The strictly, absolutely, unequivocally, completely and utterly necessary, cookies
Jul 3, 2012
Cookies are continuing to be thrust into the legal spotlight following 26th May 2012. This is the date from which the Information Commissioner will supposedly start clamping down on cookie law breaches. This comes after previously giving websites a year to comply with the new Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. Some background In order for cookies to be placed on a user’s machine, “informed consent” must be obtained. However, there are exceptions to this requirement, including for cookies that are “strictly necessary”. But what does “strictly necessary” actually mean? The ICO’s own guidance define such cookies as having to be “…essential, rather than reasonably necessary…” and that cookies deemed “important” would need to have informed consent obtained. A bit of clarity Enter the Article 29 Working Party, “an independent European advisory body on data protection and privacy”. The Working Party have provided a 12 page “opinion” (being guidance rather than law) on what is meant by “strictly necessary”. So what does it say? For a cookie to be strictly necessary, it should:
- provide a specific functionality which cannot be provided without the cookie; and
- that functionality has to be specifically requested by the user.
[caption id="" align="alignleft" width="195"] An Article 29 Party. How it might have looked?[/caption] The Working Party also discusses the distinction between “first party” cookies (those set up by the operator of a website) and “third party” cookies (set up by those not operating the website). Since third party cookies are usually related to a service not explicitly requested by the user, first party cookies are deemed more likely to be exempted from consent. Still not clear? The Working Party anticipated this and provided some examples on the type of cookies that may benefit from the exemption... The Examples “User Input” cookies – those that keep track of a user’s input (such as filling in forms over a number of pages or a shopping cart). “Authentication” cookies” – identify a user once logged into a website. The opinion emphasises that the “…act of authentication shouldn’t be taken as an opportunity to use the cookie for secondary purposes, such as behavioural monitoring…without consent”. “User centric security” cookies – those set up for increasing security (detecting repeated failed log in attempts). “Multimedia player” cookies – those used to store technical data for video or audio playback, such as image quality and network speeds. “Load balancing” cookies – cookies used to manage the distribution of web requests from users to servers. “UI customisation” cookies – those that remember a user’s preferences on a web page not linked to a user’s username. However, there is some confusion here, since the opinion indicates such cookies are only set is explicitly requested (such as clicking a button or ticking a box), which seems to be contrary to cookies being strictly necessary and not needing consent. “Social plug in content sharing” cookies – cookies used by social media plug in modules (which, for example, allow users of social networks to share content) permitting social networks to identify their members when interacting with the plug-ins. Although following the guidance will not guarantee avoiding the ICO’s attention, it’s hoped the information will at least assist website operators in trying to comply with the regulations. If you need any more information on cookies, get in touch with one of our data protection lawyers. If you want to send us actual cookies, our address is below.