Scope of application
The ePrivacy Directive, also known as the “EU cookie law”, is a piece of EU legislation that regulates the access to and storage of information on the end user device. It contains specific rules on how websites are allowed to acquire not only personal, but also non-personal information from users or website visitors through cookies and other web trackers. The content of the Directive has been implemented into national laws such as the Austrian TKG and the German TTDSG.
Under Article 5 (3) of the ePrivacy Directive the storage of information or the access to information stored in the end user device is only allowed after the user has given their explicit consent and has been provided with clear and comprehensive information about the purposes of processing.
The exemption from user consent
The ePrivacy Directive exempts access to and storage of information on the end user device which is:
technically required for the sole purpose of carrying out the transmission in the electronic communications network;
Examples of technically required cookies:
the ability to route the information over the network, in particular by identifying the communication endpoints,
the ability to exchange data elements in their intended sequence, in particular by numbering the data packets, and
the ability to detect transmission errors or data loss.
strictly necessary in order to provide an Information Society service explicitly requested by the user;
“Strictly necessary” cookies are essential for the basic services of a website and its ancillary functionalities, which an average user would expect when surfing through a webpage.
“Third-party” cookies, which are set by parties other than the operator of the website the user is currently on, could only qualify as “strictly necessary” if:
they are essential for carrying out the communication service and
solely the website provider is entitled to use the data (under a Data processing agreement with the third-party cookie provider).
Therefore, third-party cookies that enable services, distinct from the one “explicitly requested” by the user, e.g. targeted advertising, cannot qualify as “strictly necessary”.
In contrast to “third-party” cookies, “first-party” cookies are set by the website operator whose page is visited by the user. Such cookies are therefore far more likely to be exempted from consent than “third-party” cookies, because they often enable functionalities closely related to the service “explicitly requested” by the user and the data collected is used solely by the first party (website operator) to provide that service.
Examples of cookies that may fall under the “strictly necessary” category include:
User input cookies (e.g., shopping cart, online forms)
Load balancing session cookies (e.g., log-in cookies)
Session cookies for multimedia players (e.g., to store technical data required for media playback)
Cookies for user preference customization (e.g., to store language and country preferences)
Cookies for CMP reporting (to store opt-in and opt-out)
AdServer cookies: country and language targeting
Tag management system cookies (to activate the system)
First-party analytics cookies (aggregated statistical information)
Chat bots, feedback tools (once initiated by the user)
Content sharing cookies from social plug-ins (e.g. to share content with “friends” – only in case the website visitors are logged in to the corresponding network and the cookies do not have a storage period beyond closing the web browser, otherwise consent is required)
The result of the “necessity test” could be that first-party cookies are strictly necessary, while for third-party cookies consent would most likely be required.