The Article 29 Working Party, a grouping of representatives from the various national privacy regulators in Europe, today published an opinion on the “essential cookies” exemption under the cookie law.

Opinions of the Article 29 Working Party have no legal effect, but do represent the joint thinking of the national regulators and in turn can often influence the future direction of European data protection law, and may assist organisations currently grappling with the cookie law.

The law
Under the revised law, the requirements in relation to consent do not apply to cookies that:

  • are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • are strictly necessary in order for the provider of an information society service [essentially a website] explicitly requested by the subscriber or user to provide the service.

As readers will know from previous Techblog posts, neither the UK implementing regulations nor the original directive gives much further guidance on what falls within the “strictly necessary” category.

Accordingly, the Working Party has published its opinion on what it thinks the law is. In addition to listing examples of cookies that are or are not essential (and therefore exempt from the consent requirement), the guidance also analyses factors such as whether the cookie is first or third party, and whether it is a session cookie or persistent. The opinion notes that the fact that a cookie is third party or persistent is not necessarily fatal to it being “essential” – for example, it may be appropriate for a cookie to persist for a reasonable period of time following the user leaving the website.

Cookies that are essential
The opinion lists the following types of cookies as potentially being exempt:

  • user input cookies – cookies used to keep track of a user’s input. For example, the completion of a multi-page form, or a shopping basket on an e-commerce website.
  • authentication cookies – cookies used to identify a user once he has logged in to a website. But cookies used to “remember me” to avoid the need to log in for future visits are not considered “essential.”
  • user-centric security cookies – for example cookies used to detect the number of failed log-ins to a service specifically requested by a user.
  • multimedia player session cookies – cookies used to store technical information (for example network speed, quality and buffering) needed to play video or audio content requested by the user. This might include Flash cookies.
  • load balancing session cookies – cookies used to manage server load balancing. This would fall within the first bullet above (the transmission of a communication).
  • UI customisation cookies – cookies used to remember preferences specifically set by a user (for example, language or display preferences set using a button or tick box) and not linked to other data such as the user’s username. The guidance is slightly contradictory here, but it appears to suggest that if the customisation applies longer than the session then the opinion states that consent is required, but this could be done by including a “uses cookies” message next to the button or tick box.
  • social media content sharing cookies – cookies used by social media plug-ins to identify users that are logged in to social media networks and which are used to enable them to share content using that social media network. These cookies should only persist for so long as the user is logged in or “close his browser” (it’s not clear how this equates with a user that asks the social media network to “remember me”), and the exemption will not apply where that cookie is dropped onto the device of a user who is not logged in.

In each of these cases, the exemption is dependent upon the cookie not persisting for longer than necessary and the cookie not also being used for other purposes.

Cookies that are not essential
The opinion also lists a number of cookies that, in the eyes of the Article 29 Working Party, are not essential:

  • social plug-in tracking cookies – cookies used to track the activity of logged in users of social networks (for example, for the purposes of targeted advertising, or analytics etc).
  • third party advertising – unsurprisingly, cookies used for third party advertising (that is, advertising served by a domain outside the website in question) are not considered essential. The Working Party is lobbying to ensure that all such cookies are included in the W3C.
  • first party analytics – the opinion confirms the Working Party’s view that first party analytics cookies (for example, those used for Google Analytics) are not essential and therefore require consent.

As I noted at the outset of this blog, the Working Party’s opinions have no legal standing, but some of the types of cookies listed as falling within the exemption, and the comments on assessing whether or not a cookie is likely to fall within the exemption should give web site operators some assistance when determining how to implement the changes necessary for their websites. As with the ICO’s recent updated guidance, it’s just a shame that this guidance wasn’t available in the run up to 26 May.

Martin Sloan

Partner at Brodies LLP
Martin is a partner in Brodies Technology, Information and Outsourcing group and has wide experience of advising clients on technology procurement and IT and business process outsourcing projects. Martin also advises on data protection (including the GDPR), and general technology and intellectual property law, and has a particular interest in the laws applying to social media and new technology such as mobile apps, contactless/mobile payments, and smart metering.