Feeds

You can break EU cookie rules ... if your site breaks without cookies

It's the way the cookie crumbles when you split hairs

5 things you didn’t know about cloud backup

'Consent is almost always needed'

The Working Party said that cookies served without consent under one of the exemptions should only have a "lifespan" that bears "direct relation to the purpose it is used for" and "must expire" thereafter.

The watchdogs said that most 'third party' cookies would require consent but said that some website operators serving some 'first-party' cookies may be able to rely on the 'strictly necessary' or 'transmission' exemptions to consent under select circumstances.

"Ultimately, it is thus the purpose and the specific implementation or processing being achieved that must be used to determine whether or not a cookie can be exempted," it said.

"The general approach to persistent cookies appears to be that consent is almost always needed," said Scanlon. "This definitely is the Article 29 Working Party's opinion in respect of authentication cookies where it argues that just because you consent to a website remembering your details once it does not mean that in the future you may not wish to visit that site again anonymously."

Scanlon said that the Working Party's opinion on multipurpose and flash cookies also provides useful guidance to website operators.

"For multipurpose cookies, each and every purpose of the cookie must be considered," Scanlon said. "Only if each purpose is exempted, will the 'strictly necessary' exemption apply. But on a good note for business, the Article 29 Working Party has confirmed that this does not mean that separate consents for each cookie or each purpose is required. A single point of consent is sufficient."

"A key point the Working Party made on flash cookies served during particular web sessions is that if websites' flash cookies have embedded additional information not strictly necessary for the purpose of making video or other flash content available, then consent will be required for those cookies," he said.

The Working Party's opinion said that 'social plug-in tracking cookies' need to be consented to by users unless the users are actively logged-in to those social networks.

"The use of third party social plug-in cookies for other purposes than to provide a functionality explicitly requested by their own members requires consent, notably if these purposes involve tracking users across websites," it said.

Scanlon said though that the Working Party had also "drawn a clear distinction" between tracking cookies in the social plug-in context and sharing cookies, which allow users to share content on websites with friends on social media, in a way that "places sharing cookies in the exempt list subject to conditions".

The Working Party said that EU law makers should consider amending the e-Privacy Directive, if the laws are ever "re-visited in the future", to create a new exemption to consent "for cookies that are strictly limited to first party anonymised and aggregated statistical purposes."

It added that "technical solutions" currently available and also in development stage could "effectively apply privacy by design" in order to determine users' consent to third-party cookies.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Build a business case: developing custom apps

More from The Register

next story
Microsoft: Azure isn't ready for biz-critical apps … yet
Microsoft will move its own IT to the cloud to avoid $200m server bill
Shoot-em-up: Sony Online Entertainment hit by 'large scale DDoS attack'
Games disrupted as firm struggles to control network
Silicon Valley jolted by magnitude 6.1 quake – its biggest in 25 years
Did the earth move for you at VMworld – oh, OK. It just did. A lot
VMware's high-wire balancing act: EVO might drag us ALL down
Get it right, EMC, or there'll be STORAGE CIVIL WAR. Mark my words
Forrester says it's time to give up on physical storage arrays
The physical/virtual storage tipping point may just have arrived
Better be Nimble, tech giants, or mutant upstarts will make off with your sales
Usual suspects struggling to create competing products
VMware vaporises vCHS hybrid cloud service
AnD yEt mOre cRazy cAps to dEal wIth
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.