Cookies — the small, flat, and flavorsome baked sweet is everyone’s favorite. There is hardly anyone who dislikes them. However, we are here to discuss the cookies that are neither sweet nor appetizing. They are called the website or HTTP cookies. Cookies have been the center of many discussions ever since many data privacy laws have been enacted. Their rules and regulation have affected the way the cookies are being used on a website. No more days of using spying and tracking cookies without letting the users know and getting their consent for it. That is why see so many websites using cookie consent notices or banners.
There are a few confusions related to what type of cookies need consent from the users. In this article, we will try to clear it by breaking down the Working Party 29 Opinion 04/2012 on Cookie Consent Exemption.
To determine if a cookie is strictly necessary and is exempted from informed consent to be stored on the user’s device, it needs to meet at least one of two criteria: 1) the cookie solely used for data transmission over an electronic communication network, 2) the cookie is used for services explicitly requested by the user.
If the cookies do not meet any one of these two criteria, the website must inform its users about and gain their consent to use them.
CookieYes recognizes the strictly necessary category of cookies and auto-blocks the other cookies before getting user consent.
What are different types of cookies?
There are different types of cookies depending upon their purpose, duration, and source:
- Necessary or essential cookies: as the name suggests, these cookies are necessary for a website to function properly. Without these cookies, the website may not be able to provide many services that the users expect from it. For e.g. cookies that allow e-commerce websites to hold your items in the shopping cart.
- Non-necessary or non-essential cookies: these cookies are not necessary for a website for its basic functionality. If these cookies are disabled, the website will still function smoothly and the user can access its services. These often have a different purpose that is unrelated to the functionalities of the website. For e.g. Cookies set by Facebook pixel.
- First-party cookies: These are the cookies used by the website the user visits. Such cookies are often used for the functionalities of the website. For e.g. You do not need to log in to a website using a username and password on successive visits following your first visit login on the website. These are due to the cookies that the website stored on your browser to identify you.
- Third-party cookies: These are the cookies used by a service, tool, or website other than the website the user visits. Another party that uses these cookies often has their own purpose or they are in a contractual or technical agreement with the website the user visits. For e.g. When you search for a product on an e-commerce store, you will likely receive ads about it on another, un-related website. Such cookies track and monitor your online behavior for targeted advertising, marketing research, or third-party analytics.
The third-party cookies are most often referred to as tracking cookies and remain at the center of privacy risks when it comes to cookies. The guidelines of many data privacy laws have affected and regulated the use of third-party cookies.
- Session cookies: These are short-lived cookies that expire when the user session o a website is over or when the user closes the browser. For e.g. when you fill any online form, the website remembers the information you filled in when you move across the web pages. The session cookies are responsible for it.
- Persistent cookies: These are cookies with a longer lifespan ranging from days, weeks, months to even years. They remain on the user device until they reach their expiration date or the users clear them from the browser. For e.g. the cookies set by Google Analytics for measuring your website’s conversions and performance.
You can see that the categories of cookies may overlap with each other. For e.g. third-party cookies may also be session cookies or persistent cookies.
What is cookie consent?
For consent to be valid, it must be
- Informed: the users must have adequate information about it before giving consent
- Freely given: the users must have a free and genuine choice to give consent
- Specific: cookies with multiple purposes must seek different consent for the different purposes. An unbundled consent request is invalid. The users must have a granular opt-in option for selecting cookie categories.
- Unambiguous: The users must be able to give their consent via an explicit and affirmative action. Implied consent from non-affirmative actions such as scrolling through a webpage without interacting with the cookie consent notice is invalid
- Revocable: the users must be able to easily withdraw their consent at any time
- Demonstrable: you must be able to provide proof of cookie consent in case of an audit
Now, let us what are the criteria that exempt a cookie from obtaining consent and further understand it using some use-case scenarios.
Criteria for cookie consent exemption
Art 5.3 of the ePrivacy Directive allows the following criteria for using cookies without “informed consent:”
Criterion A: the cookie is used solely for “carrying out the transmission of a communication over an electronic communications network”.
It means that if any type of data exchange using an electronic communication network should not be possible without these cookies; then they do not require informed consent from the users to be loaded on their device.
Criterion B: the cookie is strictly necessary to provide a service “explicitly requested by the user”.
The service here is specifically mentioned as “information society service.” An information society service has many functionalities of a website, some of which are not used by all users and are conditional.
There are two statements that need to be true for criterion B:
- The specific functionality requires the cookie to be accessible to the user. If the cookies are disabled, then the functionality will not be available.
- The specific functionality has been explicitly requested by the user when subscribing to the information society service.
What about multipurpose cookies?
Some cookies have multiple purposes. Such cookies are only exempted from requiring consent if each purpose is individually exempted from consent.
For e.g. a cookie might be used for remembering user preferences as well as for tracking. Remembering user preferences are allowed to be exempted from consent. However, tracking is not. In such a case, it is better to use a different cookie for each purpose.
Cookie consent exemptions – case scenarios
We will analyze some cookie examples to determine if they meet criterion A or B.
These cookies meet criterion A or B and are exempted from informed consent.
The user-input cookies are most often “first-party” session cookies that expire when the user’s session on the website is over. They are typically used to remember the user’s input when filling online forms or keeping track of the items added to the shopping cart.
These cookies clearly meet criterion B. i.e. provide an information service explicitly requested by the user since they enter the details (forms) or click a button/link (“add to shopping cart”). Therefore, the user-input cookies are exempted from the consent.
When the users log in, the authentication cookies are used to identify them. These are usually session cookies that authenticate the users on successive visits to the website and gain access to authorized content of the website service. This service is explicitly requested by the user. For example, when the users log in to an online banking website, they specifically request access to services authorized to them, such as viewing bank account balance, transaction history, statements, and card details. Without this cookie, the users will have to provide their login credentials for each page.
These cookies must only be used for authenticating the users. Secondary purposes, such as tracking or advertising, are prohibited without consent.
Persistent authentication cookies are not exempted under criterion B. It is because the users expect to end the session once they close the browser. On their next visit, they will expect that they are anonymous but because of persistent authentication cookies, they are still logged in to the services. A simple “remember me” checkbox would suffice in this case to obtain consent from the users.
User-centric security cookies
User-centric security cookies are similar to authentication cookies as they are used for increasing the security of the service explicitly requested by the user. For e.g. cookies that detect repeated failed login attempts on a website. However, the cookie consent exemption does not extend to cookies that are used security of a website or third-party services not requested by the users.
User-centric security cookies are expected to have a longer expiration date.
Multimedia player session cookies
These are the session cookies that store technical data needed to play video, audio, or any media content. The guideline says that when the users visit websites that contain video or audio content, they explicitly request these services. Therefore, multimedia player session cookies are exempted from consent under criterion B.
However, to use this exemption, the websites must avoid adding additional information to the cookies that are not necessary for playing the media content.
Load balancing session cookies
Load balancing refers to distributing the processing of web servers over different machines instead of one. The load balancing is performed via a load balancer. The requests from the users are forwarded to a gateway, which then looks for the available servers. The session cookie has information to identify the specific servers for the load balancer to forward the requests from the specific users.
These cookies are solely used for identifying the available internal servers and carry out the communication network. Hence, they are exempted from consent under criterion A.
UI customization cookies
User interface (UI) customization cookies are used to store a user’s preference related to the user interface of service across web pages. These services are explicitly requested by the users via affirmative action, such as clicking a button or ticking a checkbox.
The guideline gives two examples for UI customization cookies:
- Language preference cookies that remember the language selected by the users on a multilingual website.
- Result display preference cookies that remember the user’s preference related to their online search (e.g. the number of results per page).
Social plug-in content sharing cookies
Many social media platforms provide plugin modules for letting their users share the website content with their friends. The plugins that can be integrated into the website store cookies on the users’ devices to identify their users.
It is important to note here that the social plugins are for its “logged-in” members. For “logged-out” members or the users who are not members of the social network, explicit consent is needed for storing cookies on their devices. Therefore, such cookies need consent from those users.
Criterion B applies to “logged-in” members where these cookies are needed for the services requested by the users. Social plugin content sharing cookies are session cookies. For additional information or purposes or a longer expiration period, the websites must inform and obtain consent from the users on the social network platforms.
As the name suggests, these cookies are not exempted from consent as they do not meet criterion A or B. The website needs explicit consent from the users to store the cookies on the user devices.
Social plug-in tracking cookies
These are other types of cookies placed by social network platform plugins. However, unlike the content-sharing cookies, tracking cookies will track the users that include “logged-in,” “logged-out” and non-members for purposes like behavioral advertising or analytics.
Cookies with such purposes cannot be considered “strictly necessary” as these are not services explicitly requested by the users. If the tracking cookies are disabled, the users will still be able to access the functionalities of the website without any hindrance. Therefore, these cookies do not fall under criterion A or B, and hence, they need informed user consent to be stored on the user devices.
Third-party advertising cookies
Third-party cookies that are used for behavioral advertising and other purposes such as, ad affiliation, click fraud detection, research and market analysis, product improvement and debugging, are not exempted from informed consent. These cookies do not fall under criterion A or B.
There are already any measures that the users can take to avoid data collection by these cookies. One such mechanism is “Do Not Track” (DNT) available on all major browsers. DNT is a setting that when activated, the browser sends a signal to every website the user visits to not track the user. The website on receiving the signal will then decide if it must stop storing third-party advertising cookies. Not all websites respect the DNT signal as the cookies serve many purposes.
There are many other technical solutions being developed. One such that has already been released is “Global Privacy Control.”
First party analytics cookies
This may come as a surprise since people usually refer to “first-party cookies” as necessary. However, not all of them are. There are analytics tools that use first-party cookies with the analytics analysis by another party. The other party may be a joint controller or processor depending on whether it uses the collected data for its own purpose or due to contractual or technical agreement.
These cookies, when disabled, do not hinder access to any functionalities of the website and they do not provide services explicitly requested by the users. Hence, they are not exempted from consent.
How CookieYes can help you?
CookieYes is a cloud-based SaaS for managing cookie consent for your website. Its host of features makes sure that you do not miss any aspect of cookie compliance as required by data privacy laws like GDPR, ePrivacy Directive (ePrivacy Regulation), and CCPA.
CookieYes cookie banners are fully customizable and you can add your unique style to match your website.
CookieYes has a vast database of cookies and it will auto-scan your website for cookies and add them to the list. It identifies the third-party cookies and auto-blocks them until the user gives their consent. You can manually add third-party cookie scripts (not blocked by CookieYes) so that the application can block them. So, you do not have to worry about third-party cookies getting stored on the user’s device without the user’s consent.
Apart from that, it auto-translates the banner content to your preferred language. It supports 24 languages spoken in the world. And you can also display the banner according to the location of the user.
CookieYes also lets you log the user consent for audit purposes.
And it does not stop there. There many more features that will make cookie compliance easy for you.