Francesca Giannoni-Crystal, Federica Romanelli, Cookie rules or cookies rule? EU law and the situation in France, Germany, Italy, and the UK. Part One

Cookies have been making headlines in Europe recently. In this blog we will take a closer look at the situation in France, Germany, Italy and the UK, focusing on information to users, users’ consent and the consequences of violations.

What is a cookie?

“A cookie is a small piece of data that a website saves on your computer or mobile device when you visit the site”. The cookie enables the website to remember your actions and preferences (such as login, language, and font size) over time (definition by the EU Commission, see here).

Cookies are used for a variety of reasons, such as to identify users, to remember users’ custom preferences, to help users browse from one page to another, and to target online advertising. Cookies can be classified by their lifespan and the domain to which they belong (see here).

By lifespan, a cookie is either a session cookie (which is erased when the user closes the browser) or a persistent cookie (which remains on the user’s computer/device for a pre-defined period of time). As for the domain to which it belongs, a cookie can be either a first-party cookie (which is set by the web server of the visited page and shares the same domain) or a third-party cookie (which is stored by a domain different from the visited page’s domain; this can happen, for example, when the webpage references a file, such as JavaScript, located outside its domain).
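The two classifications above can be read directly off a `Set-Cookie` response header. The following is an added example, not part of the original article: the function names and sample hosts are hypothetical, and "same domain" is approximated with RFC 6265 domain matching rather than a full Public Suffix List lookup.

```javascript
// Added example: classify a Set-Cookie header by lifespan and by party.
// Hosts and cookie values are constructed sample data (.example is reserved).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const attrs = Object.create(null); // attribute names are case-insensitive
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? "" : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// RFC 6265 domain matching: identical host, or host is a subdomain of domain.
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// pageHost: host of the visited page; responseHost: host that sent the header.
function classifyCookie(header, pageHost, responseHost) {
  const { name, attrs } = parseSetCookie(header);
  // No Max-Age and no Expires: the cookie is erased when the browser closes.
  const persistent = "max-age" in attrs || "expires" in attrs;
  // Without a Domain attribute the cookie belongs to the host that set it.
  const cookieDomain = attrs.domain || responseHost;
  return {
    name,
    lifespan: persistent ? "persistent" : "session",
    party: domainMatches(pageHost, cookieDomain) ? "first-party" : "third-party",
  };
}

// Constructed samples: [header, visited page host, host that sent the header].
const samples = [
  ["sid=abc123; Path=/; HttpOnly", "www.shop.example", "www.shop.example"],
  ["lang=it; Max-Age=31536000; Domain=shop.example", "www.shop.example", "www.shop.example"],
  ["track=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT", "www.shop.example", "ads.tracker.example"],
];
for (const [header, page, sender] of samples) {
  const c = classifyCookie(header, page, sender);
  console.log(`${c.name}: ${c.lifespan}, ${c.party}`);
}
```

An audit of which cookies a site sets before consent can start from this kind of classification, since persistent third-party cookies are the ones least likely to fall under the exemptions listed below.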

EU cookie law

The relevant EU legislation on cookies is the following:

1) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. The Regulation sets forth specific legal obligations concerning the protection of personal data and their processing. It also requires websites to inform users that cookies are not being used to gather unnecessary information.

2) Directive 2002/58/EC, concerning the processing of personal data and the protection of privacy in the electronic communications sector (“Directive on Privacy and Electronic Communications”, known as the E-Privacy Directive), as amended by Directive 2009/136. Particularly relevant for cookies is Article 5.3, which requires prior informed consent for storage of or access to information on a user’s terminal equipment. In order to use cookies, a website shall obtain the user’s informed, specific, and freely given consent.

WP29 has elaborated on the definition of “consent” in Opinion 15/2011. The Opinion provides a thorough analysis of the concept of “consent” as used in the Data Protection Directive and in the e-Privacy Directive.

To be sure, not all cookies require consent according to EU law. Consent is not required if the cookie is:

  • used for the sole purpose of carrying out the transmission of a communication, and
  • strictly necessary to provide the service explicitly required by the user.

The following cookies are also exempt from consent (see WP29 Opinion 04/2012 on Cookie Consent Exemption):

  • user-input cookies (session-id) such as first‑party cookies to keep track of the user’s input when filling online forms, shopping carts, and the like, which typically last for the duration of a session or a few hours;
  • authentication cookies, to identify the user once he has logged in, for the duration of a session;
  • user-centric security cookies, used to increase the security of the service requested by the user. These cookies are expected to have a longer lifespan than authentication cookies;
  • multimedia content player cookies, used to store technical data to play back video or audio content for the duration of a session;
  • load-balancing cookies, which are necessary to carry out the communication over the session – they expire at the end of the session;
  • user-interface customization cookies such as language or font preferences; they last for the duration of a session (or slightly longer);
  • third-party social plug-in content-sharing cookies, for logged-in members of a social network to allow them to share content.

The European Commission website contains an official Cookie Policy template in several languages. It can be used on a website as the Cookie Policy page.

More information on cookie law in Europe is available at….