The e-Privacy Directive’s provisions on cookies exempt two classes of cookies from the requirement to gain consent (though if they relate to individual users, websites still need to inform users about them, under data protection law):
CRITERION A: the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.
CRITERION B: the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”
The Article 29 Working Party has now provided very detailed interpretations of a number of common cookie functions and whether they are likely to be covered by those exemptions. I don’t think any of the outcomes are surprising if you’ve been reading the Information Commissioner’s guidance, but it’s helpful to have this clear statement of both the guidance and the legal reason for it.
It’s well worth reading the document, as the analysis will only apply where a cookie is only used for that specific purpose and where its lifetime is kept to the minimum necessary, and there may be other restrictions. My summary is as follows:
- User-input cookies (e.g. shopping carts): probably exempt under Criterion B (but note comments on cookie lifetime);
- Authentication cookies: probably exempt under Criterion B if used within a single browser session; need to warn the user beforehand (i.e. get implied consent) if the cookie will persist across browser sessions;
- User-centric security cookies (e.g. to detect repeated login failures): may be exempt under Criterion B, but need to check specific details;
- Multi-media Player Session Cookies: probably exempt under Criterion B, but make sure they aren’t used for other purposes;
- Load-balancing Session Cookies: probably exempt under Criterion A;
- UI Customisation Cookies: short-lifetime cookies probably exempt under Criterion B, for longer lifetimes obtain implied consent as for authentication cookies;
- Social Plug-in Sharing Cookies: may be exempt under Criterion B, but only if they are restricted to logged-in users and limited to a session;
Social plug-in tracking cookies and advertising cookies are explicitly said to not be exempt, and the Working Party stress that this includes cookies that are used only to collect profiling information but do not display adverts to the current user.
Finally, and apparently with considerable regret, the Working Party conclude that first-party analytic cookies are not covered by either exemption. However:
the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses.
There’s even a suggestion that when the Directive is next revised
the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first party anonymized and aggregated statistical purposes