Tsibouris & Associates Home | Practice Areas | Attorneys | Contact | Publications | Clients | Blog Home

Tuesday, June 12, 2012

Article 29 Working Party Publishes Opinion on Exemptions for Cookies

by Mehmet Munur

The Article 29 Working Party published an opinion (WP194) today on the exemptions to the consent requirement for cookies or similar technologies under the revised E-Privacy Directive. The Working Party elaborated on types of cookies that may not require consent under certain circumstances, such as cookies that track user’s input on forms or shopping carts and cookies that store users’ language preference. Most importantly, the Working Party stated that first-party analytics cookies are not likely to create privacy risks when they are strictly limited to first-party aggregated statistical purposes, provide clear notice about these cookies in their privacy policy, and provide adequate privacy safeguards. While the Working Party deems such cookies not to be strictly necessary for the operation of a website, they also admit that the privacy risks are limited when they are configured properly.

The Working Party elaborated on the two exceptions to consent under Article 5.3 of the amended E-Privacy Directive 2009/136/EC. Under the Directive, service providers may only store information, or gain access to information already stored, on equipment if the user has given consent after having been provided with clear and comprehensive notice. The first exception to the consent requirement is information stored for the sole purpose of carrying out the transmission of a communication over an electronic communications network. The second exception to the consent requirement is information strictly necessary for provision of services explicitly requested by the user.

With regard to in construing the first exception, the Working Party stated that the following elements may be helpful:

1) The ability to route the information over the network, notably by identifying the communication endpoints.
2) The ability to exchange data items in their intended order, notably by numbering data packets,
3) The ability to detect transmission errors or data loss.

Therefore, cookies or similar technologies that fall in any of the above criteria should satisfy the exception to the consent requirement.

With regard to construing the second exception and due to the complexities in what constitutes the service, the Working Party stated that the following elements should be met:

1) A cookie is necessary to provide a specific functionality to the user (or subscriber): if cookies are disabled, the functionality will not be available.
2) This functionality has been explicitly requested by the user (or subscriber), as part of an information society service.

The Working Party then moved to the terminology relating to cookies and created some distinctions between session cookies, persistent cookies, first-party cookies, and third-party cookies. Importantly, the Working Party stressed that they would be moving away from the distinction between first-party and third-party cookies as used in the browsers. Most web browser settings would classify a cookie placed on a user’s device by the domain visited by the user as a first-party cookie and any cookie placed by another domain as a third-party cookie. The Working Party uses a slightly different definition. Using the definition of the third-party under the Directive to state that cookies that are placed on a user’s device “to describe cookies that are set by data controllers that do not operate the website currently visited by the user.” On the other hand, first-party cookies “refer to a cookie set by the data controller (or any of its processors) operating the website visited by the user, as defined by the URL that is usually displayed in the browser address bar.”

In order to determine whether the cookie is strictly necessary, the service provider must determine the lifespan of the cookie, whether it is session based or persistent, and the purposes of the processing. Therefore, the Working Party creates a continuum where first-party session cookies may be strictly necessary whereas third-party persistent cookies may not be. However, the Working Party stresses that these distinctions must be used in conjunction with the purposes of the cookies in order to determine whether consent is required.

The Working Party then discussed different examples of cookie use scenarios that may be exempt from the consent requirements. 

User Input cookies: Looking at session cookies that track user’s inputs on a webpage, the Working Party stated that these cookies would likely not require consent.
Authentication cookies: The Working Party came to a similar conclusion for sessions based authentication cookies. However, persistent cookies for logins would require consent.
User centric security cookies: User centric and user requested security cookies, for example those related to log in attempts, would also not require consent. However, this may not be the case for other cookies relating to the security of the website.
Multimedia player sessions cookies: Default flash player cookies may also not require consent to the extent they relate to technical data such as image quality, network link speed and buffering parameters. However, they should be session cookies.
Load balancing session cookies: Sessions based cookies used to balance users across different servers is likely not to require consent, either.
UI customization cookies: Session or persistent cookies relating to the user’s preference over language or appearance may also not require consent, mostly because the user shows his preference by clicking on a box or link to set these preferences. However, notice relating to the use of cookies may be required for persistent cookies.
Social plug-in cookies: The Working Party states that consent may be required from users who are not logged into the service or are not customers of the service. However, consent may not be required for users that are logged in and are requesting the service.

In addition to the above examples relating to the exempt cookies, the Working Party stated that the following cookies would not be exempted from the consent requirement: social plug-in tracking cookies, third-party advertising cookies, and first-party analytics cookies. To the extent that these cookies are used for the tracking of the individual, consent would be required. With regard to the first-party analytics cookies, the Working Party stated that these cookies “are not likely to create a privacy risk when they are strictly limited to first-party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards.” These safeguards should include a method for opting out and anonymization of identifiable information such as IP addresses. Therefore, first-party analytics cookies with the appropriate privacy controls would likely not require consent even though they are not in an exempted category. The Working Party notes, however, that the privacy risks relating to third-party analytics cookies that track users across websites are higher and would require consent.

This opinion from the Working Party opinion falls in line with the latest opinions from the UK ICO and the CNIL. The ICO and the Working Party appear to have taken a step back from the strict interpretation of the amended E-Privacy Directive that would require informed consent even for first-party analytics. In fact, the Working Party now calls for a revision of the Directive to explicitly allow for

This long awaited opinion from the Working Party brings some more detail around the difficult challenges faced by most companies in complying with the revised E-Privacy Directive. It does not negate the need to conduct audits and due diligence relating to cookies and similar technologies used by companies. It does, however, make first-party analytics cookies easier to implement.

Labels: , , , ,


Anonymous Hugh said...

This is cool!

2:54 AM  

Post a Comment

Subscribe to Post Comments [Atom]

<< Home