Study finds that cookies will stay live for 8,000 years!

The Article 29 working party, along with various national regulators, has recently conducted a cookie sweep to assess compliance with Article 5(3) of the E-Privacy Directive (consent for cookies and other similar technologies).

National regulators from the Netherlands, Czech Republic, Denmark, France, Greece, Slovenia, Spain and the UK conducted a sweep in their respective jurisdictions of 478 websites in the e-commerce, media and public sectors. The sectors chosen by the working party were those which were considered to present the greatest data protection and privacy risks to EU citizens. The websites chosen were among the 250 most frequently visited by individuals within each member state taking part. The websites surveyed set a total of 16,555 cookies, equating to an average of 34.6 cookies per site.

The sweep produced some surprising results and also highlighted differences in cookie use across member states. For example, cookies set by three websites had an expiry date of the 31st December 9999, whereas a normal expiry date would be 1 or 2 years. A total of 4,901 first party cookies and 11,654 third party cookies were set across the 478 sites ( first party cookies are set by the website visited by the user and third party cookies are set by a domain other than the one visited by the user). This breaks down to an average of 10.3 first party cookies and 24.4 third party cookies per site.

A total of 2,302 session cookies and 14,253 persistent cookies were also set across the 478 websites (a session cookie allows websites to link the actions of a user during a browser session and a persistent cookie is stored on a user’s device between browser sessions). This is an average of 4.8 session cookies and 29.8 persistent cookies.

Media websites showed a greater use of third party and persistent cookies compared to public and e-commerce sites whereas public sites showed the most use of first party and session cookies. Of the 478 sites, 22 set more than 100 cookies (first and third party).

The duration of first party cookies was also surprising. Seventeen first party cookies were set by fifteen different sites with an expiry date of 100 years. The average duration of first party cookies was 14 years. Twenty seven third party cookies were set by fifteen first party sites with a life of 68 years. The average was 1.77 years.

In the UK 94% of the 81 websites surveyed provided an explanation to visitors to the site how cookies were being used. This was good when compared to elsewhere across the EU where 74% of websites surveyed provided an explanation of cookie use.

The longevity of some of the cookies, and the large amount used by some sites, will be the subject of further work from the national data protection authorities.

At PwC Legal and PwC, we have a multi-disciplinary team of professionals who can help you to devise cookie, beacons, OBA and analytics programmes that are globally fit for purpose.  We will be pleased to discuss this topic further with you.

Mick Gorrill |  Head of Data Protection Enforcement and Regulatory Affairs| PwC Legal
[email protected] | +44 (0)161 245 2546

More articles by Mick Gorrill