From the Opinion’s introduction
Article 5.3 of Directive 2002/58/EC, as amended by Directive 2009/136/EC has reinforced the protection of users of electronic communication networks and services by requiring informed consent before information is stored or accessed in the user’s (or subscriber’s) terminal device. The requirement applies to all types of information stored or accessed in the user’s terminal device although the majority of discussion has centred on the usage of cookies as understood by the definition in RFC62651. As such, this opinion explains how the revised Article 5.3 impacts on the usage of cookies but the term should not be regarded as excluding similar technologies.
Article 5.3 allows cookies to be exempted from the requirement of informed consent, if they satisfy one of the following criteria:
CRITERION A: the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.
CRITERION B: the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.
While the requirements for informed consent were already examined in detail by the Working Party in two Opinions2, this document is designed to analyze the exemptions to this principle, in the context of cookies and related technologies.
This analysis is conducted without prejudice to the right to be informed and the eventual right to oppose set forth by Directive 95/46/EC, which apply to personal data processing whether cookies are used or not.
- Data Protection Directive 95/46/EC
- WP29, Opinion 2/2010 on “online behavioural advertising”
- WP29 Opinion 16/2011 on “the EASA/IAB Best Practice Recommendation on online Behavioural advertising”