The Article 29 Working Party has recently published Working Document 02/2013 providing guidance on obtaining consent for cookies (“Working Document”). The Working Document clarifies existing rules regarding the use of cookies and similar technologies and provides a checklist for ensuring EU-wide compliance with applicable laws.

According to the Working Document, websites should implement consent mechanisms that provide a “clear, comprehensive, and visible notice on the use of cookies.” Consent must be given prior to placing any cookies other than those essential for the operation of the website on users’ devices. Furthermore, consent must be specific and based on appropriate information. Necessary information includes a description of the cookies used and their purposes, including those of third parties. Users should also be informed of their ability to selectively accept and modify their cookie settings. Thus, blanket consent, which fails to specify the purpose of data processing measures, is not acceptable.

Consent must be given freely and obtained through active user behavior, i.e., a traceable user-client request towards the website from which a website operator can unambiguously conclude that consent is specific and informed. Active consent thus includes, for example, clicking on a button or a link, or ticking a box. Browser settings represent sufficient consent only when a website operator is confident that the user has been fully informed and actively configured their browser. Cookie and consent related information must be presented in a manner whereby users are most likely to acknowledge it as such and not mistake it for other content. Accordingly the information must remain visible until consent is given and a mere click on a link to “more information on cookies” cannot be deemed sufficient evidence of consent.

Although some Member States allow making website access contingent on cookie acceptance, the Article 29 Working Party advises that user access to general content should be unconditional. Thus, a user should generally be able to browse web pages without accepting cookies or by receiving only some of them, such as those necessary for the operation of the website and those exempt from the consent requirement. Nevertheless, access to specific website content can be limited if cookies are used for legitimate purposes.