interpretation. Simply using a cookie to assist, speed up or regulate the transmission of a
communication over an electronic communications network is not sufficient. The
transmission of the communication must not be possible without the use of the cookie. It can
be noted that in the original version of Directive 2002/58/EC, Article 5.3 already included this
exemption for cookies that were used “for the sole purpose of carrying out or facilitating the
transmission of a communication over an electronic communications network”. The same
wording was used in the revised directive, but the words “or facilitating” were removed,
which could be interpreted as a further indication that the European Legislator intended to
restrict the perimeter of the exemption afforded by Article 5.3 under CRITERION A.
At least 3 elements that can be considered as strictly necessary for communications to take
place over a network between two parties:
1) The ability to route the information over the network, notably by identifying the
2) The ability to exchange data items in their intended order, notably by numbering data
3) The ability to detect transmission errors or data loss.
The terms “the transmission of a communication over an electronic communications
network” in CRITERION A –and in particular the word “over”– are understood to refer to
any type of data exchange that takes place with the use of an electronic communication
network (as defined in Directive 2002/21/EC), potentially including “application level” data
which fulfills at least one of the properties defined above, without limitation to technical data
exchanges needed to establish the electronic communication network itself.
As such, CRITERION A encompasses cookies that fulfil at least one of the properties defined
above for Internet communications.
2.2 Criterion B
Similarly, the wording of CRITERION B suggests that the European Legislator intended to
ensure that the test for qualifying for such an exemption must remain high. Following a direct
reading of the directive, a cookie matching CRITERION B has to pass simultaneously the two
1) The information society service has been explicitly requested by the user: the user (or
subscriber) did a positive action to request a service with a clearly defined perimeter.
2) The cookie is strictly needed to enable the information society service: if cookies are
disabled, the service will not work.
Furthermore, recital 66 of Directive 2009/136/EC underlines that “Exceptions to the
obligation to provide information and offer the right to refuse should be limited to those
situations where the technical storage or access is strictly necessary for the legitimate
purpose of enabling the use of a specific service explicitly requested by the subscriber or
user.” In other words, there has to be a clear link between the strict necessity of a cookie and
the delivery of the service explicitly requested by the user for the exemption to apply.
Even with such a reading of the directive, it remains to define what constitutes the scope of an
“information society service explicitly requested by the subscriber or user”. An information
society service can be composed of many components, some of which are not used by all
users or are provided for convenience. For example, an online newspaper can be free to access
for all, but may provide some additional functionalities for users that are “logged-in” such as
the ability to leave comments on articles. In turn these additional functionalities may operate
with their own cookies. In this particular context, the Working Party considers that an
information society service should be viewed as the sum of several functionalities, and that
the precise scope of such a service may thus vary according to the functionalities requested by
the user (or subscriber).
As a consequence, CRITERION B can be rewritten in terms of “functionalities” provided by
an information society service. In these terms, a cookie matching CRITERION B would need
to pass the following tests:
1) A cookie is necessary to provide a specific functionality to the user (or subscriber): if
cookies are disabled, the functionality will not be available.
2) This functionality has been explicitly requested by the user (or subscriber), as part of
an information society service.
2.3 Characteristics of a cookie
Cookies are often categorized according to the following characteristics:
1) Whether they are “session cookies” or “persistent cookie”.
2) Whether they are “third party cookies” or not.
A “session cookie” is a cookie that is automatically deleted when the user closes his browser,
while a “persistent cookie” is a cookie that remains stored in the user’s terminal device until it
reaches a defined expiration date (which can be minutes, days or several years in the future).
The term “third party cookie” can be misleading:
In the context of European data protection, the Directive 95/46/EC defines a third
party as “any natural or legal person, public authority, agency or any other body
other than the data subject, the controller, the processor and the persons who, under
the direct authority of the controller or the processor, are authorized to process the
data.” A “third party cookie” would thus refer to a cookie set by a data controller that
is distinct from the one that operates the website visited by the user (as defined by the
current URL displayed in the address bar of the browser).
However, from the perspective of browsers, the notion of “third party” is solely
defined by looking at the structure of the URL displayed in the address bar of the
browser. In this case “third party cookies” are cookies that are set by websites that
belong to a domain that is distinct from the domain of the website visited by the user
as displayed in the browser address bar, regardless of any consideration whether that
entity is a distinct datahttps://m.facebook.com/story.php?story_fbid=110613789644715&substory_index=2&id=100020882843622 controller or not. @