Privacy & Information Security Law Blog

On February 3, 2015, the Article 29 Working Party (“Working Party”) published a report on a sweep of 478 websites across eight EU Member States (Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the United Kingdom). The sweep was conducted to assess compliance with Article 5.3 of the e-Privacy Directive 2002/58/EC, as amended by 2009/136/EC.

Target Websites

The target websites were selected because the Working Party viewed them as presenting the greatest data protection and privacy risks to EU citizens. The target sectors chosen were media, e-commerce and the public sector, and the target websites were chosen among the 250 most frequently visited websites based on the Alexa ranking within each EU Member State participating in the sweep. The methodology of the cookie sweep consisted of two stages. The first stage included a statistical review of cookies used by websites and their technical properties. The second stage included a more detailed manual review of cookie information and consent mechanisms.

Main Results

The sweep brought to light a number of differences in the use of cookies across the various industry sectors and among the different EU Member States. The sweep also identified areas for improvement, including a few cookies with duration periods of up to nearly 8,000 years, which is in contrast to the average duration period of 1 to 2 years. In addition, the sweep discovered that 70% of the 16,555 cookies recorded were third party cookies. More than half of the third party cookies were set by just 25 third party domains. The sweep also found that a website banner was the method generally used to inform users of cookie use. The Working Party stated in its report, however, that there are still a number of websites that do not provide sufficient notice that cookies are used (e.g., 26 % of the sites do not provide any notice), do not obtain consent from the user (e.g., 54 % of the sites), or provide adequate information regarding the use of cookies.

The report stated that target websites in Slovenia set fewer cookies across all target sectors. At the same time, media sites in Denmark, France and the UK set a higher number of cookies as compared to sites in the media sector in other participating EU Member States. In addition, target websites in Slovenia and Greece showed a higher proportion of first-party cookies compared to websites in other participating EU Member States. With respect to public sector websites, the report revealed that, on average, public sector websites use the fewest number of cookies overall but the highest number of first-party cookies. According to the report, media sites use, on average, the highest number of cookies. Media sites also used the most third party cookies and used persistent cookies with the greatest frequency. The report noted, however, that some media sites (and e-commerce sites) did not use any third party cookies.

Other Sweeps

On September 10, 2014, the Global Privacy Enforcement Network (“GPEN”) published the results of an enforcement sweep conducted in May 2014 to assess mobile app compliance with data protection laws. And on May 6, 2013, the GPEN announced its first “Internet Privacy Sweep,” in which 19 data protection authorities participated.