Article 29 Working Party Publishes Opinion on Exempted Cookies

By: Richard Beaumont | Thursday, June 14, 2012 | Tagged: Cookie Law

The Article 29 Working Party has this week published an official EU wide opinion on the types of cookies that are exempted from the need for visitor consent.

The Article 29 group is an EU level advisory council made up of representatives of the data protection authorities from each EU member state. This includes the UK's ICO.

Whilst their official opinions do not necessarily carry any legal weight, they are an important guide to how the EU Directive should be interpreted, and therefore what kind of regulatory stance individual countries should take in assessing compliance with the law. Therefore it is important to take note of what they say.

The law has always allowed that certain types of cookies do not need visitor consent, for which there are two criteria, which the Working Party has labelled A and B:

Criterion A: the cookie is used "for the sole purpose of carrying out the transmission of a communication over an electronic communications network".

Criterion B: the cookie is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service".

What they have now done is provide some use case scenarios for certain types of cookies (and behaviours) that can be considered as exempted or not from the requirements to obtain consent.

Some of these use cases are obvious, and in line with what we have been advising customers already.  Things like login session cookies, user input cookies, user security cookies, load balancing and even video playback control cookies, can all be considered exempt from the need for consent.

However there are some interesting inclusions that bear closer examination.

UI customisation cookies
Cookies that remember settings that the user initiates to customise the site are exempted, but only if they are session cookies, and only if they are set as the result of a user interaction.

So let's say you have a cookie that determines text size. The user can change the text size and this can be remembered using a session cookie, without consent.

However, the user would need to be told if that preference was stored in a persistent cookie, and their acceptance obtained. In addition, as often happens, if the cookie sets a default text size when the user arrives, this will need consent.

Social Plug-in cookies
This is a particularly interesting part of the opinion - given that these plug-ins are the most common form of third party functionality that a site would have - including on our own.

The general opinion seems to be that, if someone is logged into a social network, then uses a plug-in on another site to share content - consent is not required by either party, as long as the cookies are only for the purpose of sharing, and are session cookies.

Consent however is required if the cookies are used by the social network for other purposes like tracking and behavioural advertising.  They go on to state though that if such consent is obtained by the social network - and this is deemed to be valid, then the website using the plug-in still does not need to obtain consent.

Needless to say though, if the cookies are placed by the social network on the machine of a user who is not a member of that network (or not identified as such by having a valid log-in cookie to that network), then consent will be required for that to happen, whatever the purpose - and then of course it will be the responsibility of the site carrying the plug-in.

So where does that leave plug-ins such as the Facebook Like button?

It appears that if a user is not logged in to Facebook, and has not got any Facebook cookies on their machine - then there is no cookie activity that would require consent or otherwise.

However, if the user has got Facebook cookies (because they were previously logged in), then those cookies are retrieved by Facebook, even if the user is not currently logged in. And if the user is logged in - then a whole load more cookies get set as well.

Of course Facebook does not publicise how it uses particular cookies, so it is impossible to know which cookies of theirs require consent or not.  However given that many of these cookies are persistent, consent can be assumed to be required. And for a website owner - it is also impossible to know whether Facebook has obtained consent for those cookies (even ignoring the jurisdictional issues).

The safest option therefore would be to assume that consent is needed, and that the website carrying the Like button, should obtain that consent.  Of course it also follows that in the absence of consent, the Like button should not be used.

What this really highlights is the disconnect between the theory of the law and its practicalities. This opinion really just tells social media plug-in providers what they need to do to ensure their plug-ins become compliant and therefore enable site owners to be comfortable in their continued use.

Until they do that, site owners will need to continue to take responsibility for obtaining consent for such plug-ins, as the last paragraph of the opinion states:

"After a careful examination, if substantial doubts remain on whether or not an exemption criterion applies, website operators should closely examine if there is not in practice an opportunity to gain consent from users in a simple unobtrusive way, thus avoiding any legal uncertainty."
