Privacy & Information Security Law Blog

On October 2, 2013, the Article 29 Working Party (the “Working Party”) issued a Working Document providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU legal requirements (“Working Document”).

Article 5.3 of the revised e-Privacy Directive 2002/58/EC imposes an obligation to obtain web users’ consent for the storage of, or access to, cookies and similar technologies. Under EU data protection law, consent must satisfy certain conditions in order to be valid, as explained in the Working Party’s Opinion of July 13, 2011 on the concept of consent (i.e., consent must be “unambiguous,” “specific and informed,” and “freely given” “before the processing starts”).

The Working Document specifies the main components of cookie consent mechanisms in order to satisfy those conditions in each EU Member State.

According to the Working Document, a consent mechanism should include each of the following elements:

Specific Information
When consent is sought, users must be provided with a clear, comprehensive and visible notice on the use of cookies on the website (i.e., on the webpage where users begin their browsing session). The notice should (1) describe all the types of cookies being used by the website and their purposes (including cookies from third parties or third-party access to data collected by the cookies on the website) and (2) explain how users can accept all, some or no cookies and how they can change the cookie settings in the future. Information such as the retention period (i.e., the cookie expiration date) and typical values also should be included to fully inform users.

Consent Should Be Sought Before Cookies Are Set or Read
According to the Working Document, this means that website operators must implement a solution in which no cookies are placed on the user’s device (other than those that do not require the user’s consent such as those cookies that are strictly necessary for the operation of the website) before that user has expressed his or her consent.

Active Behavior
In the view of the Working Party, consent should result from a positive action or other active behavior of users, provided that they have been informed of the consequences of their action or behavior. Users may express their consent either by (1) clicking on a button or link, (2) ticking a box in or close to the space where information on the use of cookies is presented, or (3) any other active behavior from which a website operator can unambiguously conclude that the user consented. Cookie consent tools may include splash screens, banners or modal dialog boxes. The Working Document recalls that browser settings may express users’ consent only in limited circumstances (i.e., where the website operator is confident that the user has been fully informed and has actively configured his or her browser).

Real Choice
The Working Document clarifies that websites should not condition general access to their site on the acceptance of all cookies. Users should be given a real choice regarding cookies that are not needed in relation to the purpose of provision of the website service, but instead only provide additional benefits to the website operator. The Working Document gives the example of e-commerce websites and notes that not accepting non-functional cookies should not prevent a user from buying products on these websites. Users also should be offered a real choice regarding tracking cookies generally used to follow individual behavior across websites, create profiles based on that behavior, infer interests, and take decisions affecting people individually.