The Article 29 Data Protection Working Party has recently released an opinion on the EU Cookie Directive [http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf]. The Article 29 Working Party is an independent advisory body including members from the states’ data protection authorities and the European Commission. While the Article 29 Working Party’s guidance is not binding, it does provide a consensus opinion of the European data protection authorities, and the opinion is therefore highly instructive for companies operating in Europe.
In the opinion, the Working Group considers what types of cookies may be exempt from the consent requirement under the Directive. The Directive explicitly provides for two types of exceptions:
- if the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network,” or
- if the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
The opinion explains that Criterion A exceptions might occur when the sole purpose of the cookie is to route information over a network, to exchange data items in their intended order, or to detect transmission errors or data loss. Criterion B exceptions require that the cookie is necessary to provide specific functionality to the user and the functionality is one that the user has explicitly requested as part of its use of the information service.
The Working Group notes that in general, first party cookies, meaning those set by owners of the site the user is currently visiting, and cookies whose lifespan is directly proportional to their purpose, most likely session cookies, are more apt to fall into an exemption. However, the opinion counsels that it is necessary to understand the specific purpose and implementation of a cookie in order to understand whether it falls into an exemption under Criterion A or B. Additionally, multipurpose cookies must be considered under each of their purposes and uses.
On the other hand, the opinion explains that social media plug-in cookies are likely not exempt if they are following non-members or members who are logged out, or if they are tracking cookies providing behavioral advertising, analytics, or market research. Additionally, cookies would not be exempt if they relate to third party advertising such as frequency capping, financial logging, affiliation, click fraud detection, research and market analysis, product improvement and debugging.
Lastly, the Working Group notes that cookies used for first page analytics, such as to monitor unique website visitors, are likely not exempt under either Criterion A or B. However, the opinion explains that if this data is only used for aggregated statistical purposes and is anonymized, it likely does not pose a large privacy risk. The opinion suggests that if the Directive is revisited, this could be a useful exemption.
Companies subject to the European Directive should carefully consider all of the purposes and functions of their cookies. When analyzing the Criterion B exemption, companies should bear in mind what the user would think is strictly necessary for the service, not what the service provider thinks is strictly necessary. If a company is in any doubt about whether a cookie falls into an exemption, it is advisable to gain consent from the user. While the opinion does not explicitly define what constitutes adequate consent, it does give examples of adequate consent such as users clicking boxes indicating they want to be remembered/allow cookie use, and advises that companies should consider simple and unobtrusive ways to gain user consent.