One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Art.29WP on Cookies - specific and pragmatic advice

Thursday, January 3, 2013 - 11:37

The e-Privacy Directive's provisions on cookies exempt two classes of cookies from the requirement to gain consent (though if they relate to individual users, websites still need to inform users about them, under data protection law):

CRITERION A: the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.
CRITERION B: the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.

The Article 29 Working Party has now provided very detailed interpretations of a number of common cookie functions and whether they are likely to be covered by those exemptions. I don't think any of the outcomes are surprising if you've been reading the Information Commissioner's guidance, but it's helpful to have this clear statement of both the guidance and the legal reason for it.

It's well worth reading the document, as the analysis will only apply where a cookie is only used for that specific purpose and where its lifetime is kept to the minimum necessary, and there may be other restrictions. My summary is as follows:

  • User-input cookies (e.g. shopping carts): probably exempt under Criterion B (but note comments on cookie lifetime);
  • Authentication cookies: probably exempt under Criterion B if used within a single browser session; need to warn the user beforehand (i.e. get implied consent) if the cookie will persist across browser sessions;
  • User-centric security cookies (e.g. to detect repeated login failures): may be exempt under Criterion B, but need to check specific details;
  • Multi-media Player Session Cookies: probably exempt under Criterion B, but make sure they aren't used for other purposes;
  • Load-balancing Session Cookies: probably exempt under Criterion A;
  • UI Customisation Cookies: short-lifetime cookies probably exempt under Criterion B, for longer lifetimes obtain implied consent as for authentication cookies;
  • Social Plug-in Sharing Cookies: may be exempt under Criterion B, but only if they are restricted to logged-in users and limited to a session.

Social plug-in tracking cookies and advertising cookies are explicitly said not to be exempt, and the Working Party stress that this includes cookies that are used only to collect profiling information but do not display adverts to the current user.

Finally, and apparently with considerable regret, the Working Party conclude that first-party analytic cookies are not covered by either exemption. However:

the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses.

There's even a suggestion that when the Directive is next revised

the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first party anonymized and aggregated statistical purposes