Header graphic for print
Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Article 29 Working Party Publishes Guidance On Cookie Rule Exemptions

Posted in European Union, International

On Tuesday, June 12, the Article 29 Working Party (WP29), a group of European data protection authorities, published an opinion on the exemptions available to the new cookie rules introduced by the revised EU ePrivacy Directive.  The opinion provides guidance on the implementation of the available exemptions to the requirement to obtain internet users’ informed consent for the use of cookies.  Specifically, the WP29 explained the criteria for relying on one of the two available exemptions: 

  • A user’s informed consent is not required where the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.  In other words, the transmission of the communication must not be possible without the use of the cookie.  Simply using a cookie to assist, speed up or regulate the transmission of a communication over an electronic communications network is not sufficient.   
  • A user’s informed consent is not required where the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.  There must be a clear link between the strict necessity of the cookie, i.e., that the service would not work without the cookie, and the delivery of the service explicitly requested by the user.  The key is to examine what is strictly necessary from the view of the user, not the service provider.

 

The WP29 emphasizes that the purpose of the cookie is key in determining whether one of the two exemptions apply, although generally first party session cookies are far more likely to be exempted from the consent requirement than third party persistent cookies.  Further, the WP29 highlights that where a cookie is used for several purposes, it is only exempted from consent if all the distinct purposes fall within the scope of an exemption. 

The WP29 concludes that the following cookies can be exempted from informed consent, under certain conditions, if they are not used for additional purposes: 

  • “User-input” cookies.  First party user input session cookies, such as those keeping track of a user’s input when filling online forms, are exempted.  Persistent cookies limited to a few hours may also be exempted in some cases.
  • Authentication session cookies.  Session cookies used to identify a user once he has logged in (e.g., on an online banking website) may be exempted.  For persistent login cookies, users’ consent (e.g., via a “remember me (uses cookies)” checkbox) should be obtained.
  • User-centric security cookies.  An exemption may be available for cookies used to detect repeated failed login attempts or other similar mechanisms designed to protect the login system from abuses. 
  • Third-party social plug-in content sharing cookies.  The WP29 distinguishes between users who have “logged-in” to a particular social network account and “non-logged-in” users who are either not members of that the social network or have “disconnected” from their account.  An exemption for consent is only available to the former.  The WP29 emphasizes that even as regards “logged in” users, the exemption is only available for session cookies that expire when the user logs-out of the social network or the browser is closed.
  • Multimedia player session cookies.  Cookies which store technical data needed to play back audio or video content, such as flash player cookies, may benefit from an exemption.
  • Load balancing session cookies.  Session cookies which allow the distribution of the processing of web server requests over a pool of machines are exempted.
  • User Interface (UI) customization cookies.  UI customization cookies, which store a user’s preference regarding a service across web pages, such as language preference, are explicitly enabled by the user.  Session cookies storing such information are exempted.

The WP29 opinion also specifically discusses cookies which do not benefit from any consent exemptions:

  • Social plug-in tracking cookies.  Where social plug-in cookies also track individuals for additional purposes such as behavioural advertising, they can no longer be deemed to be “strictly necessary” to provide a functionality explicitly requested by the user and cannot benefit from an exemption.  The WP29 considers it to be unlikely that there is any legal basis for social networks to collect data through social plug-ins about non-members of their network and states that by default social plug-ins should not set a third party cookie in pages displayed to non-members.
  • Third-party advertising cookies.  Third party cookies used for behavioural advertising are not exempt from consent.  Consent is also required for all related third party operational cookies used in advertising including cookies used for purposes such as financial logging and click fraud detection. 
  • First-party analytics cookies.  These cookies do not fall under any exemption but the WP29 considers that they are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and are used by websites that already provide adequate privacy safeguards and clear information about such cookies in their privacy policy.  The WP29 proposes that European legislators introduce a further exemption for such cookies in the future.