Alain Bensoussan
Are analytics cookies, i.e., cookies used to measure website audience, subject to the prior consent of Internet users? This article provides insights about the French and European views on this topic.
Background
Directive 2002/58/EC, as amended by Directive 2009/136/EC (known as the
e-Privacy Directive) has reinforced the protection of users of electronic communication networks and services by requiring informed consent before information is stored or accessed in the user’s (or subscriber’s) terminal device. Article 5.3 of the Directive allows cookies to be exempted from the requirement of informed consent, if they satisfy some criteria.
The question is, is this requirement applicable to analytics cookies, i.e., cookies used to measure website audience?
France
The French data protection authority, the CNIL, first said yes to the above question, recommending a strict approach of Article 32 II of the French Data Protection Act.
Article 32 II of the French Data Protection Act contains the requirement to obtain the consent of Internet users for the storage of information or access to information already stored in their terminal device, pursuant to the French Order of August 24, 2011, implementing into French law the European Directives on the processing of personal data and the protection of privacy.
However, following an Advertising Cookies Best Practices Guide published on April 10, 2012, by the French Direct Marketing Union (UFMD), the CNIL then adjusted its position to the practices implemented online. Now, the CNIL considers that, having regard to their purpose and their limited risk for privacy, such cookies may “be implemented without first obtaining the prior consent of data subjects”.
The CNIL nonetheless specified that the IP address used for geo-location purpose must be limited to the identification of the town of the Internet user and must be deleted or anonymized “to prevent any other use of such personal data or any cross-checking with other personal data”.
Europe
The EU Art. 29 Working Party has also dealt with analytics cookies in an opinion on cookie consent exemption dated June 7, 2012 (available here). European data supervisory authorities have analyzed cookies that can be exempted from the consent requirement under certain conditions.
The Art. 29 Working Party explained that while analytics cookies do not fall under the exemption as set forth in the e-Privacy Directive, it nonetheless considered that analytics cookies are not likely to create a privacy risk when they are strictly limited to first party (website publisher) aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards.
The Art. 29 Working Party pointed out that such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses.
Lastly, the Art. 29 Working Party stated that should Directive 2002/58/EC be re-visited, the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first party anonymized and aggregated statistical purposes.