Skip to Main content Skip to Navigation
Conference papers

On Compliance of Cookie Purposes with the Purpose Specification Principle

Imane Fouad 1 Cristiana Santos 2 Feras Al Kassar 3 Nataliia Bielova 1 Stefano Calzavara 4
1 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
2 INDES - Secure Diffuse Programming
CRISAM - Inria Sophia Antipolis - Méditerranée
Abstract : The enforcement of the General Data Protection Regulation and the ePrivacy Directive relies upon auditing legal compliance of websites. Data controllers, as part of their accountability and transparency obligations, need to declare the purposes of cookies that they use in their websites. This leads to relevant questions such as: How should purposes be described according to the purpose specification principle? And how to ensure a scalable auditing, enabled by automated means, for legal compliance of cookie purposes? In this paper, we investigate the legal compliance of purposes for 20,218 third-party cookies. Surprisingly, only 12.85% of third-party cookies have a corresponding cookie policy where a cookie is even mentioned. Overall, we find out that purposes declared in cookie policies do not comply with the purpose specification principle in 95% of cases in our automatized audit. Finally, we provide recommendations on standardized specification of purposes following the recent draft recommendation of the French Data Protection Authority (CNIL) on cookies.
Document type :
Conference papers
Complete list of metadata

Cited literature [45 references]  Display  Hide  Download
Contributor : Imane Fouad Connect in order to contact the contributor
Submitted on : Thursday, May 7, 2020 - 3:45:49 PM
Last modification on : Friday, December 10, 2021 - 1:16:03 PM


Files produced by the author(s)


  • HAL Id : hal-02567022, version 1


Imane Fouad, Cristiana Santos, Feras Al Kassar, Nataliia Bielova, Stefano Calzavara. On Compliance of Cookie Purposes with the Purpose Specification Principle. IWPE 2020 - International Workshop on Privacy Engineering, Sep 2020, Genova, Italy. pp.1-8. ⟨hal-02567022⟩



Les métriques sont temporairement indisponibles