EU Cookie Sweep Findings: Could Do Better

Most websites are providing information about cookies, but a lot less are obtaining consent and even fewer providing user controls. These are the broad findings published this week by the ICO and Article 29 Working Party following their cookie sweep conducted last autumn. In many ways it reads like that familiar school report line - could do better (PDF).

Using a tool developed by the ICO, the home pages of just under 500 of the most popular websites across 8 EU member states, including the UK, France, Spain and The Netherlands, were scanned for their cookies. They then followed this up by taking a look at most of these to see what each site was doing to inform visitors about cookie use.

In total they found that around a quarter of the websites had no kind of cookie notice, although this varied widely across different countries. In the Czech Republic 76% of sites had no notice, while in the UK the figure was just 6%.

However, this does not really show the whole picture. In 40% of sites that did have a notice, it was judged to not be sufficiently visible to visitors and a similar number had insufficient information about how cookies were being used.

Consent?

On the issue of whether meaningful consent was being obtained, about half the sites merely stated that cookies were used, with no real request for consent.

It was also noted that whilst they were pleased to see that some sites were offering users direct control over the setting of cookies, this was limited to 16%. I suspect that they would have like to see this figure much higher.

What Happens Next

The report was keen to point out that this exercise was never about establishing compliance with the law. Indeed it highlights the limited nature of the scan by stating that verifying the accuracy of statements about the use of cookies on particular sites was out of scope, which seems like a missed opportunity. In our audit work we regularly find a big difference between the cookies being declared on a policy page, and those actually being set. This is usually down to site owners having done a cookie audit 2 or 3 years ago for their initial compliance efforts, and never having done it again despite updating their sites. To get around this problem we advise clients to check for cookie changes at least every six months, but some are starting to do this on a monthly basis.

However despite the claim that this was not a compliance exercise, in a YouTube video explaining the findings, the ICO's Simon Rice says that they will be contacting the UK sites that they felt were falling short.

There was also some indication of a desire to do something about the acceptability of cookies that are designed to persist for a long time. Much was made about how some cookies have extremely long lifespans – many years more than the likely lifetime of the device they were saved to, or possibly the company setting them in some cases. In the concluding remarks the report talks of “a discussion regarding the acceptable maximum duration” of a cookie. Might such discussion be part of the review of the law that has been tabled for 2016?