Art. 29 Working Party: document on providing guidance on obtaining consent for cookies

Uit het persbericht: "The Article 29 Working Party, in which all 28 data protection authorities of the EU are represented, have adopted a working document providing guidance on obtaining consent for cookies. The ePrivacy Directive stipulates the need for consent for the storage of or access to cookies, but there are quite some variations in practice. For example, an immediately visible notice that various cookies are being used or a notice that by further browsing on the website, the user agrees to cookies being set. Even though these practices are helpful, in isolation they are unlikely to constitute valid consent, as all the elements for obtaining consent must be present.

Together with the opinion on consent that the Working Party already adopted in 2011 and the opinion of 2012 on the exemptions for cookie consent, this document provides more clarity and practical guidance on the requirements of valid consent and its main elements in the specific context of cookies. The information provided must be specific and appropriate. Furthermore, consent must be sought before the processing starts, so before (non-functional) cookies are set. Another requirement is that consent must be unambiguously and freely given, which means that there should be no doubt that the data subject has given consent and that (s)he should have a real choice and there is no risk of deception, coercion or significant negative consequences for the data subject if (s)he does not consent."

Lees het persbericht hier.

Working Document 02/2013 providing guidance on obtaining consent for cookies.

"[...] 4. Real choice – freely given consent

The consent mechanism should present the user with a real and meaningful choice regarding cookies on the entry page. The user should have an opportunity to freely choose between the option to accept some or all cookies or to decline all or some cookies and to retain the possibility to change the cookie settings in the future.

In some Member States access to certain websites can be made conditional on acceptance of cookies9, however generally, the user should retain the possibility to continue browsing the website without receiving cookies or by only receiving some of them, those consented to that are needed in relation to the purpose of provision of the website service, and those that are exempt from consent requirement. It is thus recommended to refrain from the use of consent mechanisms that only provide an option for the user to consent, but do not offer any choice regarding all or some cookies. Granularity in the options available to the user is highly recommended.

The above argumentation is based on recital 25 of e-Privacy Directive 2002/58 (EC), which provides that access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose. The emphasis on "specific website content" clarifies that websites should not make conditional "general access" to the site on acceptance of all cookies but can only limit certain content if the user does not consent to cookies (e.g.: for e-commerce websites, whose main purpose is to sell products, not accepting (non-functional) cookies should not prevent a user from buying products on this website).

[...] An example, where consent to non-necessary cookies would be considered disproportionate are websites providing certain services, where the user could be seen as having few or no other options but to use the service, and thus having no real choice as to the usage of cookies. In most EU Member States this is particularly the case with public sector services.

Users should also be offered a real choice regarding tracking cookies. Such tracking cookies are generally used to follow individual behaviour across websites, create profiles based on that behaviour, infer interests, and take decisions affecting people individually. When tracking cookies are being used to single out people in this way, they are likely to be personal data. For the processing of the personal data that goes together with the reading and setting of tracking cookies the data controller needs to obtain the unambiguous consent of the user. A decision regarding a breach of the mentioned principle would be made on a case by case basis by the national authority competent to oversee the relevant provision of the data protection legislation."

Het Working Document hier.