On 7 June 2012, the Article 29 Data Protection Working Party issued an opinion on cookie consent exemptions. The Directive 2009/136/EC, amending Directive 2002/58/EC, introduced an opt-in regime which requires providers to request that users grant their consent to the use of cookies, as opposed to the regime under which users are given the opportunity to opt-out.
Article 5.3 of the revised e-Privacy Directive 2002/58/EC provides two exemptions to the requirement of informed consent:
· when the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” ("Exemption A"), or
· when the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service” ("Exemption B").
The Working Party, in its opinion 4/2012 of 7 June 2012, clarified the meaning and the application of these exemptions.
The main guidelines drawn from the opinion can be summarized as follows:
· With regard to Exemption A, the "sole purpose" requirement should be interpreted in the sense that the transmission of the communication must not be possible without the use of the cookie. Thus, cookies used to assist, speed up or regulate such transmission shall require users’ consent. The Article 29 Working Party said that only ‘load balancing session cookies’, that allow processing of web server requests to be spread over a number of computers, clearly would not require consent under the ‘transmission’ exemption.
· With regard to Exemption B, the two criteria to take into account are: (i) the service has been explicitly requested by the user, who undertook "positive action" to request the service; and (ii) cookies are strictly needed to enable the service (i.e. if cookies are disabled, the service will not function), as assessed from the user’s "point of view".
After classifying cookies into "session cookies", "permanent cookies", "first party cookies" and "third party cookies", the Working Party has stated that the actual purposes, implementation or processing carried out by the cookies shall ultimately be used to determine whether or not a given cookie falls into one of the abovementioned Exemptions A and B.
Based on the above, the Working Party provides a list of the types of cookies that may be exempted from the informed consent requirement, provided they are not used for additional purposes and under certain conditions:
· User input cookies (session-ID), for the duration of a session or persistent cookies limited to a few hours in some cases;
· Authentication cookies, used for authenticated services, for the duration of a session;
· User centric security cookies, used to detect authentication abuses, for a limited persistent duration;
· Multimedia content player session cookies, such as flash player cookies, for the duration of a session;
· Load balancing session cookies, for the duration of a session;
· UI customization persistent cookies, for the duration of a session (or slightly more);
· Third party social plug-in content sharing cookies, for logged-in members of a social network only.
On the contrary, according to the Working Party, the following cookies are not covered by the abovementioned exemptions, and as such shall require prior opt-in consent:
· Social plug-in tracking cookies;
· Third party advertising cookies, including those used for operational purposes. In this regard, the Working Party refers to the on-going work carried out by the World Wide Web Consortium on "Do Not Track" mechanisms;
· Third party and first party analytics cookies. However, the Working Party acknowledges that they carry low privacy risks when they are limited to first party aggregated statistical purposes and when they are used by websites that provide adequate privacy safeguards, such as offering clear information in their privacy policy, user friendly opt-out mechanisms and anonymization mechanisms. The Working Party has also suggested excluding these cookies from the consent requirement should Article 5.3 be revisited in the future. This approach appears consistent with the position of the French Data Protection Authority ("CNIL"), according to which first party web analytics cookies do not require express consent.
It is worth noting that the opinion does not deal with the tricky issue of how to obtain consent, but rather refers to the Working Party’s prior opinions on consent (n. 2/2010 and 16/2011), as well as the "Do Not Track" mechanisms’ project. It merely hints at the fact that a single point of information and consent, when presented in a clear and comprehensive manner, should prove sufficient in most cases.
Finally, please note the Working Party is a mere consultation body of the EEA Commission and its opinions do not produce any effect vis-à-vis third parties. However, this opinion (as integrated by the "Do Not Track" mechanisms) will most likely be used by national privacy authorities in implementing their guidelines on the matter.
Authored by Marco Berliri, Massimiliano Masnada, and Marta Colonna.