The Article 29 Data Protection Working Party has made what they call “sweep days” a custom. We’ve published blog posts about the earlier Internet Sweep Day and Mobile Apps Sweep Day and we’ve mentioned an ongoing cookie survey around August of 2014 while the French CNIL was starting to control cookie settings on websites.
Yesterday, on the 17th of February 2015, the WP29 has
published a statement [link no longer up] on the results of their cookie surveys.
Their main takeaway is that cookie information and disclosure has indeed improved, but at the same time cookies were still being set without consent.
The survey is the result of the work by 8 data protection agencies across Europe being,
- Czech Republic – Úřad pro ochranu osobních údajů,
- Denmark – Erhvervsstyrelsen,
- France – Commission nationale de l’informatique et des libertés,
- Greece – Hellenic Data Protection Authority,
- Netherlands – Authority for Consumers & Markets,
- Slovenia – Informacijski pooblaščenec Republike Slovenije,
- Spain – Agencia Española de Protección de Datos,
- United Kingdom – Information Commissioner’s Office.
Methodology of the cookie survey
The cookie sweep was done in two major stages. The first was a statistical review of cookies used by websites and their technical properties. The second was a more in-depth manual review of cookie information and consent mechanisms.
What are cookies anyways?
In the words of the press release published yesterday, cookies are “a small piece of information placed on a person’s computer when they visit a website. They can be used to remember the users’ preferences, record items placed in a shopping basket and carry out various other tasks based on how that person uses the site. Some cookies, known as third party cookies, can also be used for many purposes including to record information based on how the user is interacting with other websites.“
And whilst the sweep focused on the classical http cookies, there’s one thing to keep in mind (and it has also been pointed out in the press release itself), similar technologies such as the ones known under the term device fingerprinting, also fall under the cookie rules.
Target sectors were selected as those which were considered by the WP29 to present the greatest data protection and privacy risks to EU citizens. The target sectors chosen were media, e-commerce and the public sector.
Target web sites were selected as being amongst the 250 most frequently visited by individuals within each member state taking part in the sweep. In order to remove potential duplication of sweeping, websites of organisations which were not firmly established within a member state taking part in the sweep were suggested to be excluded.
Results of the cookie survey in detail
Considering that big sites have known about these rules for a while and that guidance by national data protection agencies AND the WP29 was out there, these results must be quite disappointing.
- More than 16000 cookies were set across the sites with those in the media setting the highest average number of cookies (50);
- 22 sites set more than double this average (>100 cookies) when a user visited their home page;
- 70% of the cookies encountered were set by third-parties and more than half of these cookies were set by just 25 domains;
- The average expiry of cookies was found to be between 1 and 2 years, 20% of cookies observed had an expiry date of between 2 and 5 years and 374 were observed with an expiry date of greater than 10 years. However, 3 cookies seen in the sweep had been set with the expiry date of 31 December 9999, nearly 8000 years in the future. Given that the duration can be intentionally renewed by the website operator on each visit it is the case that many of these cookies would survive the lifetime of the device;
- 26% of sites provided no notification that cookies were being used. Of those that did provide a notification, visibility could be improved in 39% of cases and half (50%) merely informed users that cookies were in use without requesting consent;
- Only 16% of sites gave users a granular level of control to accept a subset of cookies with the majority relying on browser settings or a link to a third-party opt-out tool;
- Seven sites set no cookies on the first page.
For further insights, it’s worth reading the guidance made public by the WP29:
- Document 02/2013 providing guidance on obtaining consent for cookies
- Opinion 04/2012 on cookie consent exemption
It’s worth noting that for valid content an operator needs it to “be specific, freely given and
Future for cookie notices?
If anything, this cookie survey shows that there is still work to be done. If the data protection agencies want to see the existing rules implemented, that is. And that is very likely what we are going to see down the road: more guidance, more actions by the national data protection agencies to push for better cookie practices.
Update: of all countries in the European Union, the situation must be the most confusing in Germany. Some parties think that the e-Privacy directive has been adopted into German law (into the TMG), others like the data protection officers disagree and published a statement on their own regarding the matter saying that work needs to be done to make corrections and properly introduce the e-Privacy rules regarding cookies.