Project
SPAI
Safeguard of Privacy in Internet Applications
Completed
Client
Ministry of Economic Development
Partner
University of Rome "La Sapienza"
ISCOM
Italian Data Protection Authority
Goals

To develop a methodology, implemented in an Internet application, for the automatic assessment of website compliance with the Cookie Law. To evaluate the compliance of both commercial and Public Administration websites.

Impact

The evaluation tool is currently used by the Italian Data Protection Authority to support the search for possible infringements of the law and to monitor the compliance of websites with the Cookie Law over time. An experimental evaluation conducted at the end of 2015 produced a number of interesting findings, summarised below.

Description

The Cookie Law is intended to protect users' privacy by requiring every website to inform its visitors of what type of information is being gathered. In particular, the user must be asked for consent to the use of the tracking cookies installed by the website. The tool developed by the project automatically detects whether a website installs tracking cookies and whether it asks for the user's consent. The methodology is based on cookie disclosure and classification, together with the identification of natural-language consent requests by web information retrieval techniques. The system has been implemented as a web application, available at http://spai.fub.it, with password-protected access. An experimental evaluation (as of December 2015) was carried out using the Alexa list of the 500 most popular websites in Italy as well as the 23000 Italian Public Administration websites. The main findings were the following:

  1. at least 20% of the 500 most popular websites were not compliant with the law, because they installed tracking cookies without displaying the notice & consent banner;
  2. about 2000 out of the 23000 Italian Public Administration websites installed tracking cookies, with 60% of these not asking for consent;
  3. more than 7000 Public Administration websites did not contain a privacy policy statement, which is an independent requirement.
Competences