By Patrick Van Eecke and Julie De Bruyn

Article 29 Working Party, the European data protection advisory body, has published its report on the ‘cookie sweep’ that was carried out in September last year in partnership with data protection authorities and other regulators across 8 Member States (Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the UK).

The cookie sweep covered 478 websites in the e-commerce, media and public sectors, which are considered by the Article 29 Working Group to present the greatest data protection and privacy risks to EU citizens. The specific websites targeted by the sweep were amongst the 250 most frequently visited websites by individuals within each participating Member State.

The sweep was carried out to assess the current steps taken by website operators to comply with the requirements set forth by Article 5 (3) of the ePrivacy Directive 2002/58/EC (notably the information and consent requirements) and to inform the Article 29 Working Party of the current usage of cookies. In a first stage, the cookies used by the websites and their technical properties were put through a statistical review, while in a second stage a more thorough manual review of the cookie information and consent mechanisms was carried out.

Key findings of the automated, statistical review (478 websites reviewed by 8 Member States) are that:

  • 16.555 (both first and third party) cookies were set by 478 websites, resulting in an average of 34.6 cookies per website;
  • over 70% of the cookies are third party cookies, notably cookies that are set by a domain other than that of the website visited by the user);
  • over 86% of the cookies are persistent cookies, notably cookies that remain on a user’s device for the period of time specified in the cookie, rather than being deleted once the browser is closed by the user. The average duration of the first party persistent cookies was 14,34 years and 1,77 years for third party persistent cookies;

Key findings of the manual sweep (437 websites inspected by 7 Member States) are that:

  • only 7 websites did not set any cookies;
  • the most common notification method is to use some sort of cookie banner (59%) or a link in the header or footer (39%), or both;
  • 26% of the websites did not show any notification of any kind on the landing page visited during the sweep. The vast majority of these websites were swept by the Czech Republic;
  • of the websites that did provide some sort of notification, 43% of them were considered not to provide sufficient information regarding the types or purposes of cookies used;
  • 50% of the websites inspected request consent from the user to store cookies; the remaining 50% use language such as ‘we use cookies’, ‘cookies are being set’, or similar;
  • Only 16% of the websites inspected provided the user a granular level of control by offering the choice to accept or decline certain types of cookies. For 84% of the inspected websites, the user is required to review his browser settings to control the use of cookies;
  • If a user had set its browser settings to not accept third party cookies and visited the same websites, 70% of the cookies recorded would not have been set;
  • Of the 3 sectors in the scope of the sweep, websites of the media sector set on average the highest number of cookies, public sector sites set the fewest cookies.

The full report (including more statistics and diagrams) can be consulted here: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2015/wp229_en.pdf

The Article 29 Working Party’s working document providing guidance on obtaining consent for cookies can be consulted here: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf The Article 29 Working Party’s Opinion on Cookie Consent Exemption can be consulted here: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf

For further information, please contact Patrick Van Eecke (patrick.vaneecke@dlapiper.com) or Julie De Bruyn (julie.debruyn@dlapiper.com).