Cookie rules are defined in the e-Privacy Directive 2002/58/EC, as amended by the 2009 Citizens’ Rights Directive, in Article 5 that regulates confidentiality of communications. Electronic communication service providers should not listen, tap, store or carry out any other form of surveillance without obtaining users’ prior informed consent.
The same rule applies to the storage of information or the access to the information already stored on users’ devices, unless one of the following exemptions apply:
- storage or access is necessary for the sole purpose of carrying out the transmission of a communication or
- storage or access is strictly necessary for an electronic service provider to provide a service requested by the user. Only in these limited cases is users’ prior consent not required, which in effect triggered a flood of cookie pop-ups across European websites.
Directives are not directly applicable in the EU Member States; they serve as basis that commonly define minimum standards to be implemented into a national law. Each Directive thus ends up being implemented into 28 legal systems that regulate the issue in question in each Member State. To spice up a maze of the EU privacy rules, there are national and the EU regulators. In case of cookies, the EU regulator Working Party 29 (WP29) and some national Data Protection Authorities (DPAs), such as the UK Information Commissioners Office (ICO) or Slovenian Information Commissioner (IP), came up with their own guidelines on the implementation of the EU cookie rules.
- A company can obtain consent after they have specified the purpose of placing a cookie and have informed users on these purposes. Commonly, we can see this information placed in distinctive banners across websites.
- It is important that a company does not place a cookie and start with data processing before users have expressed their consent.
- Users’ consent should be unambiguous. Companies should ensure that consent reflects the real intention of data subject and should consist of an active behavior of the user. Typically, users have to select “I agree” choice on a website dialogue that serves as a consent mechanism.
- WP29 pointed out that companies should give users a meaningful choice to decide on which cookies they wish to accept: (a) all cookies, (b) some cookies, (c) no cookies. Users should also be given a possibility to change the cookie setting afterwards.
The above cookies rules do not apply when the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”. When deciding whether the exemption to the cookie rules applies, the WP29 takes into account the following characteristics:
a. Session or persistent cookies
For a cookie to be exempted from the cookie rules, it is essential that it expires after the purpose of its placement is exhausted. This means that session cookies are more likely to be exempted from the cookie rule than persistent cookies. In a recent study, the ICO has discovered that “the average cookie is set to expire after one to two years but some cookies were being set for as long at 10, 100 or even nearly 8000 years.”
b. First party or third party cookies
A first party cookie is a cookie placed by a visited website and a third party cookie is a cookie placed by a distinct website. Usually, third party cookies are not strictly necessary for a service to be provided. Such cookies often have no relation to the service provided; hence it is also rare that they would be specifically requested by users. Therefore, third party cookies are less likely to be exempted from the cookie rules than first party cookies.
Read more about regulatory updates in personal data protection in the world of Big Data, IoT and the Cloud on our White Paper portal.