On 7 June 2012 the Article 29 Working Party adopted an opinion on which cookies are functional and for which (therefore) no prior consent is required.
Test for functional cookies
The Working Party makes a distinction between two types of functional cookies:
1. cookies that are used for the transmission of signals via a network;
2. cookies that are used for the provision of a service requested by the user.
Re 1. Cookies for the transmission of signals
A cookie of the first type (transmission of signals) is, according to the Working Party, only functional if the signal transmission would be impossible without the cookie. The Working Party points out that for the transmission of a signal, it is at least necessary that (1) the signal can be sent via a specified route; (2) the signal can be cut up in accordance with a specified order; and (3) errors in the transmission of the signal can be detected. If a cookie is necessary for one or more of these aspects of the signal transmission, then the relevant cookie is of a functional nature.
Re 2. Cookies for the provision of a service
In practice, the second type of cookie (provision of a service) occurs a bit more often. According to the Working Party, the test for this type of cookie is not whether the cookie is necessary for the relevant online service, but whether the cookie is necessary for the functionality (a service consists, after all, of all kinds of different functionalities).
The Working Party provides the following practical test for verifying whether a cookie is functional:
- Is the functionality not available when the cookies are deactivated?
- And has the relevant functionality been requested by the user?
Only if both questions can be answered in the affirmative does a functional cookie exist (and prior consent is therefore not required).
Examples of functional cookies
Further, the Working Party provides an extensive list of cookies that are functional:
- cookies that retain data entered by users (such as shopping carts), provided they are deleted at the end of the session;
- cookies that are used in the context of authenticating the user, provided such data is deleted at the end of the session and provided the cookies are not used for any other purpose whatsoever;
- cookies that are used in the context of security (for instance for identifying unsuccessful log-in attempts), also if the life span of those cookies is longer than the individual user session;
- cookies that are used for playing/displaying multimedia data, provided the data that are stored in the cookie remain restricted to the technical data connected with playing and provided the cookie is deleted at the end of the session;
- cookies that are used in the context of load balancing, provided the validity of the cookie is limited to the specific session;
- cookies that store preferences regarding the display of data on a website, provided the storage is restricted to the session (unless consent has been obtained for longer storage);
- cookies of social networks that are used for enabling members of that social network to use plug-ins on other websites, provided those cookies are valid only during a session and provided those cookies are not used for any purpose other than offering the service offered via the plug-in (i.e., not to track the user).
Examples of non-functional cookies
In addition, the Working Party also provides a list of (frequently occurring) cookies that are, in any case, not functional:
- tracking cookies that are used via plug-ins of social networks to track non-members or to track members without having obtained their express consent to that end;
- tracking cookies that are used by advertisers;
- cookies that are used for statistical purposes.
Do Not Track standard
At the moment, work is being conducted on the development of a Do Not Track standard, by which surfers can indicate that they do not wish to be tracked on the Internet. The Working Party is critical of the latest developments in this area and expressly points out in that context that the Do Not Track standard, which is currently being developed, may not contain any exemptions:
“In order for the Do Not Track standard to bring compliance to companies serving cookies to European citizens, Do Not Track must effectively mean ‘Do Not Collect’ without exceptions. Therefore where a user has expressed the preference to not be tracked (DNT=1) no identifier, for the purpose of tracking, must be set or otherwise processed. There are technical solutions available, and many more are currently being developed, to effectively apply privacy by design, both within the web browser and on the server side to achieve the operational purposes described above.”
Cookies for statistical purposes
Cookies for statistical purposes are not of a functional nature. Compiling statistical data is, after all, not necessary for the requested service to be performed.
It is notable that the Working Party points out that for first party cookies, which are used for statistical purposes, the privacy risk is rather small (that does not apply to third party cookies for statistical purposes). In other words: whoever uses server side solutions for measuring statistical data on the use of a website (such as the open source program Piwik) could, in the view of the Working Party, from time to time get off scot-free for using cookies that involve that technology. However, whoever uses an external provider for measuring statistical data (such as Google Analytics) will, in any case, not get away with it.
The privacy risk for first party cookies for statistical purposes is, according to the Working Party, so small that this justifies a supplemental exemption in the law. Consequently, the Working Party is proposing that, in the event of any future amendment to the cookie legislation, first party cookies for statistical purposes be considered functional cookies:
“In this regard, should article 5.3 of the Directive 2002/58/EC be re-visited in the future, the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first party anonymized and aggregated statistical purposes. First party analytics should be clearly distinguished from third party analytics, which use a common third party cookie to collect navigation information related to users across distinct websites, and which pose a substantially greater risk to privacy.”
Article 29 Working Party and cookies
The Article 29 Working Party is an independent consultative body that issues opinions and makes recommendations concerning European privacy law. The Working Party consists largely of the joint European privacy authorities. On behalf of the Netherlands, Mr Jacob Kohnstamm has a seat in the Working Party (and is incidentally also the chairman thereof). Mr Kohnstamm is also chairman of the Dutch Data Protection Authority.
The cookie legislation is not enforced in all Member States of the European Union by the privacy authorities that have a seat in the Article 29 Working Party. For instance, in the Netherlands OPTA monitors compliance with the cookie legislation and not the Data Protection Authority. It remains to be seen whether OPTA is of the same opinion as the Article 29 Working Party regarding functional cookies.