When is a cookie "strictly necessary"?

Stefan Hessel

New statements from the supervisory authorities in Germany and Luxembourg

What are the requirements for placing website cookies on users' terminal equipment? This question, which has been the subject of much discussion and controversy since the ePrivacy Directive, has come into sharper focus again in Germany with the entry into force of the Telecommunications Telemedia Data Protection Act (TTDSG). In principle, with respect to consent for placing cookies, a distinction must be made between "strictly necessary" cookies in the terms of Article 5(3), Sentence 2, Alternative 2 of the ePrivacy Directive and all other cookies. While no consent is required for strictly necessary cookies, consent for all other cookies must be obtained in advance and must meet the requirements of Articles 4(11) and 7 GDPR.

In their current statements on the entry into force of the TTDSG, some German data protection supervisory authorities take a strict view and, as the following overview shows, regard cookies as "strictly necessary" only in narrow exceptional cases:

  • Hamburg Data Protection Authority (only in German): "According to the wording, the exceptions are to be interpreted narrowly. Paragraph 2, No. 2, for example, contains the phrase 'strictly necessary', which, in light of the legislative intent, is to be understood as a technical, but not an economic, necessity. As a rule, therefore, reach measurement, user tracking for advertising purposes, etc. are not strictly necessary for the provision of a telemedia service and therefore require consent in accordance with the TTDSG."

  • Data protection supervisory Authority of Saxony (only in German): "Exceptions to this consent requirement are narrowly limited to strict necessity, enabling the provider to provide a telemedia service expressly requested by the user."

  • Berlin Data Protection Supervisory Authority (only in German): "Consent is not required by way of exception only if the storage of and access to information in the terminal equipment is strictly necessary in order to provide a telemedia service expressly requested by the users. This is the case, for example, with a cookie used to store items from an online store in a shopping cart."

  • Data Protection Supervisory Authority of Lower Saxony (only in German): "For telemedia providers, there is an exemption in § 25(2) No. 2 TTDSG. [...] Since this is an exception, a narrow understanding is generally to be assumed, so that there will be only a few cookies and third-party services that can be used on the website without consent."

  • Data Protection Supervisory Authority of North Rhine-Westphalia (only in German): "Consent is to be determined by the rules of the General Data Protection Regulation. However, exceptions to this consent are contained in § 25(2) TTDSG. This excludes strictly functional cookies, such as shopping cart cookies or fraud prevention systems."

However, since the ePrivacy Directive is meant to harmonise European law, the assessment of whether a cookie is necessary should take into account not only the opinions of the German data protection supervisory authorities and the guidance of the German Data Protection Conference (DSK) announced for early 2022, but also the assessments of other European supervisory authorities, such as the Spanish (PDF), French (PDF only in French) and Irish (PDF) regulatory authorities.

The Luxembourg data protection supervisory authority can now be counted among the supervisory authorities that have issued an assessment in this regard. In its recently published Guide to cookies and other trackers (PDF only in French), the Commission nationale pour la protection des données (CNPD) provides practical advice on informing website visitors and on designing cookie banners and consent managers, as well as an opinion on when prior consent to the placing of cookies is needed. In some respects, the CNPD's assessment deviates considerably from the "German line".

CNPD guidelines on the need for consent

According to the CNPD, the following cookies can be considered "strictly necessary":

  • Cookies stored to record the cookie selection by the user.

  • Cookies used to authenticate the user, provided the cookie serves this purpose only. However, according to the CNPD, this is not the case for the vast majority of cookies on social networks.

  • Cookies to remember items added to a shopping cart.

  • Cookies used to store responses in a contact form.

  • Cookies used to stream content, provided the user has expressed his or her will to access the content.

  • Cookies for the personalisation of services, such as view and language settings. However, advertising personalisation does not fall into this category.

  • Cookies used for security purposes, provided they are used exclusively for security purposes and exclusively for the operator of the website or application.

  • Cookies used for statistical purposes, provided the website operator proves that the use of certain analytical cookies is necessary for the provision of the service, for example because they are needed to evaluate server capacity or to detect operating problems. For this purpose, the CNPD holds that such cookies must meet at least the following requirements:

1. Cookies may not be passed on to third parties or linked to other data.

2. Cookies must also not provide a comprehensive record of the use of a page, nor a cross-website record.

3. Cookies may only be used by the website operator to create anonymous statistics.

In contrast, the following cookies are not strictly necessary and require prior consent according to the CNPD:

  • Cookies used to track the user across devices.

  • Cookies used to create a user profile, for example by collecting the user's interests.

  • Cookies used to personalise advertising.

  • Cookies used for geolocation, i.e. identifying the geographic location of a user.

  • Social media plugins, such as a "Like" button, if the plugin relies on the use of cookies.

The CNPD's view on social media plugins is notable, as the Article 29 Working Party and some data protection supervisory authorities that follow it (e.g. the Spanish, Belgian and Greek authorities) do not mention this limitation. It is also interesting that the CNPD considers analytical cookies to be strictly necessary under the conditions listed above, and thus not subject to consent. Regarding the consent itself, the CNPD underscores in particular the requirement to inform users in advance, which is to be measured against Articles 12 and 13 GDPR.

Future regulation through an EU ePrivacy Regulation

The sometimes differing views of the respective data protection supervisory authorities stem to a considerable degree from the divergent national implementations of the ePrivacy Directive (PDF) in the EU member states. This has also been recognised by the European Commission, which presented a Proposal for an ePrivacy Regulation (PDF) as early as 2017. After much criticism and years of tug-of-war between the member states, the current draft is now ready for the trilogue between the European Commission, the Council of the European Union and the European Parliament.

The CNPD also expresses in its guidelines the hope that this Regulation will bring the requirements for cookies into closer conformity with the rules of the GDPR and that the differences in interpretation and implementation between the member states and their national authorities will be eliminated.

Summary

It will still be some time before the ePrivacy Regulation brings about uniform rules. In view of the multitude of opinions, it is important for website operators to know the positions of their national supervisory authorities and to implement them. This is all the more true since cookies remain a focus of data protection authorities. However, when considering whether or not consent is required, a strong case can be made for also taking into account the opinions of other European supervisory authorities. Finally, it should not work to the detriment of companies when a European directive leads to fragmentation of the legal requirements for consent to cookies instead of harmonisation. In this light, greater coordination among the competent supervisory authorities in Europe would also be desirable.

[December 2021]