On February 3, 2015, European data protection regulators released the Cookie Sweep Combined Analysis Report analyzing how websites use cookies to collect data from European citizens and highlighting noncompliance with Article 5(3) of the EU’s ePrivacy Directive. Among other requirements, this directive mandates that website operators obtain users’ consent for the use of cookies or similar tracking technologies. Notably, the directive purports to reach beyond the borders of European Union to apply to any website directed to or collecting data from European citizens.
To compile data for the report, the EU’s Article 29 Data Protection Working Party conducted a sweep of 478 of the most frequently visited websites in the e-commerce, media, and public sectors in eight EU Member States. The sweep targeted websites in these sectors because they likely pose the greatest risk to data protection and privacy for European citizens. The cookie sweep consisted of two stages: (1) a statistical review of cookies used by the websites and their technical properties; and (2) an in-depth manual review of cookie information and consent mechanisms. The study recorded each website’s cookie notification method, the visibility and quality of cookie information provided, and the mechanism offered for users to express consent.
The report identified several areas for improved compliance with cookie requirements. In particular, covered website operators should, according to the Article 29 Data Protection Working Party, take the following steps to ensure compliance:
- Obtain consent from the user before using cookies (50% of sites analyzed failed to request consent and merely informed users that cookies were in use);
- Give adequate notice to users that the website employs cookies as a tracking tool (26% of sites analyzed did not provide any cookie notification on the first page visited);
- Provide sufficiently detailed information regarding the types and purposes of cookies used (43% of sites analyzed provided inadequate information to users); and
- Set a reasonable duration period, taking the cookie’s purpose into account (some of the cookies analyzed had duration periods ranging from 68 to nearly 8,000 years, far beyond the average one to two year duration).
The cookie sweep and report highlight the EU’s continued focus on cookie requirements as an enforcement target going forward. The Article 29 Data Protection Working Party plans to leverage the report’s findings to refine policy positions and provide a basis for any coordinated enforcement activity that may be required. As a result, website operators who target or collect data from European citizens should review their cookie notice and choice practices, taking into consideration the ePrivacy Directive’s requirements as implemented in the EU Member States.