On Compliance of Cookie Purposes with the Purpose Specification Principle

Calzavara S.
2020-01-01

Abstract

Enforcement of the General Data Protection Regulation and the ePrivacy Directive relies on auditing websites for legal compliance. Data controllers, as part of their accountability and transparency obligations, must declare the purposes of the cookies they use on their websites. This raises two questions: how should purposes be described in order to satisfy the purpose specification principle, and how can auditing of cookie purposes for legal compliance be made scalable through automated means? In this paper, we investigate the legal compliance of the purposes declared for 20,218 third-party cookies. Surprisingly, only 12.85% of third-party cookies have a corresponding cookie policy in which the cookie is even mentioned. Overall, our automated audit finds that the purposes declared in cookie policies do not comply with the purpose specification principle in 95% of cases. Finally, we provide recommendations for a standardized specification of purposes, following the recent draft recommendation on cookies of the French Data Protection Authority (CNIL).
2020
Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
Files in this record:
iwpe20.pdf (not available)
Type: Post-print document
License: Closed access (personal)
Size: 239.62 kB
Format: Adobe PDF

Documents in ARCA are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/10278/3734042
Citations
  • Scopus: 14
  • ISI (Web of Science): 11