Article 29 Working Party Outlines Common Cookies That Don’t Require Consent

As many who follow European privacy developments are aware, the European Union established a “working party” to study various aspects of data privacy regulations. That Working Party recently examined the application of much-discussed “cookie consent exemptions” contained in Article 5.3 of Directive 2009/136/EC. (The Directive requires obtaining affirmative, prior consent before setting cookies on user’s computers. There are some exceptions under the Directive, namely where (1) the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network,” or (2) the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”) The Working Party’s recent opinion discusses when those exceptions apply. According to the Working Party, to determine if the exceptions apply, companies should look at the cookie’s purpose and the specific implementation or process the cookie achieves. Since it is possible to use cookies for several purposes, these multi-function cookies may only be exempt from user consent if all the purposes for which they are used are exempted. The Working Party also stressed in its opinion that cookies necessary for the transmission of an electronic communication must be cookies without which the communication would not occur. They cannot be cookies that merely “assist” a communication that would otherwise occur without the cookie. Additionally, the Working Party indicated that cookies should expire once they are not needed, which (for exempt cookies) should be at the end of a session, or even earlier. Thus so-called “zombie cookies” that remain on a user’s computer despite reasonable attempts to remove them are unlikely to be exempted from consent under any circumstances. But, the Working Party concluded, certain cookies may likely be exempt if used as described in the opinion. These include (inter alia)the following, if used only during a particular user session: 1) session ID cookies; 2) authentication cookies used for authenticated purposes; 3) user-centric security cookies used to identify “authentication abuses;” 4) multimedia content player cookies; or 5) social media “sharing” cookies, used with logged-in members of a social network.

Tip: While this opinion is advisory and does not reflect how the Directive has been implemented into law in specific EU Member States, it will likely be looked at by those countries with deference. As such, its outline of when consent is not necessary can be useful as companies subject to EU laws analyze their obligations to obtain consent for using cookies on their websites.