You can break EU cookie rules ... if your site breaks without cookies
It's the way the cookie crumbles when you split hairs
'Consent is almost always needed'
The Working Party said that cookies served without consent under one of the exemptions should only have a "lifespan" that bears "direct relation to the purpose it is used for" and "must expire" thereafter.
The watchdogs said that most 'third party' cookies would require consent but said that some website operators serving some 'first-party' cookies may be able to rely on the 'strictly necessary' or 'transmission' exemptions to consent under select circumstances.
"Ultimately, it is thus the purpose and the specific implementation or processing being achieved that must be used to determine whether or not a cookie can be exempted," it said.
"The general approach to persistent cookies appears to be that consent is almost always needed," said Scanlon. "This definitely is the Article 29 Working Party's opinion in respect of authentication cookies where it argues that just because you consent to a website remembering your details once it does not mean that in the future you may not wish to visit that site again anonymously."
Scanlon said that the Working Party's opinion on multipurpose and flash cookies also provides useful guidance to website operators.
"For multipurpose cookies, each and every purpose of the cookie must be considered," Scanlon said. "Only if each purpose is exempted, will the 'strictly necessary' exemption apply. But on a good note for business, the Article 29 Working Party has confirmed that this does not mean that separate consents for each cookie or each purpose is required. A single point of consent is sufficient."
"A key point the Working Party made on flash cookies served during particular web sessions is that if websites' flash cookies have embedded additional information not strictly necessary for the purpose of making video or other flash content available, then consent will be required for those cookies," he said.
The Working Party's opinion said that 'social plug-in tracking cookies' need to be consented to by users unless the users are actively logged-in to those social networks.
"The use of third party social plug-in cookies for other purposes than to provide a functionality explicitly requested by their own members requires consent, notably if these purposes involve tracking users across websites," it said.
Scanlon said though that the Working Party had also "drawn a clear distinction" between tracking cookies in the social plug-in context and sharing cookies, which allow users to share content on websites with friends on social media, in a way that "places sharing cookies in the exempt list subject to conditions".
The Working Party said that EU law makers should consider amending the e-Privacy Directive, if the laws are ever "re-visited in the future", to create a new exemption to consent "for cookies that are strictly limited to first party anonymised and aggregated statistical purposes."
It added that "technical solutions" currently available and also in development stage could "effectively apply privacy by design" in order to determine users' consent to third-party cookies.
Copyright © 2012, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.
Sponsored: The Nuts and Bolts of Ransomware in 2016