The Article 29 Working Party recently published its report on a ‘cookie sweep’ that was conducted last September in respect of 478 websites across 8 Member States (Czech Republic, Denmark, France, Greece, Netherlands, Slovenia, Spain and the UK).
The 478 websites targeted by the ‘cookie sweep’ operate in the e-commerce, media and public sectors. These sectors were targeted as the Article 29 Working Party believes they present the greatest data protection and privacy risks to EU citizens. The targeted websites were also selected from amongst the 250 most frequently visited websites by individuals in each participating Member State.
- 16,555 cookies were set across the 478 targeted websites, with an average of 34.6 cookies per site;
- over 70% of the cookies were third party cookies (ie cookies set by parties other than the target websites);
- over 86% of the cookies were persistent cookies (ie cookies that remain on the user’s equipment for the period of time specified in the cookie), with an average duration of between 1 to 2 years;
- 26% of targeted websites provided no notification of any kind on their landing page that cookies were being used;
- the most common cookie notification method was to use a type of banner (59% of targeted websites) or a link in the header or footer (39%), or both;
- of the three targeted sectors, the media sector set on average the highest number of cookies and the public sector set the fewest cookies.
Whilst the sweep did not involve any Irish websites, it does make clear that compliance with notification and consent requirements for cookie usage continues to be monitored across the EU. Frequently visited EU-based websites that are not currently complying with these requirements can reasonably expect to come under scrutiny at some point.
It is also interesting to note that the Article 29 Working Party made clear in its press release that the results of the sweep will be considered at a national level for potential enforcement action. This may act as a further incentive for websites across the EU to ensure compliance with their applicable notification and consent requirements for cookie usage.