ePrivacy - cookie provisions
  • 21 Sep 2022


The ePrivacy Directive, also known as the “EU cookie law”, is a piece of EU legislation that regulates access to and storage of information on the end user device. It contains specific rules on how websites are allowed to acquire not only personal, but also non-personal information from users or website visitors through cookies and other web trackers. The content of the Directive has been implemented into national laws such as the Austrian TKG and the German TTDSG.

Under Article 5 (3) of the ePrivacy Directive the storage of information or the access to information stored in the end user device is only allowed after the user has given his or her informed consent and has been provided with clear and comprehensive information about the purposes of processing.

 

The exemption from user consent

The ePrivacy Directive exempts access to and storage of information on the end user device which is:

 

  • technically required for the sole purpose of carrying out the transmission in the electronic communications network;

 

According to the European Data Protection Board (EDPB) as well as several Data Protection Authorities, cookies with the following functionalities qualify as technically required:


- the ability to route the information over the network, in particular by identifying the communication endpoints,


- the ability to exchange data elements in their intended sequence, in particular by numbering the data packets, and


- the ability to detect transmission errors or data loss.

 

  • strictly necessary in order to provide an Information Society service explicitly requested by the user;

 

“Strictly necessary” cookies are essential for the basic services of a website and its ancillary functionalities, which an average user would expect when surfing through a webpage. Examples of cookies that serve a service “explicitly requested” by the user are cookies that allow online shops to hold items in the user’s shopping cart, or that store the user's consent or non-consent, or language preferences.

“Third-party” cookies, which are set by websites other than the one the user is currently on, could only qualify as “strictly necessary” if:


- they are essential for carrying out the communication service and 

- solely the website provider is entitled to use the data (under a Data processing agreement with the third-party cookie provider)

 

Therefore, third-party cookies that enable services, distinct from the one “explicitly requested” by the user, e.g. targeted advertising, cannot qualify as “strictly necessary”. 

 

In contrast to “third-party” cookies, “first-party” cookies are set by the website operator whose page is visited by the user. Therefore, such cookies are far more likely to be exempted from consent than “third-party” cookies, because they often enable functionalities closely related to the service “explicitly requested” by the user and the data collected is used solely by the first party (website operator) to provide such service.

 

Examples of cookies that may fall into the "strictly necessary" category include:
  • User input cookies (e.g., shopping cart, online forms)
  • Load balancing session cookies (e.g., log-in cookies)
  • Session cookies for multimedia players (e.g., to store technical data required for media playback)
  • Cookies for user preference customization (e.g., to store language and country preferences)
  • Cookies for CMP reporting (to store opt-in and opt-out)
  • AdServer cookies: country and language targeting
  • Tag management system cookies (to activate the system)
  • 1st-party analytics cookies (aggregated statistical information)
  • Chat bots, feedback tools (once initiated by the user)
  • Content sharing cookies from social plug-ins (e.g. to share content with “friends” – only in case the website visitors are logged in to the corresponding network and the cookies do not have a storage period beyond closing the web browser, otherwise consent is required)

Ultimately, whether the use of cookies is exempted from user consent comes down to the purpose you want to achieve with your cookies and whether the data you process is not more than what is needed to achieve this purpose. The EDPS Necessity Toolkit provides useful guidelines for the assessment of your data processing and thus of the “strict necessity” of your cookies.  

 

The result of the “necessity test” could be that 1st party cookies can be considered strictly necessary, while for 3rd party cookies consent is most likely required.

 

Even where consent is not required for setting the cookie, the website operator must explain to the user what such strictly necessary or technically required cookies do and why they are needed on the website. This is usually done in the privacy policy.




