knowledge 9 June 2015 |

Article 29 Working Party Publishes Report on Cookie Sweep

The sweep was conducted in partnership with the data protection authorities and other relevant regulators in each of the 8 Member States, and its purpose was to assess the current state of steps taken by the target websites to ensure compliance with Article 5(3) of Directive 2002/58/EC (as amended by Directive 2009/136/EC). Article 5(3) details the consent and information requirements applying to the use of cookies. It is implemented into Irish law under Regulation 5(3) of the Electronic Privacy Regulations (S.I. 336 of 2011).

The 478 websites targeted by the ‘cookie sweep’ operate in the e-commerce, media and public sectors. These sectors were targeted as the Article 29 Working Party believes they present the greatest data protection and privacy risks to EU citizens. The targeted websites were also selected from amongst the 250 most frequently visited websites by individuals in each participating Member State.  

The sweep highlighted a number of differences in the use of cookies across the targeted sectors and among the participating Member States. The key findings from the sweep include the following:  

• 16,555 cookies were set across the 478 targeted websites, with an average of 34.6 cookies per site;
• over 70% of the cookies were third party cookies (ie cookies set by parties other than the target websites);
• over 86% of the cookies were persistent cookies (ie cookies that remain on the user’s equipment for the period of time specified in the cookie), with an average duration of between 1 to 2 years;
• 26% of targeted websites provided no notification of any kind on their landing page that cookies were being used;
• the most common cookie notification method was to use a type of banner (59% of targeted websites) or a link in the header or footer (39%), or both;
• of those websites that did provide some information on the use of cookies, 43% of them were considered not to provide sufficient information on the types or purposes of cookie usage;
• of the three targeted sectors, the media sector set on average the highest number of cookies and the public sector set the fewest cookies.

Whilst the sweep did not involve any Irish websites, it does make clear that compliance with notification and consent requirements for cookie usage continues to be monitored across the EU. Frequently visited EU-based websites that are not currently complying with these requirements can reasonably expect to come under scrutiny at some point.

It is also interesting to note that the Article 29 Working Party made clear in its press release that the results of the sweep will be considered at a national level for potential enforcement action. This may act as a further incentive for websites across the EU to ensure compliance with their applicable notification and consent requirements for cookie usage.