The Article 29 Working Party recently adopted a working document providing guidance on obtaining consent for cookies in compliance with EU legal requirements under the revised e-Privacy Directive 2002/58/EC.

The revisions to the e-Privacy Directive 2002/58/EC, implemented by Directive 2009/136/EC (and which were implemented in Ireland under the EC (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011), introduced an obligation on website operators to obtain user consent for the storage of, or access to, cookies. How exactly website operators were expected to comply with this obligation was debated at great length and disparate domestic implementation of Directive 2009/136/EC by EU Member States has contributed to continued uncertainties regarding the actions required by pan-EU websites to ensure compliance with this cookie consent requirement.

This consent requirement applies to cookies with the exception of technical cookies which are strictly necessary for the provision of the service offered by the website.

In an effort to address these uncertainties, the Working Party has considered the four main elements of a valid consent (as set out in its 2011 opinion on the definition of consent) in connection with the cookie consent law requirement:

  • Specific Information: at the time consent is sought, the user must be provided with a clear, comprehensive and visible notice on the use of cookies (eg on the webpage where the user begins a browsing session). This notice must detail the types of cookies being used on the website (which would include details of cookies from third parties and third party access to data collected by cookies on the website) and their purpose. Information as to how users may accept all, some or no cookies and how they may change cookie preferences in the future must also be included in this notice
  • Consent to be Obtained before Cookies are Set or Read: this requires websites to deliver a solution where no cookies are set to a user’s device (except those cookies that may not require user consent) before that user has signalled his or her consent.
  • Active Behaviour: consent for cookies must be provided through a positive action or other active behaviour of the user, in circumstances where the user has been fully informed of the effect of such action. This consent could be achieved by: (i) clicking a button or link; (ii) ticking a box in or close to the space where the notice on cookies is presented; or (iii) any other active behaviour from which a website operator can unambiguously conclude that user consent has been provided. Clicking on a link to more information on cookies will not, of itself, represent a valid consent. Tools to obtain this consent may include splash screens, banners and modal dialog boxes. The Working Party also recognises that where a website operator can be confident that users have been fully informed and have actively configured their browser, such browser settings may represent valid user consent.
  • Consent to be Freely Given: the consent mechanism should offer users a meaningful choice as to the acceptance of cookies so that they may continue to browse the website without receiving cookies or by only receiving those that are required for the provision of the website service and those that are exempt from consent requirements. As such, website operators should not predicate general access to the website on the acceptance of all cookies. Users should also be offered a real choice regarding the use of tracking cookies (ie cookies used to follow individual behaviour across websites, create profiles based on that behaviour, infer interests and take decisions affecting people individually).

Although the Working Document is not a panacea for website operators looking to harmonise their cookie consent mechanisms across the EU, it certainly represents welcome guidance that may greatly assist this process.