Feeds

You can break EU cookie rules ... if your site breaks without cookies

It's the way the cookie crumbles when you split hairs

Secure remote control for conventional and virtual desktops

'Consent is almost always needed'

The Working Party said that cookies served without consent under one of the exemptions should only have a "lifespan" that bears "direct relation to the purpose it is used for" and "must expire" thereafter.

The watchdogs said that most 'third party' cookies would require consent but said that some website operators serving some 'first-party' cookies may be able to rely on the 'strictly necessary' or 'transmission' exemptions to consent under select circumstances.

"Ultimately, it is thus the purpose and the specific implementation or processing being achieved that must be used to determine whether or not a cookie can be exempted," it said.

"The general approach to persistent cookies appears to be that consent is almost always needed," said Scanlon. "This definitely is the Article 29 Working Party's opinion in respect of authentication cookies where it argues that just because you consent to a website remembering your details once it does not mean that in the future you may not wish to visit that site again anonymously."

Scanlon said that the Working Party's opinion on multipurpose and flash cookies also provides useful guidance to website operators.

"For multipurpose cookies, each and every purpose of the cookie must be considered," Scanlon said. "Only if each purpose is exempted, will the 'strictly necessary' exemption apply. But on a good note for business, the Article 29 Working Party has confirmed that this does not mean that separate consents for each cookie or each purpose is required. A single point of consent is sufficient."

"A key point the Working Party made on flash cookies served during particular web sessions is that if websites' flash cookies have embedded additional information not strictly necessary for the purpose of making video or other flash content available, then consent will be required for those cookies," he said.

The Working Party's opinion said that 'social plug-in tracking cookies' need to be consented to by users unless the users are actively logged-in to those social networks.

"The use of third party social plug-in cookies for other purposes than to provide a functionality explicitly requested by their own members requires consent, notably if these purposes involve tracking users across websites," it said.

Scanlon said though that the Working Party had also "drawn a clear distinction" between tracking cookies in the social plug-in context and sharing cookies, which allow users to share content on websites with friends on social media, in a way that "places sharing cookies in the exempt list subject to conditions".

The Working Party said that EU law makers should consider amending the e-Privacy Directive, if the laws are ever "re-visited in the future", to create a new exemption to consent "for cookies that are strictly limited to first party anonymised and aggregated statistical purposes."

It added that "technical solutions" currently available and also in development stage could "effectively apply privacy by design" in order to determine users' consent to third-party cookies.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ellison: Sparc M7 is Oracle's most important silicon EVER
'Acceleration engines' key to performance, security, Larry says
Linux? Bah! Red Hat has its eye on the CLOUD – and it wants to own it
CEO says it will be 'undisputed leader' in enterprise cloud tech
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Hey, what's a STORAGE company doing working on Internet-of-Cars?
Boo - it's not a terabyte car, it's just predictive maintenance and that
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.