Working Party 29 releases results of EU cookies sweep
On February 3, 2015, the Article 29 Working Party ("WP 29") released a report (the "report") analysing the results of an EU cookies sweep, which was announced by the CNIL last July.
The sweep was conducted by several EU Data Protection Authorities ("DPAs") with the aim to informing the WP 29 on the current usage of cookies and likely state of compliance with Article 5(3) of the ePrivacy Directive across the EU in a range of specific sectors. The cookies sweep did not aim to assess the level of compliance with cookie rules, but rather to assess the extent of the use cookies, the level of information provided and to review the controller mechanisms in place on the websites that were visited.
Who conducted the cookies sweep?
The cookies sweep was conducted on 15 - 19 September 2014 by the DPAs and other national regulators who are competent for enforcing Article 5(3) of the ePrivacy Directive under national law in eight EU Member States: Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the United Kingdom.
What was the scope of the cookies sweep?
The cookies sweep focused essentially on three sectors, namely media, e-commerce and the public sector, which are perceived by the WP 29 as presenting the greatest data protection and privacy risks to EU citizens. The target websites were selected among the 250 most frequently visited sites by individuals within each Member State taking part in the sweep.
What are the results of the cookies sweep?
Essentially, the cookies sweep was conducted in two phases:
Phase 1 comprised a statistical review of cookies used by websites and their technical properties. Without going into the full details of the report, the following key points can be highlighted:
- a total of 478 sites were audited in eight Member States;
- a total of 16555 cookies were set on all 478 sites (on average: 34,6 cookies per site);
- 70% of the 16555 cookies recorded were third party cookies and 86,09% were persistent cookies;
- media sites set on average the highest number of cookies (e.g., 83,1% in the UK);
- media sites also contained the highest proportion of third party cookies (78,95%) and persistent cookies (89,61%) as compared with other sectors;
- the average duration of first-party persistent cookies is 14,34 years while the average duration of third party persistent cookies is 1,77 years;
- third party domains are mainly involved in the advertising business.
Phase 2 comprised of a more in-depth manual review of cookie information and consent mechanisms. The report indicates that the most common method used for notifying users is either the cookie banner (59%) or a link in the header or footer (39%), or both.
In 57% of the cases, it was considered that the site provided an appropriate level of information regarding the types of cookies used.
50% of the sites audited requested consent from the user to store cookies, whereas the remaining 50% used broader language such as "we use cookies" or "cookies are being set".
Finally, in a minority of cases (only 16%), users were offered a granular level of control of the types of cookies they accept or decline. In the majority of cases, the sites simply require the user to review their browser settings to control cookie usage.
What should organizations take away from this report?
From a legal perspective, it is interesting to note that the majority of the websites inform their users about the use of cookies but only half of them obtain consent from their users. Very few websites enable users to access and change their cookies settings via granular controls, while most of the websites simply refer to the user's Internet browser. And thus, this shows there is still room for improvement and creativity both in relation to consent mechanisms and user control of the data.
The report provides interesting facts and figures regarding the use of cookies in Europe, but unfortunately fails to deliver a comprehensive overview of the situation in Europe due to the limited scope of the cookies sweep. Indeed, geographically, the cookies sweep was carried out in a small number of EU Member States, and as a result, some key markets (such as Germany, Poland and Italy) are not mentioned in the report because the DPAs of those countries did not take part in the sweep.
The report also only focuses on three sectors (namely media, e-commerce and the public sector) without assessing the use of cookies in other important economic sectors (such as banking and finance, hotel and leisure or retail) which also rely heavily on the use of cookies to carry out their business.
But perhaps the biggest oversight of the report is its failure to acknowledge the growing technological trends of the market, such as device fingerprinting and cross-device targeting. The report focuses principally on the use of cookies on websites without analysing how cookies are used by mobile apps providers, which is currently the fastest growing market for advertisers. Therefore, while the report does provide a high-level overview of the use of cookies and the notice and consent mechanisms that are put in place by organizations, the report does not address some of the key technological issues or trends that are already re-modelling the advertising market, which inevitably will raise further questions for the EU legislator, businesses and privacy practitioners.
Therefore, although the report seems to indicate that most businesses have done their homework when it comes to the use of cookies on websites, the real challenge for companies in the months to come will be to comply with the law in a technologically diverse environment with ever more sophisticated technologies enabling them to track their users.