EU cookie law - Third party session cookie

Tag: cookies, session-cookies Author: sujinchao222 Date: 2012-07-16

I'm confused about the EU Cookie law regarding third party session cookies.

We're building a plugin that loads HTML from a different domain (our server) than the surrounding website. So, in essence it's a widget website owners can plug into their websites.

This widget needs to store session data with a session cookie. Is this allowed? If so, do I need consent?

The need for consent does not "apply to the technical storage of, or access to, information (...) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user". As it stands, the consensus on the tubes is that all "session cookies" are safe.

Best Answer

It's the website owner using your plug-in that would need to seek consent, not you as the widget owner / cookie domain.

However, this doesn't mean that as a producer you should just shrug your shoulders and get on with it, you should provide information about your plug-in's cookie use that the website owner can refer to.

It would be helpful if you wrote this for consumption by a non-technical audience, and you could submit details of your cookie to too to allow end users to find the detail they need to include in their privacy statement about your cookie.

This answer is based on this experience:

We at produce a solution for non-technical site owners that includes policy, banner, and an AUDIT that spiders through up to 250 pages of a site. It's the audit that will find your cookie, find that it is not recognised, suggest it is 'probably' a session cookie, but that the owner should fill out the details manually.

The audit will report your cookie's domain so it is likely that in tracking it down owners will contact you. It would be wise to have the information to hand, and ideally including a statement that you are not collating/holding those details.

It is true that 'necessary' cookies are exempt, BUT there is an educational bias to the legislation that means that any consent (implied or explicit) must be 'informed', and the onus to inform (i.e. educate) is with the owners and designers.

So to that end not all session cookies are 'safe', their use and presence should ideally be described, and at a reading level that is appropriate to leave the reader 'informed'.

Hope that helps, it is 'allowed', it's not your responsibility to report its use, but as a good developer it would be appropriate to provide information as to purpose and intent.



This was very helpful!

Other Answer1

If and until the eurocrats get round to it (and being unable to find alternative proposals), may I humbly submit the following graphics as convention in the hope that the first three would require no further explanation (perhaps use the image 'title=""'), and the last as a link to policy. 1) No Cookies 2) Session Cookie Only 3) Cookie For Navigation Only 4) Additional Information Held.

APPARENTLY I NEED reputation points to post images. Perhaps someone can do the honours. Images at If you feel better graphics can be submitted, let's leave it for a month or so and let admin decide.