The Article 29 Data Protection Working Party has recently released an opinion on the EU Cookie Directive [http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf]. The Article 29 Working Party is an independent advisory body including members from the states’ data protection authorities and the European Commission. While the Article 29 Working Party’s guidance is not binding, it does provide a consensus opinion of the European data protection authorities, and the opinion is therefore highly instructive for companies operating in Europe.
In the opinion, the Working Group considers what types of cookies may be exempt from the consent requirement under the Directive. The Directive explicitly provides for two types of exceptions:
A. if the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network,” or
B. if the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
The opinion explains that Criterion A exceptions might occur when the sole purpose of the cookie is to route information over a network, to exchange data items in their intended order, or to detect transmission errors or data loss. Criterion B exceptions require that the cookie is necessary to provide specific functionality to the user and the functionality is one that the user has explicitly requested as part of its use of the information service.
The Working Group notes that in general, first party cookies, meaning those set by owners of the site the user is currently visiting, and cookies whose lifespan is directly proportional to their purpose, most likely session cookies, are more apt to fall into an exemption. However, the opinion counsels that it is necessary to understand the specific purpose and implementation of a cookie in order to understand whether it falls into an exemption under Criterion A or B. Additionally, multipurpose cookies must be considered under each of their purposes and uses.
The opinion provides certain examples of likely exempt cookies. Cookies likely to be exempt under Criterion A include load balancing cookies for the duration of the session (to allow processing of web server requests). Cookies likely to be exempt under Criterion B include: user input cookies for the duration of a session or for a few hours (such as cookies that allow users to fill an online shopping basket); authentication cookies for the duration of a session (such as for online banking); user-centric security cookies for a limited persistent duration (such as to detect login/authentication abuses); multimedia player session cookies for the duration of the session (such as Flash cookies to allow video content); user information customization cookies for the duration of the session (such as to set a language preference); and social plug-in content sharing cookies if the social network user is logged in. The opinion notes that for some of these types of cookies, such as authentication cookies, the need for an exemption could be avoided, and the cookie could be set for an even longer duration, through the common method of having the user check a box stating “remember me (uses cookies).” Such a feature would provide adequate consent and negate the need for an exemption.
On the other hand, the opinion explains that social media plug-in cookies are likely not exempt if they are following non-members or members who are logged out, or if they are tracking cookies providing behavioral advertising, analytics, or market research. Additionally, cookies would not be exempt if they relate to third party advertising such as frequency capping, financial logging, affiliation, click fraud detection, research and market analysis, product improvement and debugging.
Lastly, the Working Group notes that cookies used for first party analytics, such as to monitor unique website visitors, are likely not exempt under either Criterion A or B. However, the opinion explains that if this data is only used for aggregated statistical purposes and is anonymized, it likely does not pose a large privacy risk. The opinion suggests that if the Directive is revisited, this could be a useful exemption.
Companies subject to the European Directive should carefully consider all of the purposes and functions of their cookies. When analyzing the Criterion B exemption, companies should bear in mind what the user would think is strictly necessary for the service, not what the service provider thinks is strictly necessary. If a company is in any doubt about whether a cookie falls into an exemption, it is advisable to gain consent from the user. While the opinion does not explicitly define what constitutes adequate consent, it does give examples of adequate consent such as users clicking boxes indicating they want to be remembered/allow cookie use, and advises that companies should consider simple and unobtrusive ways to gain user consent.