On 7 June 2012, the Article 29 Working Party issued an opinion on the protection of users of electronic communication networks and services by requiring informed consent before information is stored or accessed in the user’s terminal device via cookies and similar technologies.

Article 5.3 of Directive 2009/136/EC provides two criteria following which cookies are allowed to be exempted from this requirement of informed consent:

  1. the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network;
  2. the cookie is strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

Following the opinion, the above criteria are intended to ensure that the test for qualifying for such an exemption remains high.

In this light, the first criteria must be interpreted as a cookie being strictly necessary for communications taking place over a network between two parties. As such this criteria encompasses cookies that are necessary to route information over the network (e.g. identifying communication endpoints), to exchange data items in their intended order (e.g. numbering data packets) or to detect transmission errors or data loss. The second criteria can, in the Working Party’s opinion, only be invoked if the user did a positive action to request a service with a clearly defined perimeter or the cookie is strictly necessary to enable the information society service: if the cookies are disabled, the service would not work.

In application of the above criteria, the Working Party confirms that the following cookies can be exempted from informed consent under certain conditions, if they are not used for additional purposes:

  1. user input cookies (session-id), for the duration of a session or persistent cookies limited to few hours in some cases;
  2. authentication cookies, used for authenticated services, for the duration of a session;
  3. user centric security cookies, used to detect authentication abuses, for a limited persistent duration;
  4. multimedia content player session cookies, such as flash player cookies, for the duration of a session;
  5. load balancing session cookies, for the duration of the session;
  6. UI customization persistent cookies, for the duration of a session (or slight more);
  7. third party social plug-in content sharing cookies, for logged in members of a social network. (SCO)

The opinion can be found on

http://ec.europa.eu/justice/data-protection