On February 3, 2015, the Article 29 Working Party (“Working Party”) published a report on a sweep of 478 websites across eight EU Member States (Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the United Kingdom). The sweep was conducted to assess compliance with Article 5.3 of the e-Privacy Directive 2002/58/EC, as amended by 2009/136/EC.
The target websites were selected because the Working Party viewed them as presenting the greatest data protection and privacy risks to EU citizens. The target sectors chosen were media, e-commerce and the public sector, and the target websites were chosen among the 250 most frequently visited websites based on the Alexa ranking within each EU Member State participating in the sweep. The methodology of the cookie sweep consisted of two stages. The first stage included a statistical review of cookies used by websites and their technical properties. The second stage included a more detailed manual review of cookie information and consent mechanisms.
The report stated that target websites in Slovenia set fewer cookies across all target sectors. At the same time, media sites in Denmark, France and the UK set a higher number of cookies as compared to sites in the media sector in other participating EU Member States. In addition, target websites in Slovenia and Greece showed a higher proportion of first-party cookies compared to websites in other participating EU Member States. With respect to public sector websites, the report revealed that, on average, public sector websites use the fewest number of cookies overall but the highest number of first-party cookies. According to the report, media sites use, on average, the highest number of cookies. Media sites also used the most third-party cookies and used persistent cookies with the greatest frequency. The report noted, however, that some media sites (and e-commerce sites) did not use any third-party cookies.
On September 10, 2014, the Global Privacy Enforcement Network (“GPEN”) published the results of an enforcement sweep conducted in May 2014 to assess mobile app compliance with data protection laws. And on May 6, 2013, the GPEN announced its first “Internet Privacy Sweep,” in which 19 data protection authorities participated.