Could some cookies outlive the pyramids?

Wragge Lawrence Graham & Co's privacy experts examine the findings of a new report on cookie usage, explain what it might mean for websites in the future and provide their top 10 cookie tips.

What has happened?

European regulators have published a report (the Report) on cookie usage after examining 16,555 cookies placed by 478 websites frequently visited by European citizens. The study comprised two parts. The first was a statistical review of cookies used by websites and their technical properties. The second was a more in-depth manual review of cookie information and consent mechanisms.

The headline findings are:

• high volumes of cookies are being placed by websites with excessive expiry dates (some lasting as long as 7,984 years); and
• websites still need to do more to provide information and gain valid consent for their use of cookies.

What is a cookie?

A cookie is a small piece of information placed on a person's computer when they visit a website. They can be used to remember the users' preferences, record items placed in a shopping basket and carry out various other tasks based on how that person uses the site. Some cookies, known as third party cookies, can also be used for many purposes including to record information based on how the user is interacting with other websites.

The use of cookies and similar technologies (all of which, for simplicity, we will just refer to as 'cookies') in the UK is governed by the Privacy and Electronic Communications Regulations (PECR). The PECR require organisations to provide clear information about how cookies are used on their website and allow people to make a real choice about whether they are happy for non-essential cookies to be placed on their device.

The Information Commissioner's Office (ICO), which is the UK's overarching privacy regulator, has produced detailed guidance to help organisations in the UK ensure their websites comply with the PECR.

Key findings of the Report

1. The 478 websites surveyed over five days placed a total of 16,555 cookies.
2. The average website placed 34 cookies on a device during a person's first visit. UK websites placed an average of 44 cookies on a first visit, the highest of any country surveyed.
3. 26% of sites provided no notification that cookies were being used. Of those that did provide a notification, visibility could be improved in 39% of cases and half merely informed users that cookies were in use without requesting consent. Only 6% of websites in the UK provided no notification that cookies were being used.
4. A notification banner was a popular method of informing website visitors regarding the use of cookies in addition to a link in the header or footer to more information.
5. Only 16% of sites gave users a granular level of control to accept a subset of cookies with the majority relying on browser settings or a link to a third-party opt-out tool.
6. 70% of the 16,555 cookies were third party cookies (i.e. placed by websites other than the one being surveyed) and more than half of these cookies were placed by just 25 domains. 30% of cookies were first party cookies (i.e. placed by the site being visited).
7. 86% of cookies were persistent cookies (i.e. remain on a person's device after use). 14% were session cookies (i.e. removed after a person's browsing session had ended).
8. The average cookie is set to expire after one to two years, but some cookies were being placed for as long as 10, 100 or even nearly 8,000 years.
9. Cookies placed by three websites would not expire until 23:59 on 31st December 9999 (the maximum possible lifespan). One of these websites was based in the UK.

What will happen next?

In the short term, the ICO will be contacting those UK websites that failed to provide adequate information in relation to cookies before considering whether further action is required.

Although the Report is keen to stress its purpose is to assess the extent and use of cookies, rather than to assess compliance, clearly in the long term the Report will dictate what European regulators deem best practice for websites obtaining consent from users for cookies. Indeed, the ICO's Group Manager for Technology, Simon Rice, recently said the ICO intends to work with other European regulators and industry and trade bodies to devise and promote best practice following the Report.

What will best practice look like?

It is likely any guidance on best practice will address the headline findings of the Report as stated above.

High numbers of cookies are being placed by websites

As web developers know, cookies are a vital tool for making the internet work; hence, a fixed limit on the number of cookies placed by a website is unlikely. Introducing an element of whether the number of cookies placed is reasonable taking into account the purpose of both the website and the cookie and whether the user was adequately informed is possible.

Expiry dates are often excessive

There is clearly an issue with the lifespan of some cookies. Setting an excessively long expiry date means the cookies will not only outlive the usefulness of the device, but also the person using it at the time. While the length of time a cookie needs to remain on a device will depend on the reason it was originally placed, it will be difficult to justify an expiry date 7,984 years in the future for even the most innocent of purposes.

Excluding cookies with a long duration (i.e. greater than 100 years) the average duration of cookies in the Report was between one and two years. This will likely be the starting point for discussions regarding an acceptable maximum duration, although the purpose of the cookie will also need to be taken into account.

Websites must do more to provide information and gain valid consent for their use of cookies

By law, European websites must obtain consent from internet users for the use of cookies and similar technologies. The ambiguity arises over what constitutes valid consent.

The Report confirmed a website that does not offer the full range of user control mechanisms for accepting cookies would not immediately be deemed non-compliant. Hence, while explicit user consent (e.g. a user physically clicking an "I accept" notification) might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances, this does not mean implied consent (e.g. a banner appearing notifying the user cookies are in use) cannot be compliant.

Indeed, implied consent has always been a reasonable proposition according to the ICO and the Report and the ICO confirm it remains so in the context of storage of information or access to information using cookies. The exception to this laid back approach from the ICO is where site operators collect sensitive personal data (e.g. information about an identifiable individual's health), in which case data protection laws will likely require explicit and informed consent from the data subject.

(See the ICO's code of practice for good practice advice on how to treat personal data collected and used online.)

In practice, because not all data protection regulators are as accommodating as the ICO and may require explicit informed consent (rather than implied consent), some organisations may decide on a one size fits all approach for websites with multi-national reach.

The Report serves as another reminder of the impending transformation of Europe's data protection and privacy landscape (see our recent report on the proposed new data protection regulations). One thing is for certain, however: the fewer 7,984 year old cookies there are, the better.

Here are our top 10 cookie tips

1. Draw up a list of countries that your website(s) is/are aimed at, then for each country determine whether they need explicit consent to place cookies or whether implied consent will do.
2. In explicit consent countries investigate the risk of non-compliance. Is it a sufficiently high risk country that explicit consent should be obtained or is it sufficiently low risk that a one size fits all approach of 'implied consent' can be taken?
3. Determine what other associated risks of non-compliance exist in particular countries. For example, in Germany even if the data protection regulator doesn't come after you, your competitors might on grounds of anti-competitive behaviour (your breach of the law having given you a competitive advantage).
4. Remember the cookie rules apply only to cookies that are not 'strictly necessary'.
5. Keep in mind that the views of data protection regulators on what is 'strictly necessary' can differ from country to country.
6. Make sure that your descriptions of cookies used are informative and easy for the lay person to understand.
7. Don't ignore third party cookies on your website - you (as well as the third party) are responsible for them.
8. If a session cookie will suffice - use a session cookie. If any settings need to be remembered, keep the cookie's lifespan to a minimum period.
9. Decide what cookies you really need and only use those. It is not uncommon for web owners to cookie review their sites and find 'old' cookies hanging about that they have no use for.
10. Keep an eye on your cookies!