Europe's new privacy law causes influx of cookie notices, many of which likely fall short legally

Chances are in the past few months you may have had a message or two pop up on a major website informing you of an update in their privacy policy or asking if you understand that the company is using cookies to collect data about you.

Although it may be a U.S.-based company doing the asking, the increased disclosure is most likely the result of a new law in Europe: the General Data Protection Regulation.

Researchers from the University of Michigan School of Information and Ruhr-Universität Bochum who studied the impact of the European General Data Protection Regulation—in effect since May 25—have seen use of these cookie notices skyrocket in 28 European Union member states.

They say that many of these notices, however, likely don't meet legal requirements.

They also note that while some companies aren't discriminating with regard to location of customers who receive the notices, some global enterprises are targeting these privacy notices specifically at the EU states where the new law is in place.

"For instance, WashingtonPost.com created a special 'tracking-free' subscription to European readers that you don't see when visiting from the United States, and companies like Netflix let European users personalize their cookie preferences so they can disable targeted ads—an option not available in the U.S.," said Florian Schaub, U-M assistant professor of information and of electrical engineering and computer science. "But if you go to Forbes.com you'll be treated the same, regardless of where you are signing in from.

"The bottom line is that without regulation companies in the United States are not likely to give more privacy choice to customers, so many will find ways to adapt their sites to comply where they must but continue to operate business as usual elsewhere."

Schaub and a team from the Ruhr-Universität Bochum analyzed how the changes required by the GDPR have been implemented by various enterprises. They examined the privacy policies of the 500 most frequented websites in each of the 27 EU member countries—6,357 web pages in total—between January and June 2018. They also looked at 450 of the top 500 most visited websites in the United States.

The researchers collected the privacy policies and cookie notices of those websites and analyzed which changes were made over time.

In many EU states, the presence of privacy policies was low—between 60 and 70 percent—prior to the law. In some countries, that rose by as much as 15 percent under the new regulations. However, approximately 74 percent of the websites did not have their respective privacy policies amended until shortly before May 25.

"The analysis has, moreover, shown that a certain percentage of web pages in some of the countries did not have a policy of that sort at all before the GDPR came into force," said Martin Degeling, first author of the study and a researcher at the Ruhr-Universität Bochum. "However by the deadline, approximately 85 percent of the websites we analyzed had a privacy policy in place."

Among the popular websites in the different European countries were many large U.S. websites. Of those, 96 percent had a privacy policy. This percentage remained unchanged during the study period, likely because those are largely multinational companies, such as Facebook and Google.

After the GDPR came into force, about 62 percent of the websites provided cookie notices—16 percent more than in January 2018. Accordingly, cookie notices have been the crucial element that has been on an increase in connection with the implementation of the GDPR. But, the researchers say that many of the cookie notices they found likely do not meet the GDPR's legal requirements, because they do not offer users the option to deactivate cookies.

Other authors were Christine Utz, Christopher Lentzsch, Henry Hosseini and Thorsten Holz of Ruhr-Universität Bochum.