Cookies have been making headlines in Europe recently. In this blog we take a closer look at the situation in France, Germany, Italy and the UK, focusing on the information given to users, users’ consent and the consequences of violations.
What is a cookie? “A cookie is a small piece of data that a website saves on your computer or mobile device when you visit the site”. The cookie enables the website to remember your actions and preferences (such as login, language, and font size) over time (definition by the EU Commission, see here).
Cookies are used for a variety of reasons, such as to identify users, to remember users’ custom preferences, to help users browse from one page to another, and to target online advertising. Cookies can be classified by their lifespan and the domain to which they belong (see here).
EU cookie law
The relevant EU legislation on cookies is the following:
1) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. The Regulation sets forth specific legal obligations concerning the protection of personal data and their processing. It also requires websites to inform users that cookies are not being used to gather unnecessary information.
WP29 has elaborated on the definition of “consent” in Opinion 15/2011. The Opinion provides a thorough analysis of the concept of “consent” as used in the Data Protection Directive and in the e-Privacy Directive.
In fact, not all cookies require consent under EU law. Consent is not required if the cookie is:
- used for the sole purpose of carrying out the transmission of a communication, and
- strictly necessary to provide the service explicitly required by the user.
The following cookies are also exempt from consent (see WP29 Opinion 04/2012 on Cookie Consent Exemption):
- user-input cookies (session-id) such as first‑party cookies to keep track of the user’s input when filling online forms, shopping carts, and the like, which typically last for the duration of a session or a few hours;
- authentication cookies, to identify the user once he has logged in, for the duration of a session;
- user-centric security cookies, used to increase the security of the service requested by the user. These cookies are expected to have a longer lifespan than authentication cookies;
- multimedia content player cookies, used to store technical data to play back video or audio content for the duration of a session;
- load-balancing cookies, which are necessary to carry out the communication over the session – they expire at the end of the session;
- user-interface customization cookies such as language or font preferences; they last for the duration of a session (or slightly longer);
- third-party social plug-in content-sharing cookies, for logged-in members of a social network, to allow them to share content.
More information on cookie law in Europe is available at http://cookiepedia.co….