This week, European authorities will be conducting a "cookie sweep" consisting of random checks of websites to ensure that they are complying with European Union (EU) "cookie" laws.
During the "cookie days," the European DPAs are likely to focus their investigation on:
- the types of cookies that are being placed, their duration, and their purpose (e.g., are they to assist the functioning of the website or are they for web tracking or targeted advertising?)
- whether the operator knows and understands all of the cookies placed on its website - including those placed by third parties
- consent, including whether the website obtains consent for using cookies, the nature of such consent mechanisms (implied versus explicit consent), and the ability of consumers to withdraw consent
- the information that is provided to users of the website about the use and type of cookies, the duration of the cookies, and any consequences of a user's refusal to allow cookies to be installed on its device
The result of the sweeps is likely to be the issuance of enforcement letters from the DPAs directing compliance, followed by the assessment of stiff penalties on companies that fail to comply.
Given the recent fines levied for violations in Spain and the Netherlands, companies have been keen to better understand their obligations under EU privacy laws so they can avoid similar sanctions.
In the coming months, companies should also expect further EU audits of how data from websites is collected, stored, and shared. In the meantime, the cookie sweep provides an immediate impetus to companies to assess whether their websites comport with European laws - as well as with those of any other country in which the company operates - and take any corrective measures necessary to ensure compliance.