The European Union’s Article 29 Data Protection Working Party (WP 29) released its Opinion 04/2012 on Cookie Consent Exemption today. The opinion is released amidst the implementation of Directive 2009/136/EC (“Cookie Directive”) in most member states and aims to clarify the circumstances in which cookies are exempted from the informed consent requirement.
In its opinion, WP 29 focuses on the two “exemption criteria” established under article 5.3 of the Cookie Directive: if the cookie is, (a) used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” or (b) “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”. The opinion describes a variety of circumstances in which these exemption criteria do not apply; forcing controllers, processors, and third party actors to obtain informed consent before using a cookie.
Three general guidelines are drawn from the WP 29 analysis: (1) exemption under Criterion B must be evaluated “form the point of view of the user, not the service provider”, (2) “if a cookie is used for several purposes, it can only benefit from the exemption to informed consent if each distinct purpose individually benefits from such an exemption”; and (3) “The purpose of the cookie should always be the basis for evaluating if the exemption can be successfully applied rather than a technical feature of the cookie.”
Interestingly, social plug-in content sharing cookies can be considered exempt from the informed consent requirement in limited circumstances. On the other hand, third party advertising cookies, including cookies used for fraud detection purposes, are not considered to be exempt from consent requirements because “neither of these purposes can be considered to be related to a service or functionality of an information society service explicitly requested by the user.”