Cookies are small files that are sent to a user’s computer, phone, tablet or other electronic device by a web server, and which store information about that user and his interaction with the web server. The Directive established a requirement to gain informed consent from users in order to put cookies on their devices. The Working Party opinion examines the scope of the two exemptions from that requirement which are available if a cookie is:
Criterion A: used ‘for the sole purpose of carrying out the transmission of a communication over an electronic communications network’, or
Criterion B: ‘strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’
In its Opinion the Working Party states that where a cookie is multi-purpose, it is necessary for every distinct purpose of such a cookie to be exempt to ensure that user consent is not required. The Opinion also states that a cookie which is exempt from consent should only last on a user’s device for an amount of time directly related to its exempt purpose.
The Working Party makes clear that its analysis is conducted without prejudice to the right to be informed and the eventual right to oppose set forth in Directive 95/46/EC, which apply to personal data processing whether cookies are used or not.
The Opinion focuses on the use of the words ‘sole purpose’ in the exemption under criterion A, stating that it is not sufficient if only part of a cookie’s purpose is to carry out transmission of a communication over an electronic communications network. In the Opinion, the Working Party also states that ‘simply using a cookie to assist, speed up or regulate the transmission of a communication over an electronic communications network is not sufficient. The transmission of the communication must not be possible without the use of the cookie’.
The Working Party provides three elements it considers strictly necessary for communications to take place over a network between two parties:
- The ability to route the information over the network, notably by identifying the communication endpoints.
- The ability to exchange data items in their intended order, notably by numbering data packets.
- The ability to detect transmission errors or data loss.
A cookie with the sole purpose of fulfilling any of the above three elements would, in the Opinion of the Working Party, be exempt under criterion A. The Opinion confirms that certain ‘load balancing’ cookies used to maintain consistency of processing will be exempt under this criterion, provided such cookies are session cookies.
The Working Party Opinion sets out two tests which a cookie must pass in order to rely on the criterion B exemption from the requirement to gain informed consent, as follows:
- A cookie is necessary to provide a specific functionality to the user (or subscriber): if cookies are disabled, the functionality will not be available.
- This functionality has been explicitly requested by the user (or subscriber), as part of an information society service.
The Working Party sets out a selection of cookies which are likely to be able to pass this test, and for which informed consent would not be required. These include ‘user-input’ session cookies to keep track of users’ input and menu choices, or to keep track of items placed in a shopping cart, and ‘authentication’ session cookies used to identify a user once he has logged in. The Opinion goes on to state that persistent ‘authentication’ or ‘user-input’ cookies would require user consent.
Other types of cookie which the Working Party indicates are likely to benefit from the criterion B exemption are ‘multimedia player’ session cookies used to store technical data required to play video or audio content, and ‘user interface customisation’ session cookies used to store users’ language and result display preferences.
The Working Party asserts that it is essential to examine what is necessary from the user’s perspective (not the web server’s perspective) when applying criterion B.
Social plug-in Cookies
The Opinion provides an analysis of social plug-in cookies. These are cookies used by social networks to allow their users to interact with other websites they visit, and share information with their ‘friends’. Cookies which allow logged-in users of a social network to ‘connect’ to that social network whilst on another platform would not require consent. The logic behind this analysis is that ‘many ‘logged in’ users expect to be able to use and access social plug-ins on third party websites’ and the cookies may therefore benefit from the criterion B exemption. The Opinion states that consent from non-members and logged-out members of social networks would be required.
Third-party analytics cookies and advertising cookies are unlikely to benefit from any exemption, including any cookies used for ‘frequency capping, financial logging, ad affiliation, click fraud detection, research and market analysis, product improvement and debugging’. The Working Party does, however, state that first-party analytics cookies are unlikely to create a privacy risk provided the use of such cookies is limited to aggregated statistical analysis and there are safeguards in place such as an opt-out from data collection, and anonymisation mechanisms to ensure that no identifiable information is stored (such as IP addresses). Although such first-party analytics cookies would not benefit from either of the existing exemptions, the Working Party does indicate that an exemption for such cookies should be included in any future amendments to the E-Privacy Directive.
The Opinion also concludes that first-party session cookies are more likely not to need consent than third-party persistent cookies.
The full Article 29 Working Party Opinion can be accessed here.