In a nutshell, cookies are small pieces of data that are stored on users' computers during their "visits" to various websites on the World Wide Web, in order to, among other things, enable the website to identify the user for subsequent visits to the same website.
The Commissioner proceeded with setting out Section 99(5) of the Regulation of Electronic Communications and Postal Services (Law 112(I)/2004), as amended, which provides that:
"(5) The storage of information or the acquisition of access to already stored information in the terminal equipment of a subscriber or user shall only be allowed if the subscriber or user concerned has given his consent, based on clear and comprehensive information, provided in accordance with the provisions of the Processing of Personal Data (Protection of the Individual) Laws of 2001 and 2003 (as repealed by the Processing of Personal Data and for the Free Movement of such Data of 2018 (Law 125(I)/2018)), inter alia for processing purposes.
Provided that this shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.".
Accordingly, based on the definition provided in the GDPR, consent should, inter alia, be specific and explicit and be obtained prior to processing. Furthermore, the Commissioner stresses the importance of consent being freely given and being open to withdrawal.
The Commissioner through published guidelines has provided that cookies can be classified as "session cookies" or "persistent cookies" depending on whether they are maintained when the user closes the browser. Typically, cookies that are exempted from consent are "session cookies" (deleted when the user closes the browser), with some exceptions for which the cookies are kept for a limited time depending on the expectations of the average user. For example, for "shopping cart" purposes, the user's options could remain stored for 1-2 hours if the user accidentally closes the browser and then visits the site again to purchase products in their basket.
Cookies can also be classified as "third party cookies" or not, depending on whether they are stored by the site administrator or by a third party. "Third party cookies" are usually not "strictly necessary" as they relate to a service that is separate from the service explicitly requested by the user.
Cookies that provide analytics for site traffic, although considered a very useful tool for webmasters, are not exempt from consent as they are not "strictly" or "absolutely" necessary since users may receive all the services provided from the site without them.
The Commissioner’s statement and guidelines concerning cookies are in line with Article 29 Working Party document 02/2013 providing guidance on obtaining consent for cookies, confirming the spirit of uniformity in the application of the principles promoted and enshrined in the GDPR.
(a) for any technical storage or access, the sole purpose of which is to transmit a communication through an electronic communications network, or
(b) when absolutely/strictly necessary to enable an information society service provider explicitly requested by the subscriber or user to provide the service in question.'
Article provided by: Constantinos Andronicou (tassos papadopoulos & associates, Cyprus)