ARTICLE 29 DATA PROTECTION WORKING PARTY
1676/13/EN WP 208
Working Document 02/2013 providing guidance on obtaining consent for cookies
Adopted on 2 October 2013
This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The secretariat is provided by Directorate C (Fundamental Rights and Union Citizenship) of the European Commission, Directorate General Justice, B-1049 Brussels, Belgium, Office No MO-59 02/013. Website: http://ec.europa.eu/justice/data-protection/index_en.htm
As from January 2013. As described in Opinion 04/2012, the term cookie encompasses a range of technologies but centred on the HTTP cookie. 3 E.g. social plug-in tracking cookies, third party advertising or analytics as mentioned in the Cookie Consent Exemption Opinion. 2
Opinion 15/2011 on the definition of consent. Also, the proposed text of the future EU Regulation on data protection refers to consent as signified by “clear affirmative action”. 6 Clarifications in the Opinion 2/2010 on Online Behavioural Advertising. 5
Opinion 15/2011 on the definition of consent. For further clarifications on exemptions see Cookie Consent Exemption Opinion.
processing of personal data10, in this case data protection rules clearly apply. One of the principles that need to be taken into account is that the processed data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed (Article 6.1(c)). If certain cookies are therefore not needed in relation to the purpose of provision of the website service, but only provide for additional benefits of the website operator, the user should be given a real choice regarding those cookies. The types of cookies that might be disproportionate in relation to the purpose of the website may vary depending on the context. An example, where consent to non-necessary cookies would be considered disproportionate are websites providing certain services, where the user could be seen as having few or no other options but to use the service, and thus having no real choice as to the usage of cookies. In most EU Member States this is particularly the case with public sector services11. Users should also be offered a real choice regarding tracking cookies. Such tracking cookies are generally used to follow individual behaviour across websites, create profiles based on that behaviour, infer interests, and take decisions affecting people individually. When tracking cookies are being used to single out people in this way, they are likely to be personal data. For the processing of the personal data that goes together with the reading and setting of tracking cookies the data controller needs to obtain the unambiguous consent of the user. A decision regarding a breach of the mentioned principle would be made on a case by case basis by the national authority competent to oversee the relevant provision of the data protection legislation.
Done at Brussels, on 2 October 2013 For the Working Party The Chairman Jacob KOHNSTAMM
As was clarified also by the Opinion 2/2010 on Online Behavioural Advertising In most EU Member States making access to public service websites conditional is not seen as lawful.