New guidance on cookies that are exempt from consent requirements

The Article 29 Working Party, a grouping of representatives from the various national privacy regulators in Europe, today published an opinion on the “essential cookies” exemption under the cookie law.

Opinions of the Article 29 Working Party have no legal effect, but do represent the joint thinking of the national regulators and in turn can often influence the future direction of European data protection law, and may assist organisations currently grappling with the cookie law.

The law
Under the revised law, the requirements in relation to consent do not apply to cookies that:

  • are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • are strictly necessary in order for the provider of an information society service [essentially a website] explicitly requested by the subscriber or user to provide the service.

As readers will know from previous Techblog posts, neither the UK implementing regulations nor the original directive give much further guidance on what falls within the “strictly necessary” category.

Accordingly, the Working Party has published its opinion on what it thinks the law is. In addition to listing examples of cookies that are or are not essential (and therefore exempt from the consent requirement), the guidance also analyses factors such as whether the cookie is first or third party, and whether it is a session cookie or a persistent one. The opinion notes that the fact that a cookie is third party or persistent is not necessarily fatal to it being “essential” – for example, it may be appropriate for a cookie to persist for a reasonable period of time after the user leaves the website.

Cookies that are essential
The opinion lists the following types of cookies as potentially being exempt:

  • user input cookies – cookies used to keep track of a user’s input. For example, the completion of a multi-page form, or a shopping basket on an e-commerce website.
  • authentication cookies – cookies used to identify a user once he has logged in to a website. But cookies used to “remember me” to avoid the need to log in on future visits are not considered “essential.”
  • user-centric security cookies – for example, cookies used to detect the number of failed log-ins to a service specifically requested by a user.
  • multimedia player session cookies – cookies used to store technical information (for example, network speed, quality and buffering) needed to play video or audio content requested by the user. This might include Flash cookies.
  • load balancing session cookies – cookies used to manage server load balancing. These would fall within the first bullet above (the transmission of a communication).
  • UI customisation cookies – cookies used to remember preferences specifically set by a user (for example, language or display preferences set using a button or tick box) and not linked to other data such as the user’s username. The guidance is slightly contradictory here, but it appears to suggest that if the customisation persists beyond the session then consent is required, although this could be obtained by including a “uses cookies” message next to the button or tick box.
  • social media content sharing cookies – cookies used by social media plug-ins to identify users that are logged in to social media networks and which are used to enable them to share content using that social media network. These cookies should only persist for so long as the user is logged in or until he “closes his browser” (it’s not clear how this equates with a user that asks the social media network to “remember me”), and the exemption will not apply where that cookie is dropped onto the device of a user who is not logged in.

In each of these cases, the exemption is dependent upon the cookie not persisting for longer than necessary and the cookie not also being used for other purposes.

Cookies that are not essential
The opinion also lists a number of cookies that, in the eyes of the Article 29 Working Party, are not essential:

  • social plug-in tracking cookies – cookies used to track the activity of logged in users of social networks (for example, for the purposes of targeted advertising, analytics etc).
  • third party advertising – unsurprisingly, cookies used for third party advertising (that is, advertising served by a domain outside the website in question) are not considered essential. The Working Party is lobbying to ensure that all such cookies are included in the W3C.
  • first party analytics – the opinion confirms the Working Party’s view that first party analytics cookies (for example, those used for Google Analytics) are not essential and therefore require consent.

As I noted at the outset of this blog, the Working Party’s opinions have no legal standing, but some of the types of cookies listed as falling within the exemption, and the comments on assessing whether or not a cookie is likely to fall within the exemption, should give website operators some assistance when determining how to implement the changes necessary for their websites. As with the ICO’s recent updated guidance, it’s just a shame that this guidance wasn’t available in the run-up to 26 May.

3 Responses to “New guidance on cookies that are exempt from consent requirements”

1. Cherenkin November 3, 2012 at 12:46 pm

  What about server-side session cookies (PHP, ASP, JS)? Actually they are essential for the transmission of a communication in my opinion, but I have never found any clear information on whether they are essential (strictly necessary) or not…
  Thank you for summarising and clearing a lot of questions in my head.

2. charity advisor July 2, 2012 at 6:26 pm

  Thanks for this useful summary. Should a website still inform users about the presence of cookies that fall within the exception, or can it remain completely silent about them? My reading of regulation 6 suggests that there is no requirement to mention ‘strictly necessary’ cookies at all, but I haven’t scrutinised the rest of the regs, and in any case it may be considered best practice for the cookie policy to include information about all cookies, even ones that can be set without consent. Thanks in advance.

  • 3. martinsloan July 3, 2012 at 12:08 pm

    @charity advisor – thanks for your comment.

    You are correct – the exemption in relation to strictly necessary cookies means that neither the requirement to obtain consent nor the obligation to provide information apply. This is confirmed in the ICO’s guidance.

    However, I think it makes sense to still explain to website users in a cookies policy which cookies you consider fall within the exemption. Being open about the use of cookies should help to overcome some of the common misconceptions amongst users that all cookies are bad, which in turn should allow users to make a more informed decision about other cookies used on a website.
