The Article 29 Working Party (“WP29”), supported by data protection authorities and other national regulators, recently undertook an EU-wide ‘cookie sweep’. This review concerned nearly 500 websites and spanned 8 Member States.
The sweep provided a number of very interesting statistics around the use and types of cookies across the surveyed sites. In particular, some of the information discovered related to the use of third party cookies, i.e. those not directly set by the website owner (for example Google Analytics cookies). Similarly, the sweep looked at session and persistent cookies, the latter being those that do not expire on closing the website. The following statistics were reported by WP29:
- sites had on average 35 cookies;
- over 70% of cookies were third party cookies;
- media websites had the highest use of third party cookies;
- more than 85% of the average website’s cookies were persistent cookies;
- 22 sites set more than 100 cookies each;
- one Danish media site set 12 first party and 247 third party cookies;
- a number of cookies had expiry dates running to nearly 8000 years; and
- 7 sites did not set any cookies.
Third party cookies were most commonly found on media websites. The most prevalent business activity of the owners of these cookies was third party advertising. Doubleclick.net (Google’s online advertising arm) was the most common third party cookie, appearing across almost half the sites reviewed and setting 247 cookies. This demonstrates both the prevalence and importance of cookie technology for the advertising industry.
In terms of EU compliance, the WP29 reported that almost a quarter of sites had no cookie notification. However, in the UK only 6% had no such notification. Banners were the most common method of notification – either permanent, temporary or timed. Interestingly, the WP29 noted that a website that didn’t offer full range of control mechanisms would not immediately be deemed non-complaint with the rules.
The WP29 reported that users who had set their browser not to accept cookies would not have received over 70% of cookies encountered. In terms of appropriate durations for a persistent cookie, the WP29 stated that a period of 1-2 years is a good starting point for discussion and consideration for an acceptable maximum duration, although the purpose would have to be taken into account.
The contents of this publication are to assist access to information and do not constitute legal or other advice. © Copyright Mason Hayes & Curran 2015. All rights reserved. Mason Hayes & Curran is a member of the EACCNY.