Feeds

You can break EU cookie rules ... if your site breaks without cookies

It's the way the cookie crumbles when you split hairs

Combat fraud and increase customer satisfaction

'Consent is almost always needed'

The Working Party said that cookies served without consent under one of the exemptions should only have a "lifespan" that bears "direct relation to the purpose it is used for" and "must expire" thereafter.

The watchdogs said that most 'third party' cookies would require consent but said that some website operators serving some 'first-party' cookies may be able to rely on the 'strictly necessary' or 'transmission' exemptions to consent under select circumstances.

"Ultimately, it is thus the purpose and the specific implementation or processing being achieved that must be used to determine whether or not a cookie can be exempted," it said.

"The general approach to persistent cookies appears to be that consent is almost always needed," said Scanlon. "This definitely is the Article 29 Working Party's opinion in respect of authentication cookies where it argues that just because you consent to a website remembering your details once it does not mean that in the future you may not wish to visit that site again anonymously."

Scanlon said that the Working Party's opinion on multipurpose and flash cookies also provides useful guidance to website operators.

"For multipurpose cookies, each and every purpose of the cookie must be considered," Scanlon said. "Only if each purpose is exempted, will the 'strictly necessary' exemption apply. But on a good note for business, the Article 29 Working Party has confirmed that this does not mean that separate consents for each cookie or each purpose is required. A single point of consent is sufficient."

"A key point the Working Party made on flash cookies served during particular web sessions is that if websites' flash cookies have embedded additional information not strictly necessary for the purpose of making video or other flash content available, then consent will be required for those cookies," he said.

The Working Party's opinion said that 'social plug-in tracking cookies' need to be consented to by users unless the users are actively logged-in to those social networks.

"The use of third party social plug-in cookies for other purposes than to provide a functionality explicitly requested by their own members requires consent, notably if these purposes involve tracking users across websites," it said.

Scanlon said though that the Working Party had also "drawn a clear distinction" between tracking cookies in the social plug-in context and sharing cookies, which allow users to share content on websites with friends on social media, in a way that "places sharing cookies in the exempt list subject to conditions".

The Working Party said that EU law makers should consider amending the e-Privacy Directive, if the laws are ever "re-visited in the future", to create a new exemption to consent "for cookies that are strictly limited to first party anonymised and aggregated statistical purposes."

It added that "technical solutions" currently available and also in development stage could "effectively apply privacy by design" in order to determine users' consent to third-party cookies.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

3 Big data security analytics techniques

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Kingston DataTraveler MicroDuo: Turn your phone into a 72GB beast
USB-usiness in the front, micro-USB party in the back
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
BOFH: Oh DO tell us what you think. *CLICK*
$%%&amp Oh dear, we've been cut *CLICK* Well hello *CLICK* You're breaking up...
AMD's 'Seattle' 64-bit ARM server chips now sampling, set to launch in late 2014
But they won't appear in SeaMicro Fabric Compute Systems anytime soon
Cisco reps flog Whiptail's Invicta arrays against EMC and Pure
Storage reseller report reveals who's selling what
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.