During its meeting in early June, the Article 29 Working Party (the “Working Party”) issued an Opinion on cookies that analyses the exemptions to the requirement for informed consent, and sets how the revised e-Privacy Directive impacts cookie usage.
Article 5.3 of the amended ePrivacy Directive 2009/136/EC provides that cookies are exempt from the need to obtain informed consent when a cookie is:
A. used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” or
B. “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.
To satisfy B above, a cookie has to pass two tests to be exempt:
- The user must take a positive action to request a service with a clearly defined perimeter
- The cookie is required such that if the cookie was disabled, the requested service would not work
The Working Party pointed out that cookies exempt from consent should have a lifespan related to their purpose and must expire once no longer needed, taking into account the reasonable expectations of the average user.
“Third party” cookies are more likely to require consent where they are not strictly necessary, as the data protection risk comes from the purpose(s) for the processing, rather than from the information contained within the cookie.
- Where cookies perform multiple functions, they will only be exempt from the consent requirement if all of the distinct purposes individually satisfy the exemption criteria. The Opinion sets out several helpful examples of situations where cookies will or will not be exempt from the consent requirement by specifically discussing “user-input” cookies, authentication cookies, user-centric security cookies, multimedia player cookies and load balancing cookies, user interface customisation cookies, and social plug-in content sharing cookies.
- Cookies which the Working Party considered to be outside the exemption from consent included social plug-in tracking cookies, third-party cookies used for behavioural advertising, and first-party analytic cookies, even though the Working Party recognized that such cookies represent a low privacy risk where they are limited aggregated statistical data, and where the website operator provides clear information about cookies and adequate privacy safeguards, such as an opt-out from data collection and anonymisation.