UK websites are the worst offender in Europe when it comes to the volume of cookies they place on users’ computers, with expiry dates for some set much too far in the future, according to the ICO.
The UK privacy watchdog this week revealed details of a new report analyzing over 470 websites across eight European countries.
It found that the UK sites placed an average of 44 cookies on a user’s PC – the highest in Europe, which had an average of 34.
Some 70% of cookies are set by third party sites, with the remainder first party cookies, and 86% were persistent.
However, the level of that persistence varied tremendously.
Cookies set by three sites surveyed, one of which was British, will not expire until 31 December 9999 – that’s in 7984 years time.
ICO group manager for technology, Simon Rice, claimed in a statement that there’s “clearly an issue with the lifespan” of some cookies.
“Developers must consider the implications of using certain settings in their code. Setting a long expiry on a cookie means that it will not only outlive the usefulness of the device, but also the person using it at the time,” he added.
“While the length of time a cookie needs to remain on a device will depend on the reason why it was originally set, it is difficult to justify an expiry date in the year 9999 for even the most innocent of purposes.”
However, there was some praise for UK sites – namely that they scored best in terms of notifying visitors.
Some 94% of those surveyed provided information to explain how cookies are used on the site, compared to just 74% elsewhere in Europe.
This is in line with the Privacy and Electronic Communications Regulations (PECR) – a UK implementation of the EU-wide e-Privacy Directive which was updated in 2012 with the new rules on notifying web users.
The ICO warned that technologies that operate in a similar way to cookies, including some forms of device fingerprinting, also require visitors’ consent before being placed on a computer.
Mark James, security specialist at Eset, argued that cookies generally do a “really important job” at improving the browsing experience for users by remembering preferences – and will be kept by most people.
“The problem with a lot of software is deciding if you need it or not. In an ideal world cookies should have a relatively short expiry time and renewed each time you visit the page,” he told Infosecurity by email.
“If you want to be cautious then clean your cookies on a regular basis. Most of the well-known browsers make this very easy for you in the privacy sections, but remember next time you log in to your favorite website you may be prompted for your username and password again.”