RE: Art 29 WP Opinion - Cookie Consent Exemption from Sören Preibusch on 2012-06-13 (public-privacy@w3.org from April to June 2012)

From: Sören Preibusch <Soren.Preibusch@cl.cam.ac.uk>
Date: Wed, 13 Jun 2012 15:52:52 +0100
To: <runnegar@isoc.org>, "'public-privacy $W3C mailing list$'" <public-privacy@w3.org>
Message-ID: <003b01cd4974$3576e230$a064a690$@Preibusch@cl.cam.ac.uk>
Thanks for sharing. In trying to summarise, it seems that

  - session management cookies (1, 2, 3, 4, 5, 6) and
  - single-sign on cookies (2, 7)

are exempt. Looks like a sensible approach to me. Cookies for load balancing and fraud detection would also be exempted according to the UK ICO.

Sören


-----Original Message-----
From: runnegar@isoc.org [mailto:runnegar@isoc.org] 
Sent: 12 June 2012 13:51
To: public-privacy (W3C mailing list)
Subject: Art 29 WP Opinion - Cookie Consent Exemption

The Article 29 Data Protection Working Party has released an Opinion on Cookie Consent Exemption (adopted 7 June 2012)

Link to the opinion:

http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf

Link to the press release:

http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/index_en.htm#h2-1

Summary and Guidelines extracted below:

"This analysis has shown that the following cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes:

1) User input cookies (session-id), for the duration of a session or persistent cookies limited to a few hours in some cases.

2) Authentication cookies, used for authenticated services, for the duration of a session.

3) User centric security cookies, used to detect authentication abuses, for a limited persistent duration.

4) Multimedia content player session cookies, such as flash player cookies, for the duration of a session.

5) Load balancing session cookies, for the duration of session.

6) UI customization persistent cookies, for the duration of a session (or slightly more).

7) Third party social plug-in content sharing cookies, for logged in members of a social network.

Having regard to social networks, the working party notes however that the use of third party social plug-in cookies for other purposes than to provide a functionality explicitly requested by their own members requires consent, notably if these purposes involve tracking users across websites.

The working party recalls that third party advertising cookies cannot be exempted from consent, and further clarifies that consent would also be needed for operational purposes related to third party advertising such as frequency capping, financial logging, ad affiliation, click fraud detection, research and market analysis, product improvement and debugging.

While some operational purposes might certainly distinguish one user from another, in principle these purposes do not justify the use of unique identifiers. This point is of particular relevance in the context of the current discussions regarding the implementation of the Do Not Track standard in Europe.

This analysis also shows that first party analytics cookies are not exempt from consent but pose limited privacy risks, provided reasonable safeguards are in place, including adequate information, the ability to opt-out easily and comprehensive anonymisation mechanisms.

Some primary guidelines can be drawn from the analysis and the cookie use scenarios presented in this opinion:

1) When applying CRITERION B, it is important to examine what is strictly necessary from the point of view of the user, not the service provider.

2) If a cookie is used for several purposes, it can only benefit from an exemption to informed consent if each distinct purpose individually benefits from such an exemption.

3) First party session cookies are far more likely to be exempted from consent than third party persistent cookies. However the purpose of the cookie should always be the basis for evaluating if the exemption can be successfully applied rather than a technical feature of the cookie.

Ultimately, to decide if a cookie is exempt from the principle of informed consent it is important to verify carefully if it fulfils one of the two exemption criteria defined in Article 5.3 of Directive 2009/136/EC. After a careful examination, if substantial doubts remain on whether or not an exemption criterion applies, website operators should closely examine if there is not in practice an opportunity to gain consent from users in a simple unobtrusive way, thus avoiding any legal uncertainty."
Received on Wednesday, 13 June 2012 14:53:20 UTC