
ePrivacy - cookie provisions

Scope of application 

The ePrivacy Directive, also known as the “EU cookie law”, is a piece of EU legislation that regulates access to and storage of information on the end-user device. It contains specific rules on how websites are allowed to acquire not only personal but also non-personal information from users or website visitors through cookies and other web trackers. The content of the Directive has been implemented into national laws such as the Austrian TKG and the German TTDSG.

Under Article 5 (3) of the ePrivacy Directive, storing information on the end-user device, or accessing information already stored there, is only allowed after the user has given their explicit consent and has been provided with clear and comprehensive information about the purposes of processing.

The exemption from user consent 

The ePrivacy Directive exempts access to and storage of information on the end user device which is:

  • technically required for the sole purpose of carrying out the transmission in the electronic communications network;

Examples of technically required cookies:

According to the European Data Protection Board (EDPB) as well as several Data Protection Authorities, the use of cookies with the following functionalities qualifies as technically required:

  • the ability to route the information over the network, in particular by identifying the communication endpoints,

  • the ability to exchange data elements in their intended sequence, in particular by numbering the data packets, and

  • the ability to detect transmission errors or data loss. 

  • strictly necessary in order to provide an Information Society service explicitly requested by the user;

“Strictly necessary” cookies are essential for the basic services of a website and its ancillary functionalities, which an average user would expect when surfing through a webpage. 

“Third-party” cookies, which are set by websites other than the one the user is currently on, could only qualify as “strictly necessary” if:

  • they are essential for carrying out the communication service and 

  • solely the website provider is entitled to use the data (under a Data processing agreement with the third-party cookie provider).

Therefore, third-party cookies that enable services, distinct from the one “explicitly requested” by the user, e.g. targeted advertising, cannot qualify as “strictly necessary”. 

In contrast to “third-party” cookies, “first-party” cookies are set by the website operator whose page is visited by the user. Therefore, such cookies are far more likely to be exempted from consent than “third-party” cookies, because they often enable functionalities closely related to the service “explicitly requested” by the user, and the data collected is used solely by the first party (website operator) to provide such service.

Examples of cookies that may fall under the "strictly necessary" category include:

  • User input cookies (e.g., shopping cart, online forms)

  • Load balancing session cookies (e.g., log-in cookies)

  • Session cookies for multimedia players (e.g., to store technical data required for media playback)

  • Cookies for user preference customization (e.g., to store language and country preferences)

  • Cookies for CMP reporting (to store opt-in and opt-out)

  • AdServer cookies: country and language targeting

  • Tag management system cookies (to activate the system)

  • First-party analytics cookies (aggregated statistical information)

  • Chat bots, feedback tools (once initiated by the user)

  • Content sharing cookies from social plug-ins (e.g. to share content with “friends” – only in case the website visitors are logged in to the corresponding network and the cookies do not have a storage period beyond closing the web browser, otherwise consent is required)

Ultimately, whether the use of cookies is exempted from user consent comes down to the purpose you want to achieve with your cookies and whether you process more data than is needed to achieve this purpose. The EDPS Necessity Toolkit provides useful guidelines for the assessment of your data processing and the “strict necessity” of your cookies.  

The result of the “necessity test” could be that first-party cookies are strictly necessary, while for third-party cookies consent would most likely be required.

Even in the case where consent is not required for the setting of the cookie, the website operator must explain to the user what such strictly necessary or technically required cookies do and why they are needed on the website. This is usually done in the Privacy Policy.
