The Article 29 Working Party (“WP29”), supported by data protection authorities and other national regulators, recently undertook an EU-wide ‘cookie sweep’. This review concerned nearly 500 websites and spanned 8 Member States. It was aimed at investigating the use of cookies, the level of information provided and the control mechanisms in place. This ‘sweep’ found a spectrum of compliance, resulting in some interesting statistics. While Ireland was not on the list, the review serves as a reminder of the focus by EU regulators on cookie compliance and provides an insight into the views of both national regulators and the WP29.

In Europe, Article 5(3) of the ePrivacy Directive 2002 (as amended) governs the use of cookies and similar technologies. The Article provides for both notice and consent requirements when such technologies are used on websites. The ‘cookie sweep’ sought to identify the methods used for compliance with these rules. The sites targeted were those perceived by the WP29 as posing the greatest data protection and privacy risks to EU citizens – media, e-commerce and public sector websites.

The sweep provided a number of very interesting statistics around the use and types of cookies across the surveyed sites. In particular, some of the information discovered related to the use of third party cookies, i.e. those not directly set by the website owner (for example Google Analytics cookies). Similarly, the sweep looked at session and persistent cookies, the latter being those that do not expire on closing the website. The following statistics were reported by WP29:

  • sites had on average 35 cookies;
  • over 70% of cookies were third party cookies;
  • media websites had the highest use of third party cookies;
  • more than 85% of the average website’s cookies were persistent cookies;
  • 22 sites set more than 100 cookies each;
  • one Danish media site set 12 first party and 247 third party cookies;
  • a number of cookies had expiry dates running to nearly 8000 years; and
  • 7 sites did not set any cookies.

Third party cookies were most commonly found on media websites. The most prevalent business activity of the owners of these cookies was third party advertising. Doubleclick.net (Google’s online advertising arm) was the most common third party cookie, appearing across almost half the sites reviewed and setting 247 cookies. This demonstrates both the prevalence and importance of cookie technology for the advertising industry.

In terms of EU compliance, the WP29 reported that almost a quarter of sites had no cookie notification. However, in the UK only 6% had no such notification. Banners were the most common method of notification – either permanent, temporary or timed. Interestingly, the WP29 noted that a website that did not offer a full range of control mechanisms would not immediately be deemed non-compliant with the rules.

The WP29 reported that users who had set their browser not to accept cookies would not have received over 70% of cookies encountered. In terms of appropriate durations for a persistent cookie, the WP29 stated that a period of 1-2 years is a good starting point for discussion and consideration for an acceptable maximum duration, although the purpose would have to be taken into account.

The WP29 stated, when concluding, that this sweep was not intended as a strict assessment of cookie compliance. However, the report does provide interesting insights into the areas considered and focal points of the review. The final report gives some suggestion that browser settings may, in at least some instances, assist in indicating a user’s consent. Website owners should be mindful of the cookies set on their site and the extent of compliance with notification and consent rules. In particular, it is important to be cognisant of cookies set by third parties and, to the greatest extent possible, to call these out in a separate cookie policy, along with the types and purposes of first party cookies set.