What data each cookie holds
The type of cook- session or persistent
If it is persistent, how long is its lifespan
Is it a third party cookie, and if so, who is setting it
What does the Directive state?
The language of the Directive is critical because as the Status Chart indicates, manymember states have either adopted the language of the Directive verbatim or close to it.Article 5(3) of the Directive states “[a] person shall not store or gain access to informationstored, in the terminal equipment or a subscriber or user unless the requirements of paragraph (2) are met...” those requirements being that the user is provided with “clear andcomprehensive information” about the information and the purposes of the storage of or access to, that information, and has given his or her “consent.”
There are common exemptions member states have adopted from the requirement to provide information and obtain consent such as non-applicability to cookies whose purposeis “for the sole purpose of carrying out the transmission or a communication over anelectronic communications network; or where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.”
Examples of the types of exempted cookies in certain member states (without exclusion of other possibly exempted cookies):
Secure login session, designed to identify the user once he/she has logged-in to aninformation society service and is necessary to recognize him/her, maintaining theconsistency of the communication with the server over the communicationnetwork.
User session, (SessionID) that allows tying together the actions of a user when thisis necessary to provide the service he/she requested.
Shopping basket, used to store the reference of items the user has selected byclicking on a button (e.g. “add to my shopping cart”). This cookie is necessary to provide an information society service explicitly requested by the user.
, 2011, pg. 13.
Article 29 Data Protection Working Party, “Opinion 16/2011 on EASA/IAB Best PracticeRecommendation on Online Behavioral Advertising,” 02005/11/EN/ WP 188, adopted on 08December 2011, pg. 8: http://ec/europa.eu/justice/data-protection/article-29documentation/opinion-recommendation/files/2011/wp188_en.pdf
Privacy and Electronic Communications (EC Directive) Regulations 2003, no. 2426, Reg. 6.
§5(3) of the revised e-Privacy Directive, 2002/58/EC.
at Article 29 Data Protection Working Party, “Opinion 16/2011,” pg. 8.
at pg. 9.
Guidance from the French DPA CNIL (Translated into English), “are all cookies concerned,”December 20
at Article 29 Data Protection Working Party, “Opinion 16/2011,” pg. 9.