No need for informed consent for authentication and session-ID cookies

The EU Data Protection Authorities have analysed the exemptions to the requirement for informed consent in the e-Privacy Directive, and conclude that some cookies can be exempted from informed consent under certain conditions, if they are not used for additional purposes.

These cookies include session-ID cookies (used to keep track of the user’s input when filling online forms or as a shopping cart), multimedia player session cookies (used to store technical data needed to play back video or audio content), authentication cookies (used to identify the user once he/she has logged in), and user interface customisation cookies (used to signify for example language preferences).

Social plug-in tracking cookies, third-party cookies used for behavioural advertising and first party analytics cookies are not exempt from the consent requirement.  However, the EU Art. 29 Data Protection Working Party says that “first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymisation mechanisms that are applied to other collected identifiable information such as IP  addresses.”

The opinion of the EU Article 29 Working Party was published on 12 June 2012.

PL&B's 25th Annual International Conference in Cambridge 2-4 July 2012 will discuss the new cookie requirements and how companies are implementing them.