'Action needed' to meet UK's cookie tracking deadline
There are on average 14 tracking tools per webpage on the UK's most popular sites, according to a study.
Privacy solutions provider Truste suggests that means a user typically encounters up to 140 cookies and other trackers while browsing a single site.
The research was published less than 40 days before strict rules come into effect governing cookie use.
The study was carried out in March and covered the UK's 50 most visited organisations.
The firm said that 68% of the trackers analysed belonged to third-parties, usually advertisers, rather than the site's owner.
"The high level of third-party tracking that is taking place is certainly an area of question and scrutiny," Dave Deasy, Truste's vice president of marketing, told the BBC.
"It's not illegal to do the tracking - the question is whether you are giving consumers enough awareness that it is happening and what you are doing with the data."Deadline
On 26 May the UK's Information Commissioner's Office (ICO) imposes an EU directive designed to protect internet users' privacy.
It says website managers must:
- Tell people that the cookies are there
- Explain what the cookies are doing
- Obtain visitors' consent to store a cookie on their device
"The information needs to be upfront - without information people can't give consent," the ICO's principal policy adviser for technology, Simon Rice, told the BBC.
The ICO says the rules cover cookies used to provide information to advertisers, count the number of unique visitors to a page and recognise when a user has returned to a site to adjust the content that is subsequently displayed.
However, it says exceptions are likely to be made if the cookie is only being used to ensure a page loads quickly by distributing the workload over several servers, or is employed to track a user as they add goods to a shopping basket.
Many sites have yet to add a feature asking for users' consent.
95% of 55 major UK-based organisations surveyed on behalf of KPMG were still not compliant with the cookie law at the end of last month, the accountancy firm reported.
Cookies are small files that allow a website to recognise and track users. The ICO groups them into three overlapping groups:
Files that allow a site to link the actions of a visitor during a single browser session. These might be used by an internet bank or webmail service. They are not stored long term and are considered "less privacy intrusive" than persistent cookies.
These remain on the user's device between sessions and allow one or several sites to remember details about the visitor. They may be used by marketers to target advertising or to avoid the user having to provide a password each visit.
First and third-party cookies
A cookie is classed as being first-party if it is set by the site being visited. It might be used to study how people navigate a site.
It is classed as third-party if it is issued by a different server to that of the domain being visited. It could be used to trigger a banner advert based on the visitor's viewing habits.
The move has proved controversial.
A survey published last month by the digital marketing firm, Econsultancy, found that 82% of 700 marketers contacted did not believe the cookie law was a positive development.
One respondent said: "Plain and simple - this will kill online sales."
The claim reflects a belief that when presented with a choice, most users would refuse to allow cookies to track them - making it impossible, for instance, for a retailer to target adverts for a computer at a user who had previously looked at an article about upgrading IT equipment.
The ICO's own research suggests this could be an issue. Since asking users to click a box if they agree to accept cookies from its site, the organisation says just 10% of visitors have complied.
However, BT's experience points to a possible solution.
Since March a pop-up message on its home page has told first-time visitors that unless they take up an offer to change its settings, then they have consented to its "allow all cookies" default rule.
"So far, we can see that customers are generally choosing to keep the cookies that we use to provide the best experience on our webpages," a spokeswoman told the BBC.Early adopter
The ICO says it has not been prescriptive about the wording that firms use.
However, organisations need to be careful about relying too heavily on opt-out schemes.
"At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent," the regulator warns.
It adds that those who fail to implement its rules properly could be fined up to £500,000.
Truste says companies across the EU and beyond will closely watch how the regulator enforces the directive.
"A lot of this starts with making sure companies understand what level of third-party tracking is actually happening on their sites - in many cases they don't," said Mr Deasy.
"The UK is somewhat taking a leadership role in terms of actually following through and having a hard date for when compliance needs to start taking place."