On June 7, 2012, the Article 29 Working Party, an independent advisory body composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission, issued Opinion 04/2012 regarding which types of cookies are exempted from the informed user-consent requirement under Directive 2002/58 of the European Parliament (the E-Privacy Directive).
Article 5.3 of the E-Privacy Directive requires that websites must obtain informed consent from users prior to storing cookies on users’ equipment. The E-Privacy Directive provides for two exemptions to this rule: (a) when the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; and (b) when the cookie is strictly necessary in order for the provider of an information society service explicitly requested by the user to provide the service.
With regard to the first exemption, the Opinion stresses its narrow scope: the words “sole purpose” mean that such cookies will be exempted only if they are strictly necessary for communication to take place over a network between two parties. The Opinion sets out three elements that can be considered as strictly necessary in this context: (1) the ability to route information over the network, (2) the ability to exchange data items, and (3) the ability to detect transmission errors or data loss.
The second exemption is broader in scope and the Opinion lists the following as definitive examples of when the exemption is applicable: “user input” cookies (shopping-cart cookies, for example), authentication cookies (used to identify the user once he/she has logged in to an online banking website, for example), security cookies designed to detect failed login attempts on a website, or multimedia player session cookies needed to play audio or video content. Companies must, however, keep in mind that a cookie may be stored under this exemption only if it is strictly necessary from the point of view of the user, not the service provider. Further, a cookie should have a lifespan that is in direct relation to the purpose for which it is needed; therefore, persistent cookies (cookies that remain stored in a user’s equipment after the user closes his browser) are less likely to be exempted.
The Opinion also specifies that neither third-party cookies used for behavioral advertising nor third-party tracking cookies used by social networks to collect data for behavioral advertising or market research are exempted from consent.
Finally, the Opinion concludes with some words of wisdom: where a doubt remains as to whether the cookie falls within an exemption, companies should seek consent from the user.