This week, European authorities will be conducting a "cookie sweep" consisting of random checks of websites to ensure that they are complying with European Union (EU) "cookie" laws. 

While the cookie sweep was initiated by French authorities, it is not limited to companies operating in or interacting with consumers in France. Data Protection Authorities (DPAs) across the EU will conduct investigations of selected websites to verify compliance with the EU data protection laws regarding the use of cookies - text files stored on consumers' computers by websites that they visit to enable the website to recognize the user again. 

During the "cookie days," the European DPAs are likely to focus their investigation on:

  • the types of cookies that are being placed, their duration, and their purpose (e.g., are they to assist the functioning of the website or are they for web tracking or targeted advertising?)
  • whether the operator knows and understands all of the cookies placed on its website - including those placed by third parties
  • consent, including whether the website obtains consent for using cookies, the nature of such consent mechanisms (implied versus explicit consent), and the ability of consumers to withdraw consent
  • the information that is provided to users of the website about the use and type of cookies, the duration of the cookies, and any consequences of a user's refusal to allow cookies to be installed on their device

The result of the sweeps is likely to be the issuance of enforcement letters from the DPAs directing compliance, followed by the assessment of stiff penalties on companies that fail to comply. 

Companies serving the European market should take this opportunity to determine whether the use of cookies on their websites complies with the stringent EU requirements. Specifically, companies should evaluate how their sites use cookies, whether they provide clear and accurate cookie notices, and whether their sites collect valid consent from users before enabling cookies. Companies should also ensure that their privacy policies not only accurately reflect their actual processes and procedures with respect to collecting, storing, and using consumer data, but also comply with both EU directives and local, country-specific data collection and protection laws.

Given the recent fines levied for violations in Spain and the Netherlands, companies have been keen to better understand their obligations under EU privacy laws so they can avoid similar sanctions. 

In the coming months, companies should also expect further EU audits of how data from websites is collected, stored, and shared. In the meantime, the cookie sweep provides an immediate impetus to companies to assess whether their websites comport with European laws - as well as with those of any other country in which the company operates - and take any corrective measures necessary to ensure compliance.