Earlier this month, the EU Working Party 29 published the results of a sweep conducted by 8 EU data protection authorities regarding the cookie use practices of approximately 500 sites.
The 2011 EU e-Privacy Directive requires sites to provide notice of and receive informed consent to the use of cookies and similar technologies, with limited exceptions for cookies that are “necessary” for site operations or that are used solely to transmit communications.
Although the sweep showed progress on cookie notice and consent practices pursuant to the Directive, the EU regulators concluded that sites still have a long way to go. The primary conclusions were that:
- Sites are using very high volumes of cookies, often placed by third parties;
- Cookie expiration dates are often excessive; and
- Sites have more work to do to provide sufficient cookie notice/consent options.
The sites included in the sweep have yet to be explicitly named, but they were selected as being amongst the 250 most frequently visited by EU citizens within each EU country taking part in the sweep (as determined by Alexa). The target sectors chosen for review were media, e-commerce, and public sector sites.
Some of the more interesting findings from the sweep were:
- More than 16,000 cookies were set across the sites, with media sites setting the highest average number (50);
- 70% of cookies were set by third parties and more than half were set by just 25 domains;
- The average cookie expiry date was between 1-2 years, although 374 had an expiry date of greater than 10 years, and 3 cookies had an expiry date of December 9999, nearly 8000 years in the future!;
- 26% of sites provided no notification that cookies were being used;
- Of sites that did provide notification, the regulators concluded that visibility could be improved in 39% of cases and half merely informed users that cookies were in use without requesting consent; and
- Only 16% of sites gave users a granular level of control to accept a subset of cookies with the majority relying on browser settings or a link to a third-party opt-out tool.
Although the sweep focused on HTTP cookies, the report reminded sites that other similar technologies (flash cookies, web beacons, and even device fingerprinting technologies) are also subject to the notice and consent requirements of the e-Privacy Directive.
The results of the sweep will be reviewed on a national level for potential enforcement action. The sweep shows that the EU is serious about its intention to monitor compliance with the e-Privacy Directive. Companies that interact with EU citizens should review the cookies on their sites and ensure that their notices are transparent and up-to-date, and that their consent mechanisms are effective and compliant.
Photo by Waag Society from Flickr