Cookie rules are defined in the e-Privacy Directive 2002/58/EC, as amended by the 2009 Citizens’ Rights Directive, in Article 5 that regulates confidentiality of communications. Electronic communication service providers should not listen, tap, store or carry out any other form of surveillance without obtaining users’ prior informed consent.
The same rule applies to the storage of information or the access to the information already stored on users’ devices, unless one of the following exemptions apply:
- storage or access is necessary for the sole purpose of carrying out the transmission of a communication or
- storage or access is strictly necessary for an electronic service provider to provide a service requested by the user. Only in these limited cases is users’ prior consent not required, which in effect triggered a flood of cookie pop-ups across European websites.
Directives are not directly applicable in the EU Member States; they serve as basis that commonly define minimum standards to be implemented into a national law. Each Directive thus ends up being implemented into 28 legal systems that regulate the issue in question in each Member State. To spice up a maze of the EU privacy rules, there are national and the EU regulators. In case of cookies, the EU regulator Working Party 29 (WP29) and some national Data Protection Authorities (DPAs), such as the UK Information Commissioners Office (ICO) or Slovenian Information Commissioner (IP), came up with their own guidelines on the implementation of the EU cookie rules.
So far, WP29 has issued two opinions on the use of cookies that focus on (1) obtaining a valid consent from users and (2) exemption to the cookie rules. When seeking users’ consent on the use of cookies, business should pay attention to the following four elements:
- A company can obtain consent after they have specified the purpose of placing a cookie and have informed users on these purposes. Commonly, we can see this information placed in distinctive banners across websites.
- It is important that a company does not place a cookie and start with data processing before users have expressed their consent.
- Users’ consent should be unambiguous. Companies should ensure that consent reflects the real intention of data subject and should consist of an active behavior of the user. Typically, users have to select “I agree” choice on a website dialogue that serves as a consent mechanism.
- WP29 pointed out that companies should give users a meaningful choice to decide on which cookies they wish to accept: (a) all cookies, (b) some cookies, (c) no cookies. Users should also be given a possibility to change the cookie setting afterwards.
The above cookies rules do not apply when the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”. When deciding whether the exemption to the cookie rules applies, the WP29 takes into account the following characteristics:
a. Session or persistent cookies
For a cookie to be exempted from the cookie rules, it is essential that it expires after the purpose of its placement is exhausted. This means that session cookies are more likely to be exempted from the cookie rule than persistent cookies. In a recent study, the ICO has discovered that “the average cookie is set to expire after one to two years but some cookies were being set for as long at 10, 100 or even nearly 8000 years.”
b. First party or third party cookies
A first party cookie is a cookie placed by a visited website and a third party cookie is a cookie placed by a distinct website. Usually, third party cookies are not strictly necessary for a service to be provided. Such cookies often have no relation to the service provided; hence it is also rare that they would be specifically requested by users. Therefore, third party cookies are less likely to be exempted from the cookie rules than first party cookies.
National DPAs are responsible to oversee the implementation of cookie rules into national practice and have the authority to fine business that violate these laws. WP29 has, together with some national DPAs reviewed whether businesses follow the rules of e-Privacy Directive on the use of cookies. Together they reviewed 478 websites in eight EU Member States and published the results in an analysis.
The results show that, on average, each website visited place 35 cookies. 30% of those cookies are commonly first party cookies, the rest are third party cookies. Most websites placed persistent cookies. The results also show that the majority of websites provided information on the use of cookies. Websites provide information either by a permanent banner or a banner which disappeared on the next user click, or by a banner which disappeared after a set period of time. Most cookies that were investigated expired after less than two years, however some websites place cookies that expire after more than 68 years.
The industry has kept pointing out the issues with practical implementation of Article 5(3). Although the Directive seeks to harmonize the rules across the EU, the implementation of said provision varies across Member States. Whereas national DPAs have issued different guidelines on the correct application of the cookie rules, some DPAs have not provided any guidance at all. Companies therefore face difficulties when trying to comply with the cookie rules in several Member States. Furthermore, the cookie consent requirement is not tailored for the implementation within all business models. For example, service providers that do not have a direct contact with end-users do not have any direct means of obtaining consent from them. Thus, companies have already started thinking about refraining from the use cookies and use new technologies instead.
In our January technology and regulation update we have already addressed device fingerprinting solution, which can be seen as an alternative to the use of cookies. Business that are considering such technologies should keep in mind that the WP29 interpreted in the Opinion on Device Fingerprinting that cookie rules should also apply to ‘similar technologies’.
Read more about regulatory updates in personal data protection in the world of Big Data, IoT and the Cloud on our White Paper portal.
