Article 29 Data Protection Working Party, Opinion 04/2012 on Cookie Consent Exemption

From the Opinion’s introduction

Article 5.3 of Directive 2002/58/EC, as amended by Directive 2009/136/EC has reinforced the protection of users of electronic communication networks and services by requiring informed consent before information is stored or accessed in the user’s (or subscriber’s) terminal device. The requirement applies to all types of information stored or accessed in the user’s terminal device although the majority of discussion has centred on the usage of cookies as understood by the definition in RFC62651. As such, this opinion explains how the revised Article 5.3 impacts on the usage of cookies but the term should not be regarded as excluding similar technologies.

Article 5.3 allows cookies to be exempted from the requirement of informed consent, if they satisfy one of the following criteria:

CRITERION A: the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.

CRITERION B: the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.

While the requirements for informed consent were already examined in detail by the Working Party in two Opinions2, this document is designed to analyze the exemptions to this principle, in the context of cookies and related technologies.

This analysis is conducted without prejudice to the right to be informed and the eventual right to oppose set forth by Directive 95/46/EC, which apply to personal data processing whether cookies are used or not.

Related material

The full text is available at…                   Open Pdf