When is a coo­kie “strict­ly necessary”?

New state­ments from the super­vi­so­ry aut­ho­ri­ties in Ger­ma­ny and Luxembourg

What are the requi­re­ments for pla­cing web­site coo­kies on com­pu­ters? This ques­ti­on, which has been the sub­ject of much dis­cus­sion and con­tro­ver­sy sin­ce the ePri­va­cy Direc­ti­ve, has come into shar­per focus again in Ger­ma­ny with the ent­ry into for­ce of the Telecom­mu­ni­ca­ti­ons Tele­me­dia Data Pro­tec­tion Act (TTDSG). In princip­le, with respect to con­sent for pla­cing coo­kies, a dis­tinc­tion must be made bet­ween “strict­ly necessa­ry” coo­kies in the terms of Arti­cle 4(3), Sen­tence 2, Alter­na­ti­ve 2 of the ePri­va­cy Direc­ti­ve and other coo­kies. While no con­sent is requi­red for strict­ly necessa­ry coo­kies, con­sent must be given for all other coo­kies in advan­ce in com­pli­an­ce with the rele­vant requi­re­ments of Arti­cles 4(11) and 7 GDPR.

In their cur­rent state­ments on the ent­ry into for­ce of the TTDSG, some Ger­man data pro­tec­tion super­vi­so­ry aut­ho­ri­ties take a strict view and, as the fol­lowing over­view shows, only assu­me that coo­kies are “strict­ly necessa­ry” in nar­row excep­tio­nal cases:

  • Ham­burg Data Pro­tec­tion Aut­ho­ri­ty (only in Ger­man): “Accord­ing to the wor­d­ing, the excep­ti­ons are to be inter­pre­ted nar­row­ly. Para­graph 2, No. 2, for examp­le, con­tains the phra­se ’strict­ly necessa­ry’, which, in light of the legis­la­ti­ve intent, is to be unders­tood as a tech­ni­cal, but not an eco­no­mic neces­si­ty. As a rule, the­re­fo­re, mea­su­ring ran­ge, user tracking for adver­ti­sing pur­po­ses, etc. are not strict­ly necessa­ry for the pro­vi­si­on of a tele­me­dia ser­vice and the­re­fo­re requi­re con­sent in accordance with the TTDSG.”
  • Data pro­tec­tion super­vi­so­ry Aut­ho­ri­ty of Sax­o­ny (only in Ger­man): “Excep­ti­ons to this con­sent requi­re­ment are nar­row­ly limi­ted to strict neces­si­ty, enab­ling the pro­vi­der to pro­vi­de a tele­me­dia ser­vice express­ly reques­ted by the user.”
  • Ber­lin Data Pro­tec­tion Super­vi­so­ry Aut­ho­ri­ty (only in Ger­man): “Con­sent is not requi­red by way of excep­ti­on only if the sto­rage of and access to infor­ma­ti­on in the ter­mi­nal equip­ment is strict­ly necessa­ry in order to pro­vi­de a tele­me­dia ser­vice express­ly reques­ted by the users. This is the case, for examp­le, with a coo­kie used to store items from an online store in a shop­ping cart.”
  • Data Pro­tec­tion Super­vi­so­ry Aut­ho­ri­ty of Lower Sax­o­ny (only in Ger­man): “For tele­me­dia pro­vi­ders, the­re is an exemp­ti­on in § 25(2)2 TTDSG. […] Sin­ce this is an excep­ti­on, a nar­row under­stan­ding is gene­ral­ly to be assu­med, so that the­re will be only a few coo­kies and third-party ser­vices that can be used on the web­site without consent.”
  • Data Pro­tec­tion Super­vi­so­ry Aut­ho­ri­ty of North Rhine-Westphalia (only in Ger­man): “Con­sent is to be deter­mi­ned by the rules of the Gene­ral Data Pro­tec­tion Regu­la­ti­on. Howe­ver, excep­ti­ons to this con­sent are con­tai­ned in § 25(2) TTDSG. This exclu­des strict­ly func­tio­n­al coo­kies, such as shop­ping cart coo­kies or fraud pre­ven­ti­on systems.”

Howe­ver, sin­ce the ePri­va­cy Direc­ti­ve repres­ents a har­mo­ni­sa­ti­on of Euro­pean legis­la­ti­on, when asses­sing the neces­si­ty of a coo­kie, the opi­ni­ons of the Ger­man data pro­tec­tion super­vi­so­ry aut­ho­ri­ties and the recom­men­da­ti­ons of the Ger­man Con­fe­rence on Data Pro­tec­tion for Busi­ness announ­ced for ear­ly 2022 are of inte­rest, as is the assess­ment of other Euro­pean super­vi­so­ry aut­ho­ri­ties, such as the Spa­nish (PDF), French (PDF only in French) and Irish (PDF) regu­la­to­ry authorities.

The Luxem­bourg data pro­tec­tion super­vi­so­ry aut­ho­ri­ty now can be coun­ted among the super­vi­so­ry aut­ho­ri­ties that have issued an assess­ment in this regard. In its recent­ly publis­hed Gui­de to coo­kies and other tra­ckers (PDF only in French), the Com­mis­si­on natio­na­le pour la pro­tec­tion des don­nées (CNPD) pro­vi­des prac­ti­cal advice on informing web­site visi­tors and designing coo­kie ban­ners and con­sent mana­gers, as well as an opi­ni­on on the need for pri­or con­sent to the pla­cing of coo­kies. In some respects, the CNPD’s assess­ment devia­tes con­si­der­ab­ly from the “Ger­man line”.

CNPD gui­de­li­nes on the need for consent

Accord­ing to the CNPD, the fol­lowing coo­kies can be con­si­de­red “strict­ly necessary”:

  • Coo­kies stored to record the coo­kie selec­tion by the user.
  • Coo­kies used to authen­ti­ca­te the user, pro­vi­ded the coo­kie ser­ves this pur­po­se only. Howe­ver, accord­ing to the CNPD, this is not the case for the vast majo­ri­ty of coo­kies on social networks.
  • Coo­kies to remem­ber items added to a shop­ping cart.
  • Coo­kies used to store respon­ses in a con­ta­ct form.
  • Coo­kies used to stream con­tent, pro­vi­ded the user has expres­sed his or her will to access the content.
  • Coo­kies for the per­so­na­li­sa­ti­on of ser­vices, such as view and lan­guage set­tings. Howe­ver, adver­ti­sing per­so­na­li­sa­ti­on does not fall into this category.
  • Coo­kies used for secu­ri­ty pur­po­ses, pro­vi­ded they are used exclu­si­ve­ly for secu­ri­ty pur­po­ses and exclu­si­ve­ly for the ope­ra­tor of the web­site or application.
  • Coo­kies used for sta­tis­ti­cal pur­po­ses, pro­vi­ded the ope­ra­tor of the web­site pro­ves that the use of cer­tain ana­ly­ti­cal coo­kies is necessa­ry for the pro­vi­si­on of the ser­vice, for examp­le, becau­se they are nee­ded to eva­lua­te ser­ver capa­ci­ty or to detect ope­ra­ting pro­blems. For this pur­po­se, the CNPD belie­ves that coo­kies must meet at least the fol­lowing requirements:

1. Coo­kies may not be pas­sed on to third par­ties or lin­ked to other data.

2. Coo­kies must also not pro­vi­de a com­pre­hen­si­ve record of the use of a page, nor a cross-website record.

3. Coo­kies may only be used by the web­site ope­ra­tor to crea­te anony­mous statistics.

In con­trast, the fol­lowing coo­kies are not strict­ly necessa­ry and requi­re pri­or con­sent accord­ing to the CNPD:

  • Coo­kies used to track the user across devices.
  • Coo­kies used to crea­te a user pro­fi­le, for examp­le by collec­ting the user’s interests.
  • Coo­kies used to per­so­na­li­se advertising.
  • Coo­kies used for geo­lo­ca­ti­on, i.e. iden­ti­fy­ing the geo­gra­phic loca­ti­on of a user.
  • Social media plugins, such as a “Like” but­ton, if the plugin reli­es on the use of cookies.

The CNPD’s view on social media plugins is nota­ble, as the Arti­cle 29 Working Par­ty and some data pro­tec­tion super­vi­so­ry aut­ho­ri­ties that fol­low it (e.g. the Spa­nish, Bel­gi­an and Greek aut­ho­ri­ties) do not men­ti­on this limi­ta­ti­on. In addi­ti­on, it is inte­res­ting to note that the CNPD con­si­ders ana­ly­ti­cal coo­kies to be strict­ly necessa­ry under the afo­re­men­tio­ned con­di­ti­ons and thus not sub­ject to con­sent. Regar­ding the requi­red con­sent its­elf, the CNPD unders­cores in par­ti­cu­lar the requi­re­ment to pro­vi­de users pri­or infor­ma­ti­on, which is to be mea­su­red in terms of Arti­cles 12 and 13 GDPR. 

Future regu­la­ti­on through an EU ePri­va­cy Regulation

The some­ti­mes dif­fe­ring views of the respec­ti­ve data pro­tec­tion super­vi­so­ry aut­ho­ri­ties are based to a not incon­si­derable degree on the diver­gent natio­nal imple­men­ta­ti­on of the ePri­va­cy Direc­ti­ve (PDF) in the various EU mem­ber sta­tes. This has also been reco­gnis­ed by the Euro­pean Com­mis­si­on, which alrea­dy in 2017 pre­sen­ted a Pro­po­sal for an ePri­va­cy Regu­la­ti­on (PDF). After some cri­ti­cism and years of tug-of-war  bet­ween the mem­ber sta­tes, the cur­rent draft is now rea­dy for the tria­lo­gue bet­ween the Euro­pean Com­mis­si­on, the Coun­cil of the Euro­pean Uni­on and the Euro­pean Parliament.

The CNPD also expres­ses in its gui­de­li­nes the hope that this Regu­la­ti­on will lead to a grea­ter con­for­mi­ty of the requi­re­ments for coo­kie with the rules of the GDPR and that the dif­fe­ren­ces in inter­pre­ta­ti­on and imple­men­ta­ti­on bet­ween the mem­ber sta­tes and the respec­ti­ve natio­nal aut­ho­ri­ties will be eliminated.

Sum­ma­ry

It will still be some time befo­re the ePri­va­cy Regu­la­ti­on brings about uni­form regu­la­ti­on. In view of the nume­rous opi­ni­ons and the mul­ti­tu­de of views, it is important for web­site ope­ra­tors to know the opi­ni­ons of the respec­ti­ve natio­nal super­vi­so­ry aut­ho­ri­ties and to imple­ment them. This is all the more true sin­ce coo­kies remain the focus of data pro­tec­tion aut­ho­ri­ties. Howe­ver, when con­si­de­ring whe­ther or not con­sent is requi­red, a strong case can be made for also taking into account the opi­ni­ons of other Euro­pean super­vi­so­ry aut­ho­ri­ties. Final­ly, it should not work to the detri­ment of com­pa­nies when a Euro­pean direc­ti­ve leads to a frag­men­ta­ti­on of the legal requi­re­ments for con­sent to coo­kies ins­tead of har­mo­ni­sa­ti­on. In this light, grea­ter coör­di­na­ti­on among the com­pe­tent super­vi­so­ry aut­ho­ri­ties in Euro­pe would also be desirable.

back

Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.