European Data Protection Authorities Publish Guidelines Clarifying Exemptions to Cookie Consent Requirement


[author: Marianne Le Moullec]


On June 7, 2012, the Article 29 Working Party, an independent advisory body composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission, issued Opinion 04/2012 regarding which types of cookies are exempted from the informed user-consent requirement under Directive 2002/58 of the European Parliament (the E-Privacy Directive).


Article 5.3 of the E-Privacy Directive requires that websites must obtain informed consent from users prior to storing cookies on users’ equipment. The E-Privacy Directive provides for two exemptions to this rule: (a) when the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; and (b) when the cookie is strictly necessary in order for the provider of an information society service explicitly requested by the user to provide the service.

With regard to the first exemption, the Opinion stresses its narrow scope: the words “sole purpose” mean that such cookies will be exempted only if they are strictly necessary for communication to take place over a network between two parties. The Opinion sets out three elements that can be considered as strictly necessary in this context: (1) the ability to route information over the network, (2) the ability to exchange data items, and (3) the ability to detect transmission errors or data loss.

The second exemption is broader in scope and the Opinion lists the following as definitive examples of when the exemption is applicable: “user input” cookies (shopping-cart cookies, for example), authentication cookies (used to identify the user once he/she has logged in to an online banking website, for example), security cookies designed to detect failed login attempts on a website, or multimedia player session cookies needed to play audio or video content. Companies must, however, keep in mind that a cookie may be stored under this exemption only if it is strictly necessary from the point of view of the user, not the service provider. Further, a cookie should have a lifespan that is in direct relation to the purpose for which it is needed; therefore, persistent cookies (cookies that remain stored in a user’s equipment after the user closes his browser) are less likely to be exempted.


The Opinion also specifies that neither third-party cookies used for behavioral advertising nor third-party tracking cookies used by social networks to collect data for behavioral advertising or market research are exempted from consent.


Finally, the Opinion concludes with some words of wisdom: where a doubt remains as to whether the cookie falls within an exemption, companies should seek consent from the user.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising

Written by:


Proskauer - Privacy & Data Security on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.