After changes to the EU Privacy and Electronic Communications (e-Privacy) Directive that came into force in the UK last year, site operators must obtain user consent to place cookies in users' browsers. There is an exception, though, for services where a cookie is 'strictly necessary' for the operation of the site, such as tracking a shopper's choices to allow them to pay for goods at a checkout stage of an online process.
The Article 29 Working Party has published an opinion which says that sites can only make use of this exception if a user has specifically requested the service or functionality for which a cookie is 'strictly necessary and the service or functionality would not work if a cookie was not served'.
The Working Party said (12-page / 151KB PDF) that cookies should only be considered as fulfilling the 'strictly necessary' criteria if an "information society service" is "explicitly requested" by a user who has taken "a positive action ... for a service with a clearly defined perimeter" and where that service would "not work" without it.
"There has to be a clear link between the strict necessity of a cookie and the delivery of the service explicitly requested by the user for the exemption to apply," it said.
The Working Party added that cookies served for the purposes of delivering "specific functionality" within websites will also not be considered 'strictly necessary' unless "the functionality will not be available" without the cookie and the user has "explicitly requested" the functionality from the website.
Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that some of the detail provided by the Working Party on when website operators can serve cookies without users' consent would be helpful to businesses but that some questions remain unanswered.
"In relation to the 'strictly necessary' exception, the Article 29 Working Party has used as plain a language as possible," he said. "Cookies are only strictly necessary if the service to which they relate would not work without them."
"Put another way, it appears that the Article 29 Working Party is saying that for all services that can work 'at all' without cookies, the service provider must obtain consent before placing any cookies in relation to that service. What about where this would result in significant wasted time and costs in order for a service to operate without a cookie? Does this mean that developers must find expensive or difficult to implement workarounds whenever it is conceivably possible that a service can work without a cookie? This would seem to be an unreasonable expectation to place on business," Scanlon said.
The Article 29 Working Party is a committee made up of representatives from each of the EU national data protection authorities.
Cookies are small text files that record internet users' online activity. Cookies come in a variety of forms and differing functions for tracking user behaviour on websites.
Websites can track user behaviour during individual visits to sites (session cookies) or over multiple visits (persistent cookies) and serve one or a number of different purposes (multipurpose cookies). They can also be served by the websites themselves (first-party cookies) or on behalf of other internet firms, such as advertising networks that use (third-party) cookies to track users' online activity in order to serve them with targeted ads they consider more relevant to those users.
Cookies can also be used by social networks to track user interaction with 'plug-ins', such as Facebook's 'like' button, on other website platforms. Websites sometimes use 'flash' cookies to store information that helps to play back video or audio content, whilst other cookies can be used to authenticate user passwords to content hidden on websites.
Under the e-Privacy Directive a further exception to the consent requirement exists where the cookies is used "for the sole purpose of carrying out the transmission of a communication over an electronic communications network."
The Working Party said that in order to qualify under this consent exemption, cookies must be pivotal to the transmission of the communication and that transmission "must not be possible without the use of the cookie."
"Simply using a cookie to assist, speed up or regulate the transmission of a communication over an electronic communications network is not sufficient," it added.
The Article 29 Working Party said that only 'load balancing session cookies', that allow for the processing of web server requests to be spread over a number of computers instead of just one, would definitely not require consent in order to be served on the basis of the 'transmission' exemption.
The Working Party said that cookies served without consent under one of the exemptions should only have a "lifespan" that bears "direct relation to the purpose it is used for" and "must expire" thereafter.
The watchdogs said that most 'third party' cookies would require consent but said that some website operators serving some 'first-party' cookies may be able to rely on the 'strictly necessary' or 'transmission' exemptions to consent under select circumstances.
"Ultimately, it is thus the purpose and the specific implementation or processing being achieved that must be used to determine whether or not a cookie can be exempted," it said.
"The general approach to persistent cookies appears to be that consent is almost always needed," said Scanlon. "This definitely is the Article 29 Working Party's opinion in respect of authentication cookies where it argues that just because you consent to a website remembering your details once it does not mean that in the future you may not wish to visit that site again anonymously."
Scanlon said that the Working Party's opinion on 'multipurpose' and 'flash' cookies also provides useful guidance to website operators.
"For multipurpose cookies, each and every purpose of the cookie must be considered," Scanlon said. "Only if each purpose is exempted, will the 'strictly necessary' exemption apply. But on a good note for business, the Article 29 Working Party has confirmed that this does not mean that separate consents for each cookie or each purpose is required. A single point of consent is sufficient."
"A key point the Working Party made on flash cookies served during particular web sessions is that if websites' flash cookies have embedded additional information not strictly necessary for the purpose of making video or other flash content available, then consent will be required for those cookies," he said.
The Working Party's opinion said that 'social plug-in tracking cookies' need to be consented to by users unless the users are actively logged-in to those social networks.
"The use of third party social plug-in cookies for other purposes than to provide a functionality explicitly requested by their own members requires consent, notably if these purposes involve tracking users across websites," it said.
Scanlon said though that the Working Party had also "drawn a clear distinction" between 'tracking' cookies in the social plug-in context and 'sharing cookies', which allow users to share content on websites with friends on social media, in a way that "places sharing cookies in the exempt list subject to conditions."
The Working Party said that EU law makers should consider amending the e-Privacy Directive, if the laws are ever "re-visited in the future", to create a new exemption to consent "for cookies that are strictly limited to first party anonymized and aggregated statistical purposes."
It added that "technical solutions" currently available and also in development stage could "effectively apply privacy by design" in order to determine users' consent to third-party cookies.