Using VOSA cookies
A cookie is a small piece of text that is sent to your browser from a Web site you visit. It helps the site remember information about your visit, such as your preferred language and other settings. This makes your next visit easier and the site more usable. Cookies play an important role. Without them, the site would be much more frustrating to use.
ABOUT EU LAW ON USING COOKIES IN EUROPE (ePrivacy Directive)
A cookie is a simple text file that is stored on a user’s computer or mobile device when visiting certain websites.
What is a cookie?
A cookie is a text file no bigger than 4k that a website asks your browser to store on your computer or mobile device. This allows the website to “remember” your actions or preferences over a period of time.
Most browsers support cookies; however, users can set their browsers to decline them and can also delete them whenever they like.
What are they used for?
- to identify users
- to remember the user’s custom preferences
- to help complete a task without having to re-enter information when browsing from one page to another or when visiting the site again sometime later
Cookies can also be used for online behavioral targeted advertising, to show adverts relevant to something that the user searched for in the past.
How are they used?
What are the different types of cookies?
A cookie can be classified by its lifespan and the domain to which it belongs. By lifespan, a cookie is either a:
- session cookie which is erased when the user closes the browser or
- persistent cookie which remains on the user’s computer/device for a pre-defined period of time.
As for the domain to which it belongs, there are either:
- first-party cookies which are set by the web server of the visited page and share the same domain
What does EU legislation say?
It is important that EUROPA follows the Commission’s guidelines on privacy and data protection and informs users that cookies are not being used in an intrusive way.
The ePrivacy directive and more specifically Article 5(3) requires prior informed consent for storage or access to information stored on a user’s terminal equipment. In other words, you must ask users if they agree to most cookies and similar technologies (e.g. web beacons, Flash cookies, etc.) before the site starts to use them.
For consent to be valid, it must be informed, specific, freely given and must constitute a real indication of the individual’s wishes.
However, some cookies are exempt from this requirement and so you don’t have to ask for consent if the cookie:
- is used for the sole purpose of carrying out the transmission of a communication and,
- is strictly necessary in order for the provider of an information society service explicitly required by the user to provide the service.
Cookies clearly exempt from consent according to the opinion of the EU advisory body on data protection (WP29):
- user input cookies (session-id) such as first-party cookies to keep track of the user’s input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
- authentication cookies, to identify the user once he has logged in, for the duration of a session
- user-centric security cookies, used to detect authentication abuses, for a limited persistent duration
- multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
- load balancing cookies, for the duration of a session
- user interface customization cookies such as language or font preferences, for the duration of a session (or slightly longer)
- third-party social plug-in content sharing cookies, for logged-in members of a social network.
Use on EUROPA
- If a cookie is essential, assess how intrusive your cookie is: what data does each cookie hold, is it linked to other information held about the user? Is its lifespan appropriate to its purpose? What type of cookie is it? Is it a first or a third-party setting the cookie? Who controls the data?
- Evaluate for each cookie if informed consent is required or not:
  - first-party session cookies do not require informed consent
  - first-party persistent cookies require informed consent. Use only when strictly necessary. The expiry period must not exceed one year
  - all third-party session and persistent cookies require informed consent. These cookies should not be used on EUROPA sites as the data collected may be transferred beyond the EU’s legal jurisdiction.
- Gain consent from the users, if required, before storing cookies by implementing the Cookie Consent Kit in all the pages of any website using cookies that require informed consent.
- the reason why they are being used, (e.g. to remember users’ actions, to identify the user, to collect traffic information)
- if they are essential for the website or a given functionality to work or if they aim to enhance the performance of the website
- the types of cookies used (e.g. session or permanent, first or third-party)
- who controls/accesses the cookie-related information (website or third party)
- that the cookie will not be used for any purpose other than the one stated
- how consent can be withdrawn.
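The per-cookie evaluation rules listed under "Use on EUROPA" (consent by cookie type, one-year expiry limit) can be checked against the `Set-Cookie` headers a site actually sends. The Python below is an added example, not part of the original page or of the Cookie Consent Kit; the hostnames, sample headers, function names and the simplified first-party test are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

ONE_YEAR = 365 * 24 * 3600  # the page's expiry limit for first-party persistent cookies

def lifetime_seconds(set_cookie, now):
    """None for a session cookie, else seconds until expiry (Max-Age wins over Expires)."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value.strip()
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"])
        if "expires" in attrs:
            return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
    except (TypeError, ValueError):
        pass  # unparsable lifetime attribute: treated as a session cookie
    return None

def is_first_party(page_host, setting_host):
    # Assumption: plain host/subdomain match; a production audit compares registrable domains.
    page_host, setting_host = page_host.lower(), setting_host.lower()
    return setting_host == page_host or setting_host.endswith("." + page_host)

def assess(page_host, setting_host, set_cookie, now=None):
    """Apply the page's consent rules to one Set-Cookie header value."""
    now = now or datetime.now(timezone.utc)
    life = lifetime_seconds(set_cookie, now)
    kind = "session" if life is None else "persistent"
    first = is_first_party(page_host, setting_host)
    findings = []
    if not first:
        findings.append("third-party cookie: should not be used on EUROPA sites")
    elif life is not None and life > ONE_YEAR:
        findings.append("expiry exceeds one year")
    return {
        "name": set_cookie.split("=", 1)[0].strip(),
        "party": "first-party" if first else "third-party",
        "kind": kind,
        # Only first-party session cookies escape the informed-consent requirement.
        "consent_required": not (first and kind == "session"),
        "findings": findings,
    }

# Constructed sample data: (visited page host, host that set the cookie, Set-Cookie value)
SAMPLES = [
    ("www.site.example", "www.site.example", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ("www.site.example", "www.site.example", "lang=en; Max-Age=63072000; Path=/"),
    ("www.site.example", "cdn.tracker.example", "uid=42; Max-Age=3600"),
]

if __name__ == "__main__":
    for page, setter, header in SAMPLES:
        print(assess(page, setter, header))
```

Cookies flagged with `consent_required` are the ones that must not be stored before the user has agreed, and any entry in `findings` marks a cookie that breaks the rules above regardless of consent.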
A standard template to create your own cookie notice page is available. If a site does not use any cookies, the dedicated “cookie notice” page should use the template and just mention this. If your site uses the same cookies as the Commission homepage, you can link to the top level cookie notice.
Cookie Consent Kit
This solution provides the following functionalities:
- a wizard to declare your cookies and the link to your cookies notice page
- a corporate consent cookie to remember the choice of the user across websites
- a template for the cookie notice page.
Read the full documentation to implement the Cookie Consent Kit.
Download the template to create your own cookie notice page.
- The cookie header banner displayed on all pages of a site using cookies that require informed consent.
- A link to the specific cookie notice page is also available.
- This element of the page will only display its content once the user chooses to accept the site’s cookies.
Guidelines and References
Directive 2009/136/EC (ePrivacy Directive)
Regulation (EC) 45/2001 (Data protection)
EU advisory body on data protection – Working Party 29:
- Opinion 15/2011 on the definition of consent
- Opinion 04/2012 on cookie consent exemptions
Source: European Commission