The specific websites that were investigated are not identified (as yet), however those selected were amongst the 250 most frequently visited by individuals within each member state taking part in the investigation (as ranked by Alexa.com). Sites in the media, e-commerce and public sectors were targeted in particular because they are perceived by the EU data protection regulators to present the greatest data protection and privacy risks to EU citizens.
The investigation was led by the UK’s Information Commissioner’s Office (‘ICO’) and involved an automated and manual examination of the sites in question by seven other privacy regulators from the Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia and Spain.
Key findings of the Investigation
- 26% of sites provide no notification that cookies are being used. Of those that do provide a notification, 50% merely inform users that cookies were in use without requesting consent.
Other key findings of the investigation include that:
- High numbers of cookies are being placed by websites (more than 160,000 were set across the 478 sites investigated). The average website places 34 cookies on a device during a visitor’s first visit.
- 70% of the cookies set on the websites are third party cookies (i.e. set by websites other than the one being visit, for example those set for the purposes of targeted behavioural advertising).
- The expiry dates for cookies are often excessive; the investigation detected some which will not expire until 31st December 9999 (nearly 8000 years in the future!).
This is not just about website cookies
It is important to remember that while the recent investigation focused primarily on the use of HTTP cookies, any device identifying technologies are equally subject to the notice and consent requirements (including device fingerprinting and local shared objects). The notice and consent rules also apply to cookies and other device identifying technologies used on mobile applications (as well as websites) so the regulator’s findings are applicable to all providers of online services.
Time to enforce?
Will the report result in enforcement action against infringing online services? Well, the Article 29 Working Party has put website operators on notice that the results of the sweep will be considered at a national level for potential enforcement action. The ICO has already stated that it intends to write to those organisations who are still failing to provide basic information on their websites before considering whether further action is required. We also await further information from the other regulators involved in the review, including the Netherlands, France and Spain who have previously issued fines for websites who have failed to comply with the cookie consent requirements.
All websites and mobile application providers based in Europe or offering their services to European-based users should heed the results of this investigation as an urgent call to action. In particular, this investigation demonstrates that the EU regulators have the technology to conduct automated sweeps of online services to see what cookies are set and they are not afraid to use it.