
A cookie can last 7984 years


The Information Commissioner's Office

  • UK websites place more cookies but give more information than any other country surveyed

An international study led by the UK's Information Commissioner's Office (ICO) into the use of cookies has revealed that some websites are placing cookies on computers and other devices that will long outlast the usefulness of the device.

A cookie is a small file of letters and numbers that is stored on a device when it is used to visit a website. Cookies are used by many websites and can do a number of things, eg remembering your preferences, recording what you have put in your shopping basket, and counting the number of people looking at a website. Some cookies, known as third party cookies, can also be used to record information based on how the user is interacting with other websites.

The study involved an automated and manual examination of 478 websites by eight privacy regulators from the European Article 29 Working Party and other national regulators who have responsibility for enforcing the rules on cookies. The key findings from the research are:
  • The websites surveyed set a total of 16,555 cookies.
  • The average website placed 34 cookies on a device during a person's first visit. UK websites placed an average of 44 cookies on a first visit, the highest of any country surveyed.
  • 70% were third party cookies (set by websites other than the one being visited). 30% of cookies set were first party cookies (set by the site being visited).
  • 86% of cookies were persistent cookies (remain on a person's device after use). 14% were session cookies (removed after a person's browsing session has ended).
  • The average cookie is set to expire after one to two years but some cookies were being set for as long as 10, 100 or even nearly 8000 years.
  • 31st December 9999. Cookies set by three websites would not expire until 9999. One of these websites was based in the UK.

The use of cookies in the UK is governed by the Privacy and Electronic Communications Regulations (PECR). The regulations require organisations to provide clear information about how cookies are used on their website and allow people to make a real choice about whether they are happy for non-essential cookies to be placed on their device.

In the UK, 94% of the 81 websites surveyed provided information to explain to visitors how cookies were being used on the site. This compares favourably with elsewhere across Europe, where only 74% of the websites surveyed provided any information about cookies.

The most common method of informing visitors about the use of cookies was by using a banner at the top of a webpage. This approach was used by 59% of the websites surveyed where information was provided. Just over 39% used a link to further information about cookies in the header or footer of a webpage.

ICO Group Manager for Technology, Simon Rice, said:

“Any web developer will tell you that cookies are a vital tool for making the web work. However, the number of cookies out there may come as a surprise to many, particularly in the UK where the average website sets more cookies than for any of the other countries surveyed.

“There's also clearly an issue with the lifespan of some of these cookies. Developers must consider the implications of using certain settings in their code. Setting a long expiry on a cookie means that it will not only outlive the usefulness of the device, but also the person using it at the time. While the length of time a cookie needs to remain on a device will depend on the reason why it was originally set, it is difficult to justify an expiry date in the year 9999 for even the most innocent of purposes.

“However, the encouraging thing from a UK perspective is that organisations in our region are performing better than our European counterparts when it comes to informing people about the use of cookies on their website. We will be writing out to those who are still failing to provide basic information on their website before considering whether further action is required.”

The research was carried out between 15 and 19 September 2014. The number of cookies on each website was recorded and logged using a tool developed by the ICO. This was followed by a manual review of each website by the relevant national regulator to see what information was provided to consumers about the cookies placed by the website.
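The classifications reported in the key findings (first or third party, session or persistent, and expiry lifetime) can be reproduced from captured `Set-Cookie` headers. The following is an added example, not the ICO's tool and not part of the original article; the hostnames and header values are constructed, and the two-year flagging threshold (`max_days=730`) is an assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: (host that set the cookie, Set-Cookie header value).
SAMPLE = [
    ("shop.example", "basket=abc123; Path=/; Secure; HttpOnly"),
    ("shop.example", "prefs=dark; Max-Age=31536000; Path=/"),
    ("tracker.example", "uid=42; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/"),
    ("ads.example", "id=9; Domain=.ads.example; Max-Age=315360000"),
]

def parse_set_cookie(value):
    """Return (cookie name, attribute dict with lower-cased keys)."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs

def lifetime_days(attrs, now):
    """Lifetime in days, or None for a session cookie. Max-Age takes precedence over Expires."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) / 86400
        except ValueError:
            pass  # unparseable Max-Age is ignored
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable Expires: treated as a session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds() / 86400
    return None

def audit(visited, observed, now, max_days=730):
    """Classify cookies as in the key findings; flag lifetimes above max_days (assumed threshold)."""
    rows = []
    for host, header in observed:
        name, attrs = parse_set_cookie(header)
        days = lifetime_days(attrs, now)
        # Simplification: host or subdomain match; a full audit compares registrable domains.
        party = "first" if host == visited or host.endswith("." + visited) else "third"
        rows.append({"name": name, "party": party,
                     "kind": "session" if days is None else "persistent",
                     "years": None if days is None else round(days / 365.25, 1),
                     "flag": days is not None and days > max_days})
    return rows
```

Calling `audit("shop.example", SAMPLE, datetime(2014, 9, 15, tzinfo=timezone.utc))` returns one row per cookie; only the two third party cookies with multi-year lifetimes are flagged.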

You can watch a video interview with Simon Rice discussing the report's key findings and what organisations should take away from this research on the ICO website.

A full copy of the report, providing further information about how the survey was conducted and its key findings, is available on the Article 29 Working Party website.

The ICO has produced detailed guidance to help organisations in the UK make sure their websites comply with the PECR by informing people how cookies are being used. The Article 29 Working Party has also recently published an opinion supporting the ICO's view that the use of online technologies that operate in a similar way to cookies, including some forms of device fingerprinting, still requires an individual's consent before being placed on their device.

If you are concerned about the use of cookies on a particular website based in the UK then you can report the details using the ICO's online reporting tool. Further information about the work carried out by the ICO to regulate the rules relating to cookies can be found on the ICO website.


If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at:

  1. The Information Commissioner's Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

  3. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

About the Article 29 Working Party
  1. The Article 29 Working Party is made up of representatives of the 27 EU data protection authorities, including the ICO, plus Norway, Iceland and the European Data Protection Supervisor.

About the Author

The Information Commissioner's Office is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We do this by promoting good practice, ruling on complaints, providing information to individuals and organisations and taking appropriate action when the law is broken.

The ICO enforces and oversees the following legislation:

  •  Data Protection Act 1998
  •  Freedom of Information Act 2000
  •  Privacy and Electronic Communications Regulations 2003
  •  Environmental Information Regulations 2004


Article Published/Sorted/Amended on Scopulus 2015-02-19 12:03:39 in Computer Articles
