On February 3, 2015, the Article 29 Working Party ("WP 29") released a report (the "report") analysing the results of an EU cookies sweep, which was announced by the CNIL last July.
Who conducted the cookies sweep?
The cookies sweep was conducted on 15 - 19 September 2014 by the DPAs and other national regulators who are competent for enforcing Article 5(3) of the ePrivacy Directive under national law in eight EU Member States: Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the United Kingdom.
What was the scope of the cookies sweep?
The cookies sweep focused essentially on three sectors, namely media, e-commerce and the public sector, which are perceived by the WP 29 as presenting the greatest data protection and privacy risks to EU citizens. The target websites were selected among the 250 most frequently visited sites by individuals within each Member State taking part in the sweep.
What are the results of the cookies sweep?
Essentially, the cookies sweep was conducted in two phases:
Phase 1 comprised a statistical review of cookies used by websites and their technical properties. Without going into the full details of the report, the following key points can be highlighted:
- a total of 478 sites were audited in eight Member States;
- a total of 16555 cookies were set on all 478 sites (on average: 34,6 cookies per site);
- 70% of the 16555 cookies recorded were third party cookies and 86,09% were persistent cookies;
- media sites set on average the highest number of cookies (e.g., 83,1% in the UK);
- media sites also contained the highest proportion of third party cookies (78,95%) and persistent cookies (89,61%) as compared with other sectors;
- the average duration of first-party persistent cookies is 14,34 years while the average duration of third party persistent cookies is 1,77 years;
- third party domains are mainly involved in the advertising business.
Phase 2 comprised of a more in-depth manual review of cookie information and consent mechanisms. The report indicates that the most common method used for notifying users is either the cookie banner (59%) or a link in the header or footer (39%), or both.
In 57% of the cases, it was considered that the site provided an appropriate level of information regarding the types of cookies used.
Finally, in a minority of cases (only 16%), users were offered a granular level of control of the types of cookies they accept or decline. In the majority of cases, the sites simply require the user to review their browser settings to control cookie usage.
What should organizations take away from this report?
Sign up to our email digest