The Article 29 Working Party has recently published the results of a survey on cookie usage of 478 websites frequently used by European citizens. According to the survey, there's improvement in information but cookies are still being set without consent.
A cookie is a small piece of information placed on a person’s computer when they visit a website. They can be used to remember the users’ preferences, record items placed in a shopping basket and carry out various other tasks based on how that person uses the site. Some cookies, known as third party cookies, can also be used for many purposes including to record information based on how the user is interacting with other websites. The survey of has shown that many website operators inform their users about cookies but that 1. high numbers of cookies are being placed by websites, 2. expiry dates are often excessive and 3. the websites still have more work to do on providing information and gaining valid consent for their use of cookies.
In Luxembourg, the Act of 30 May 2005 on the protection of privacy in the electronic communications sector is applicable in the matter. This law, which is a transposition of the European Directive 2002/58/EC ("ePrivacy"), requires website operators to gain consent for the use of cookies and similar technologies unless a valid exemption applies. These exemptions have been analysed in detail in Opinion 4/2012 by the Working Party.
The key findings from the research are:
- More than 16000 cookies were set across the sites with those in the media setting the highest average number of cookies (50);
- 22 sites set more than double this average (>100 cookies) when a user visited their home page;
- 70% of the cookies encountered were set by third-parties and more than half of these cookies were set by just 25 domains;
- The average expiry of cookies was found to be between 1 and 2 years, 20% of cookies observed had an expiry date of between 2 and 5 years and 374 were observed with an expiry date of greater than 10 years. However, 3 cookies seen in the sweep had been set with the expiry date of 31 December 9999, nearly 8000 years in the future. Given that the duration can be intentionally renewed by the website operator on each visit it is the case that many of these cookies would survive the lifetime of the device;
- 26% of sites provided no notification that cookies were being used. Of those that did provide a notification, visibility could be improved in 39% of cases and half (50%) merely informed users that cookies were in use without requesting consent.