Article 5.3 of the revised e-Privacy Directive 2002/58/EC imposes an obligation to obtain web users’ consent for the storage of, or access to, cookies and similar technologies. Under EU data protection law, consent must satisfy certain conditions in order to be valid, as explained in the Working Party’s Opinion of July 13, 2011 on the concept of consent (i.e., consent must be “unambiguous,” “specific and informed,” and “freely given” “before the processing starts”).
The Working Document specifies the main components of cookie consent mechanisms in order to satisfy those conditions in each EU Member State.
According to the Working Document, a consent mechanism should include each of the following elements:
Consent Should Be Sought Before Cookies Are Set or Read
According to the Working Document, this means that website operators must implement a solution in which no cookies are placed on the user’s device (other than those that do not require the user’s consent such as those cookies that are strictly necessary for the operation of the website) before that user has expressed his or her consent.
The Working Document clarifies that websites should not condition general access to their site on the acceptance of all cookies. Users should be given a real choice regarding cookies that are not needed in relation to the purpose of provision of the website service, but instead only provide additional benefits to the website operator. The Working Document gives the example of e-commerce websites and notes that not accepting non-functional cookies should not prevent a user from buying products on these websites. Users also should be offered a real choice regarding tracking cookies generally used to follow individual behavior across websites, create profiles based on that behavior, infer interests, and take decisions affecting people individually.