Who: Information Commissioner’s Office, Article 29 Working Party
When: 17 February 2015
Law stated as at: 20 April 2015
All readers of this blog will be familiar with wording about “cookies” appearing on most websites they visit. Cookies are small pieces of data (typically a name and a value, often carrying an identifier) that a website asks the browser to store and send back with later requests, which allows user activity to be tracked on (or across) websites. UK websites have had to obtain consent for the placement of cookies on the devices of users since May 2011, when the UK implemented an amendment to the European Union’s E-Privacy Directive in its national law. As the underlying European legislation was a Directive, other EU Member States have also passed legislation to implement the provisions into their national law.
In September 2014, the Article 29 Working Party, set up to advise the EU on data protection, worked with national data protection authorities in eight Member States to conduct a sweep of 478 websites to gain an overview of the cookie landscape. The sites selected were among the 250 most frequently visited sites in each Member State taking part. The Working Party released its report on 3 February 2015 (the “A29 Report”), and the UK’s data protection regulator, the Information Commissioner’s Office (the “ICO”), released its own summary on 17 February.
The participating countries were the Czech Republic, Denmark, Spain, France, Greece, Netherlands, Slovenia and the UK.
The A29 Report highlights a number of differences between cookie usage in the Member States included in the sweep, particularly surrounding the number of cookies set. The UK sites surveyed set a total of 3711 cookies, second only to France, which set 4238.
The ICO has also announced that the UK is the nation which, on average, sets the most cookies per website on a first visit, at 44.2 cookies – the highest mean figure included in the Article 29 report. By way of comparison, Slovenian websites set the fewest with 5.5 per site.
One quirk of the A29 Report is that the mean cookies per website figure for France is not included, but listed as “n/a” without explanation. It appears that, if this mean is calculated using the other figures for France, it comes out at 47.5 – higher than the UK figure. The author would be interested to hear from any readers from the ICO or Article 29 Working Party who can explain why no mean figure for France was included.
Media takes the biscuit
Of the sectors reviewed, media sites were generally the most prolific cookie setters. An unnamed Danish media site topped the individual (dis?)honours list, setting 259 cookies. However this was closely followed by a UK media site, which set 225, and of the 22 sites which set more than 100 cookies, just under half (10) were UK sites.
Across the entire sweep, 70 per cent of cookies being set were third party cookies. These are cookies set while a user visits a website but belonging to, and controlled by, a domain other than the one the user is visiting (for example, an advertiser or analytics service whose content is embedded in the page). More than half of these cookies (i.e. over 35% of all cookies in the sweep) were set by only 25 organisations, predominantly for the purpose of serving third-party advertising.
The way the cookies crumble
86 per cent of cookies set were also persistent cookies (which carry an expiry date and survive across several browsing sessions) rather than session cookies (which have no expiry date and are discarded when the browser is closed). Of the persistent cookies, most expired after one or two years, but some were set to last as long as 10, 100 or nearly 8000(!) years.
Given the average life of a piece of consumer electronics equipment, there is perhaps less practical difference between an 8000 year cookie and a ten year one than might appear to be the case. However, it is clearly also questionable whether either complies with the requirement of the Data Protection Directive to retain data no longer than is necessary for a specified purpose. This point has been made by the ICO, whose Group Manager for Technology, Simon Rice, was quoted as saying that “While the length of time a cookie needs to remain on a device will depend on the reason why it was originally set, it is difficult to justify an expiry date in the year 9999 for even the most innocent of purposes”.
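Whether a cookie is persistent, how long it will live and whether it was set by a third party can all be read from the Set-Cookie headers produced by a single page load, so a site owner can reproduce the kind of counts in the A29 Report for its own pages before a regulator does. The following Python is an added example and is not code from the A29 Working Party, the ICO or any of the sites surveyed. The page URL, the sample headers, the two-year flag threshold and all helper names are constructed for illustration, and the domain-matching helper is deliberately crude (a real tool should use the Public Suffix List). It also shows two edge cases worth knowing when auditing: a Max-Age attribute overrides an Expires attribute when both are present, and a Max-Age of zero deletes the cookie rather than persisting it.

```python
"""Audit Set-Cookie headers for lifespan and third-party origin.

Added illustration only: the sample page, headers, threshold and helper
names are this example's own assumptions, not taken from the A29/ICO reports.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlsplit

# Assumption: flag anything living longer than the one-to-two years the sweep found typical.
FAR_FUTURE_YEARS = 2.0


@dataclass
class CookieFinding:
    name: str
    setter: str                      # host of the response that carried the header
    third_party: bool
    persistent: bool
    lifetime_years: Optional[float]  # None for session cookies and deleted cookies
    far_future: bool


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Wrong for suffixes such as co.uk;
    a real auditor should consult the Public Suffix List."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def cookie_lifetime(header: str, now: datetime) -> tuple[str, Optional[timedelta]]:
    """Return (cookie name, lifetime). A lifetime of None means a session cookie.
    Per RFC 6265 section 4.1.2.2, Max-Age takes precedence over Expires when both appear."""
    name_value, *attrs = [part.strip() for part in header.split(';')]
    name = name_value.split('=', 1)[0].strip()
    max_age = expires = None
    for attr in attrs:
        key, _, value = attr.partition('=')
        key, value = key.strip().lower(), value.strip()
        if key == 'max-age':
            try:
                max_age = int(value)
            except ValueError:
                pass  # RFC 6265: a non-numeric Max-Age is ignored
        elif key == 'expires':
            try:
                expires = datetime.strptime(value, '%a, %d %b %Y %H:%M:%S GMT')
                expires = expires.replace(tzinfo=timezone.utc)
            except ValueError:
                pass  # an unparseable Expires is ignored as well
    if max_age is not None:
        return name, timedelta(seconds=max_age)
    if expires is not None:
        return name, expires - now
    return name, None


def audit(page_url: str, responses: list[tuple[str, str]], now: datetime,
          far_future_years: float = FAR_FUTURE_YEARS) -> list[CookieFinding]:
    """responses: (URL of the response, Set-Cookie header value) pairs seen while loading page_url."""
    site = registrable_domain(urlsplit(page_url).hostname or '')
    findings = []
    for resp_url, header in responses:
        host = urlsplit(resp_url).hostname or ''
        name, lifetime = cookie_lifetime(header, now)
        years = lifetime.total_seconds() / (365.25 * 86400) if lifetime is not None else None
        # Max-Age <= 0 or an Expires in the past removes the cookie, so it is not persistent.
        persistent = years is not None and years > 0
        findings.append(CookieFinding(
            name=name,
            setter=host,
            third_party=registrable_domain(host) != site,
            persistent=persistent,
            lifetime_years=years if persistent else None,
            far_future=persistent and years > far_future_years,
        ))
    return findings


def summarise(findings: list[CookieFinding]) -> dict:
    """The headline figures the A29 sweep reported, for one page load."""
    n = len(findings)
    return {
        'cookies': n,
        'third_party_share': sum(f.third_party for f in findings) / n if n else 0.0,
        'persistent_share': sum(f.persistent for f in findings) / n if n else 0.0,
        'far_future': [f.name for f in findings if f.far_future],
    }


# Constructed sample: one load of www.example.org producing five Set-Cookie headers.
SAMPLE_PAGE = 'https://www.example.org/'
SAMPLE_RESPONSES = [
    ('https://www.example.org/', 'sessionid=abc123; Path=/; Secure; HttpOnly'),
    ('https://www.example.org/', 'prefs=dark; Expires=Wed, 17 Feb 2016 00:00:00 GMT; Path=/'),
    ('https://tracker.adnet.example/px.gif',
     'ad_uid=9f3e; Domain=.adnet.example; Max-Age=3600; Expires=Fri, 31 Dec 9999 23:59:59 GMT'),
    ('https://stats.analytics.example/c.js', '__uid=7c1; Expires=Fri, 31 Dec 9999 23:59:59 GMT'),
    ('https://www.example.org/logout', 'sessionid=; Max-Age=0'),
]
REFERENCE_NOW = datetime(2015, 2, 17, tzinfo=timezone.utc)  # fixed so the figures are reproducible

if __name__ == '__main__':
    results = audit(SAMPLE_PAGE, SAMPLE_RESPONSES, REFERENCE_NOW)
    for finding in results:
        print(finding)
    print(summarise(results))
```

Run against the constructed sample, the analytics cookie comes out at roughly 7985 years and is the only one flagged; the advertising cookie is not, because its one-hour Max-Age overrides the year-9999 Expires; and the logout response's Max-Age=0 is reported as neither persistent nor far-future. Pointing the same logic at real headers captured by a proxy or browser devtools gives a per-site version of the report's persistent and third-party shares.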
Granular cookie information?
While the ICO clearly has its concerns regarding the lifespan of certain cookies, the regulator appeared happier with the findings of the A29 Report in relation to the information provided about cookies by UK websites (as required by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”)). In the UK, 94% of the 81 websites included in the sweep provided information on the cookies that were being used on the site. This puts the UK well above the average of the other countries surveyed, where information was provided in only 74% of cases. 59% of sites swept did this via a banner at the top of a webpage, and just over 39% included a link to cookie information in the header or footer. The other requirement of PECR, to allow people to make a real choice as to whether cookies are set, is mentioned only briefly in the ICO’s summary. The A29 Report indicates that 50% of sites requested consent from the user to set cookies, while the other 50% simply stated that cookies were being set. Only 16% of sites provided users with on-site granular controls to turn specific cookies on or off.
Why this matters:
As the cookie laws have now been in place for a while, European data protection regulators will expect websites to be compliant by now. The results of this survey, which show large numbers of cookies being dropped in many countries and consent mechanics only being implemented in 50% of cases, are likely to be seen by regulators as posing a risk to individuals’ personal privacy, which may encourage regulators to look afresh at the area. However, while the primary burden for compliance rests on the website owner, regulators will no doubt be interested in the statistic that 70% of all cookies in the exercise were third party cookies, set by a group of only 25 advertisers. It therefore seems likely that the ICO and other European data protection regulators will be looking carefully at the cookie practices of such organisations.
Cookie lifespan is clearly a concern for the regulator, and organisations setting expiry dates in the far future should note that these are likely to be in breach of the law in this area unless such a date is justifiable. There does not appear to have been any regulator action on this in the UK to date, nor on consent mechanics (although fines have been levied by French, Italian and Dutch regulators for inadequate consent mechanics); however, an exemplary challenge by the ICO in either of these areas cannot be ruled out.
The ICO notes in its summary of the A29 Report that the scale of cookie usage may come as a surprise to many people. However, sites in the UK appear to be doing reasonably well at providing information regarding the cookies being used. Perhaps more so than the lifespan and consent issues, non-compliance with the information requirements is likely to be relatively simple for the ICO to identify and challenge. While website owners should take steps to ensure that their sites comply with the cookie laws in full, those whose sites do not even provide adequate information on cookies may be exposing themselves to particular risk.