The results of an international investigation into the cookie consent practices of 478 websites frequently visited by European citizens have now been published.  The outcome is perhaps unsurprising: cookies are used en masse by websites operating in Europe, their expiry dates are often excessive, and crucially, not enough is being done to provide notice and obtain valid consent for the use of cookies and other device identifying technologies.

The specific websites that were investigated are not identified (as yet), however those selected were amongst the 250 most frequently visited by individuals within each member state taking part in the investigation (as ranked by Alexa.com).  Sites in the media, e-commerce and public sectors were targeted in particular because they are perceived by the EU data protection regulators to present the greatest data protection and privacy risks to EU citizens.

The investigation was led by the UK’s Information Commissioner’s Office (‘ICO’) and involved an automated and manual examination of the sites in question by seven other privacy regulators from the Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia and Spain.

Key findings of the Investigation

It is clear that website operators (and mobile application providers by implication) still have more work to do in providing information and obtaining consent for the use of cookies.  In particular, the investigation found that:

  • 26% of sites provide no notification that cookies are being used.  Of those that do provide a notification, 50% merely inform users that cookies were in use without requesting consent.
  • Only 16% of the sites give users a granular level of control to make their cookie choices freely and refuse the use of cookies.   

Other key findings of the investigation include that:

  • High numbers of cookies are being placed by websites (more than 160,000 were set across the 478 sites investigated).  The average website places 34 cookies on a device during a visitor’s first visit.
  • 70% of the cookies set on the websites are third party cookies (i.e. set by websites other than the one being visit, for example those set for the purposes of targeted behavioural advertising).
  • The expiry dates for cookies are often excessive; the investigation detected some which will not expire until 31st December 9999 (nearly 8000 years in the future!).

This is not just about website cookies

It is important to remember that while the recent investigation focused primarily on the use of HTTP cookies, any device identifying technologies are equally subject to the notice and consent requirements (including device fingerprinting and local shared objects).  The notice and consent rules also apply to cookies and other device identifying technologies used on mobile applications (as well as websites) so the regulator’s findings are applicable to all providers of online services.

Time to enforce?

Will the report result in enforcement action against infringing online services?  Well, the Article 29 Working Party has put website operators on notice that the results of the sweep will be considered at a national level for potential enforcement action.  The ICO has already stated that it intends to write to those organisations who are still failing to provide basic information on their websites before considering whether further action is required. We also await further information from the other regulators involved in the review, including the Netherlands, France and Spain who have previously issued fines for websites who have failed to comply with the cookie consent requirements.

All websites and mobile application providers based in Europe or offering their services to European-based users should heed the results of this investigation as an urgent call to action.  In particular, this investigation demonstrates that the EU regulators have the technology to conduct automated sweeps of online services to see what cookies are set and they are not afraid to use it.