On 3 February, the Article 29 Data Protection Working Party published its ‘Cookie Sweep Combined Analysis – Report’. The sweep was undertaken by the WP29 in partnership with eight of the European data protection regulators, including the UK’s ICO, France’s CNIL and Spain’s AEPD, in order to assess the current steps taken by website operators to ensure compliance with Article 5(3) of Directive 2002/58/EC, as amended by 2009/136/EC. The Report details the results of their assessment of the extent of the use of cookies, the level of information provided, and a review of control mechanisms in place.

The Report examines 250 websites, selected as being among the most frequently visited by individuals within each member state taking part in the sweep. Media, e-commerce and the public sector were chosen as target sectors because the WP29 considered them to present the ‘greatest data protection and privacy risks to EU citizens’.

Highlights of the assessment include:

  • High numbers of cookies are being placed by websites. Media websites place an average of 50 cookies during a visitor’s first visit.
  • Expiry dates of cookies are often excessive. Three cookies in the sweep had been set with the expiry date of 31 December 9999, nearly 8000 years in the future. Excluding cookies with a long duration, the average duration was between one and two years.
  • 26% of sites examined provide no notification that cookies are being used. Of those that do provide a notification, 50% merely inform users that cookies are in use without requesting consent.
  • 16% of sites give users a granular level of control to accept a subset of cookies, with the majority of sites relying on browser settings or a link to a third-party opt-out tool.

Since publishing the Report, the WP29 has made it clear in a Press Release that the results of the sweep “will be considered at a national level for potential enforcement action”. While the UK’s ICO has already stated that it intends to write to those organisations that are still failing to provide basic cookie information on their websites before considering whether further action is required, other European regulators have yet to comment on what actions they have planned.