On 3 February 2015 the Article 29 Data Protection Working Party (WP29) published the results of its investigation into the use of cookies on European websites, which it describes as a cookie sweep analysis.
WP29 conducted a sweep of up to 478 websites across eight Member States, including France, the Netherlands and the United Kingdom, but not Belgium. All of the websites were related to the e-commerce, media and public sectors. These target websites were selected as those considered by WP29 to present the greatest privacy risks to EU citizens.
On the basis of an automated scan, the number and type of the cookies set were determined per website. By means of a manual sweep, the steps taken by the site to inform users that cookies were in use and the steps taken to obtain cookies were recorded. Visibility and quality of cookie information were among the features that were taken into account. However, the sweep only focused on the use of cookies and the level of information provided; there was no assessment of cookie regulation compliance.
Here are some remarkable results:
- Almost all websites set cookies. Only seven of the 478 target websites did not set any cookies. The target websites placed an average of 34.6 cookies.
- More than 86% of the cookies are persistent cookies (cookies that do not disappear when the browser session is closed). They have an average duration of one to two years –which, according to WP29, is a useful starting point for a discussion regarding an acceptable maximum duration for cookies (although the purpose of the cookie will also need to be taken into account). Some of the cookies set have an extremely long duration of nearly 8,000 years!
- Approximately 70% of the cookies used are "third party cookies", which are cookies that are set by a domain other than the website visited. More than half of them were set by just 25 third-party domains.
- Most websites use a banner (59%) or a link in a header or footer (39%) to indicate the use of cookies. 54% of the target websites inform the user, but do not ask the user's consent to set cookies. Some 26% of the websites do not inform the user at all that cookies are being set.
The full report can be read here.