysis Report nevertheless provides some interesting food for thought, also for those in jurisdictions that were not directly involved.
Besides the (very interesting) statistical results that you can find in the complete Cookie Sweep Combined Analysis Report, it is worth noting the uniform “two stage” methodology used for this WP29 Cookie Sweep initiative, combining an automated crawl with an in-depth manual review.
The first stage was an automated sweep which gathered information on the cookies used by websites and their technical properties. The crawl made use of a Python script using the Selenium Python bindings, which was written by the UK’s ICO. As indicated in the Report, the script was run from a new installation of Ubuntu 12.04 LTS, using a new user profile with the default settings of the Firefox web browser for each URL visit. A curated list of URLs for the home pages of the target sites was passed to the automated sweep script; the cookies set on the first page visited (or redirected to) were extracted and saved to a log file for analysis.
The second stage was a manual visit to the URL of the target site, reviewing the steps taken to inform users that cookies may be placed on their terminals and to obtain the relevant consent, recording among other things (i) the notification mechanism, (ii) the visibility and quality of any further cookie information provided, and (iii) the type of tool used to allow a user to express consent.
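The automated first stage described above, as an added illustration (this is not the ICO's script, whose code the Report does not reproduce): one function visits a URL in a fresh Firefox profile and returns the cookies set on the first page, and the rest reduces Selenium-style cookie records to the technical properties a sweep log would be analysed for (first- vs third-party, session vs persistent, lifetime, Secure/HttpOnly flags). The site, cookie names and fixed clock are constructed sample data; the first-party rule (cookie domain equals the landed host or one of its parents) is my assumption, not the Report's definition.

```python
# Added example, not the ICO's sweep script: classify cookies set on first page load.
from urllib.parse import urlparse

def is_first_party(site_host: str, cookie_domain: str) -> bool:
    """Assumed rule: first-party if the cookie domain is the host or a parent of it."""
    host = site_host.lower()
    dom = cookie_domain.lstrip(".").lower()
    return host == dom or host.endswith("." + dom)

def classify(site_url: str, cookie: dict, now: float) -> dict:
    """Reduce one Selenium-style cookie dict to the properties a sweep would log."""
    host = urlparse(site_url).hostname or ""
    expiry = cookie.get("expiry")  # Selenium omits this key for session cookies
    return {
        "name": cookie["name"],
        "party": "first" if is_first_party(host, cookie.get("domain", host)) else "third",
        "persistent": expiry is not None,
        "lifetime_days": round((expiry - now) / 86400) if expiry else 0,
        "secure": bool(cookie.get("secure")),
        "http_only": bool(cookie.get("httpOnly")),
    }

def summarise(site_url: str, cookies: list, now: float) -> dict:
    """Per-site counts of the kind the Combined Analysis Report aggregates."""
    rows = [classify(site_url, c, now) for c in cookies]
    return {
        "total": len(rows),
        "third_party": sum(r["party"] == "third" for r in rows),
        "persistent": sum(r["persistent"] for r in rows),
        "over_one_year": sum(r["lifetime_days"] > 365 for r in rows),
        "missing_flags": sum(not (r["secure"] and r["http_only"]) for r in rows),
    }

def sweep(url: str):
    """Visit one URL in a new Firefox profile with default settings and return
    (landed_url, cookies). Needs Selenium and a Firefox driver; not run offline."""
    from selenium import webdriver
    driver = webdriver.Firefox()  # fresh profile per visit, as the Report describes
    try:
        driver.get(url)
        return driver.current_url, driver.get_cookies()  # cookies after first page/redirect
    finally:
        driver.quit()

# Constructed sample: what get_cookies() might return for a hypothetical site.
NOW = 1_430_000_000  # fixed clock so the lifetime arithmetic is reproducible
SAMPLE_SITE = "https://www.example-shop.test/"
SAMPLE_COOKIES = [
    {"name": "sessid", "domain": "www.example-shop.test", "secure": True, "httpOnly": True},
    {"name": "prefs", "domain": ".example-shop.test", "expiry": NOW + 400 * 86400, "secure": True},
    {"name": "_ga", "domain": ".example-shop.test", "expiry": NOW + 730 * 86400},
    {"name": "uid", "domain": ".ads.example-network.test", "expiry": NOW + 30 * 86400},
]
```

Running `summarise(SAMPLE_SITE, SAMPLE_COOKIES, NOW)` on the constructed sample reports one third-party cookie, three persistent ones, two living longer than a year and three lacking Secure or HttpOnly.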
The WP29 also stated that in order to prevent potential duplications, “websites of organisations which were not firmly established within a member state taking part in the sweep were suggested to be excluded”, which de facto means that each local authority concentrated its efforts on locally established operators, excluding foreign operators whose web operations may nonetheless also be addressed to that local jurisdiction. This was not an issue for the Cookie Sweep, as all authorities used the same approach and methodology.
But this may well be a substantial issue for enforcement actions, where local authorities do not opt for the same approach and methodology. In such a case, there would be a substantial risk that operators established in more conservative jurisdictions end up being subject to more invasive scrutiny and, more importantly, to different consequences inferred from the information gathered, to the advantage of operators “firmly established” in other jurisdictions.
We do not know whether the Italian DPA (or additional authorities from other jurisdictions) will take part in future Cookie Sweeps (if any). Whilst uniform global DPA regulation remains a chimera, it remains fundamental for Italian (and European) operators that, at least in Europe, any enforcement and investigation action follows the same policies, including, for instance, the same approach and methodology for gathering evidence. More co-ordination is accordingly necessary throughout Europe.