Classifies cookies exempt from consent under ePrivacy Directive Article 5(3) strictly necessary exemption. Covers criteria for user input, session, functionality, load balancing cookies with EDPB guidance.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeThis skill uses the workspace's default tool permissions.
Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC) requires informed consent before storing or accessing information on a user's terminal equipment (cookies, LocalStorage, device fingerprints). However, it provides an exemption for storage that is "strictly necessary in order for the provider of an information society service explicitly requested by the sub...
Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.
Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.
Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.
Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC) requires informed consent before storing or accessing information on a user's terminal equipment (cookies, LocalStorage, device fingerprints). However, it provides an exemption for storage that is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to deliver the service." Correctly classifying cookies under this exemption is critical — over-claiming exemption exposes organizations to enforcement action, while under-claiming creates unnecessary consent friction. The Article 29 Working Party Opinion 04/2012 on Cookie Consent Exemption (WP 194) remains the authoritative guidance on applying this exemption.
A cookie qualifies for the strictly necessary exemption only if BOTH conditions are met:
Condition 1 — The cookie is strictly necessary The cookie must be essential for the specific functionality that the user has actively requested. "Strictly necessary" means the service literally cannot function without it — not merely that it would be degraded or less convenient.
Condition 2 — For a service explicitly requested by the user The user must have actively requested the service that the cookie enables. The cookie must serve the user's purpose, not the website operator's purpose. A cookie that is necessary for the operator's business model (e.g., analytics) but not for the service the user requested (e.g., viewing products) does not qualify.
WP 194 (Opinion 04/2012) identified specific cookie categories that can qualify for exemption:
Category A — User Input Cookies (Session-Only)
| Criterion | Requirement |
|---|---|
| Purpose | Keeping track of user input during a multi-step process (e.g., filling a form, shopping cart) |
| Duration | Session-only (deleted when browser closes) or short-lived (limited to a few hours) |
| Scope | First-party only |
| Example | Shopping cart contents during a browsing session |
Pinnacle E-Commerce Ltd Examples:
| Cookie | Purpose | Duration | Exempt |
|---|---|---|---|
| cart_session | Stores items added to shopping cart during session | Session | Yes |
| checkout_step | Tracks current step in multi-page checkout | Session | Yes |
| form_data_temp | Preserves form input if page reloads during checkout | 30 minutes | Yes |
Category B — Authentication Cookies
| Criterion | Requirement |
|---|---|
| Purpose | Authenticating the user to provide access to authenticated content/services |
| Duration | Session-only for session authentication; persistent only if user explicitly chose "remember me" |
| Scope | First-party only |
| Example | Session token after login |
Pinnacle E-Commerce Ltd Examples:
| Cookie | Purpose | Duration | Exempt |
|---|---|---|---|
| auth_token | Authenticates logged-in user | Session | Yes |
| refresh_token | Maintains authentication across browser restarts (when "remember me" selected) | 30 days | Yes — user explicitly requested persistent login |
| session_id | Links requests to server-side session | Session | Yes |
Category C — User Security Cookies
| Criterion | Requirement |
|---|---|
| Purpose | Ensuring security of the service explicitly requested by the user |
| Duration | Limited to what is necessary |
| Scope | First-party only |
| Example | CSRF protection, detecting repeated failed login attempts |
Pinnacle E-Commerce Ltd Examples:
| Cookie | Purpose | Duration | Exempt |
|---|---|---|---|
| csrf_token | Prevents cross-site request forgery attacks | Session | Yes |
| login_attempts | Tracks failed login count for brute-force protection | 30 minutes | Yes |
| device_verified | Flags device as verified after 2FA | 30 days | Yes — security for authenticated service |
Category D — Multimedia Player Session Cookies
| Criterion | Requirement |
|---|---|
| Purpose | Storing technical data for media playback (quality settings, buffering) |
| Duration | Session-only |
| Scope | First-party only |
| Example | Video player quality preference for current session |
Category E — Load Balancing Cookies
| Criterion | Requirement |
|---|---|
| Purpose | Distributing web traffic across multiple servers |
| Duration | Session-only (persists only for the browsing session) |
| Scope | First-party only |
| Example | Load balancer session affinity cookie |
Pinnacle E-Commerce Ltd Examples:
| Cookie | Purpose | Duration | Exempt |
|---|---|---|---|
| SERVERID | HAProxy server affinity cookie | Session | Yes |
| __cfduid (legacy) | Cloudflare server identification | Session | Yes — if session-only |
| lb_route | Internal load balancer routing | Session | Yes |
Category F — UI Customisation Cookies (Session-Only)
| Criterion | Requirement |
|---|---|
| Purpose | Storing user interface preferences explicitly set by the user during the session |
| Duration | Session-only (first visit within a session); persistent requires consent |
| Scope | First-party only |
| Example | Language selection within a session |
Critical Distinction: A language preference cookie set for the current session when the user clicks a language selector is exempt. A persistent language preference cookie that remembers the selection across visits typically requires consent (it exceeds the session scope).
Pinnacle E-Commerce Ltd Examples:
| Cookie | Purpose | Duration | Exempt |
|---|---|---|---|
| locale_session | Language selected during current session | Session | Yes |
| locale | Persistent language preference | 1 year | No — requires consent |
| currency_session | Currency selected during current session | Session | Yes |
| currency | Persistent currency preference | 1 year | No — requires consent |
The following cookie types are explicitly NOT exempt and always require consent:
| Cookie Type | Why Not Exempt |
|---|---|
| Google Analytics (_ga, _gid) | Serves the operator's analytics purpose, not the user's requested service |
| Hotjar (_hj*) | Session recording and heatmaps serve the operator |
| A/B testing (optimizely_*) | Experimentation serves the operator's optimization goals |
| Performance monitoring | Site performance monitoring benefits the operator |
Note: The CNIL has created a separate limited exemption for audience measurement (see analytics-cookie-consent skill), but this is a French-specific interpretation, not a universal ePrivacy Article 5(3) exemption.
| Cookie Type | Why Not Exempt |
|---|---|
| Meta Pixel (_fbp, _fbc) | Advertising tracking serves the advertiser |
| Google Ads (_gcl_au, IDE) | Conversion tracking and remarketing serve the advertiser |
| Retargeting cookies | Cross-site tracking for ad personalization |
| Ad frequency capping | Serves the ad delivery system, not the user |
| Cookie Type | Why Not Exempt |
|---|---|
| Facebook Like button cookies | Third-party tracking via social widget |
| Twitter share widget cookies | Third-party data collection |
| YouTube embed cookies | Google tracking via embedded video |
| LinkedIn Insight Tag | Professional network tracking |
Exception: If a social login (e.g., "Login with Google") is explicitly requested by the user, the authentication cookies for that flow may qualify under Category B. The social platform's tracking cookies do not.
| Cookie Type | Why Not Exempt |
|---|---|
| Persistent language preference | Exceeds session scope |
| Theme/dark mode preference (persistent) | Exceeds session scope |
| "Don't show again" dismissal cookies | Convenience, not strictly necessary |
| Recently viewed products | Enhancement, not essential service |
The cookie that stores whether the user has accepted or rejected cookies:
| DPA Position | Exempt? | Reasoning |
|---|---|---|
| UK ICO | Yes | Strictly necessary to remember the user's privacy choice |
| CNIL | Yes | Technical necessity for implementing consent |
| Belgian DPA | Yes | Required to avoid re-prompting on every page |
| EDPB | Yes (implied) | Necessary to fulfill the consent obligation |
Pinnacle E-Commerce Ltd: The consent_state cookie is classified as strictly necessary.
| Scenario | Exempt? | Reasoning |
|---|---|---|
| CSRF token for form submission | Yes | Security for service the user requested (submitting a form) |
| Bot detection (CAPTCHA) | Likely yes | Security for the service; some DPAs require notice |
| Device fingerprinting for fraud | Likely no | Goes beyond what is strictly necessary; may use consent or legitimate interest |
| reCAPTCHA cookies | Contested | Google reCAPTCHA sets cookies and communicates with Google; some DPAs require consent |
| Scenario | Exempt? | Reasoning |
|---|---|---|
| Cloudflare __cf_bm (bot management) | Contested | Security-related but sets persistent cookie; review with DPO |
| CDN session routing | Yes | Load balancing (Category E) |
| Geographic routing | Yes if session-only | Infrastructure necessity |
| A/B testing server routing | No | Optimization, not user-requested service |
Use the cookie-audit skill to generate a complete cookie inventory.
For each cookie, answer:
| Cookie | User-Requested Service | Strictly Necessary | Duration OK | Exempt |
|---|---|---|---|---|
| session_id | Browsing the site | Yes — session state | Session | Yes |
| auth_token | Logging in | Yes — authentication | Session | Yes |
| cart_session | Adding items to cart | Yes — cart functionality | Session | Yes |
| csrf_token | Submitting forms | Yes — form security | Session | Yes |
| _ga | None (operator analytics) | No | 2 years | No |
| _fbp | None (operator advertising) | No | 90 days | No |
| locale | Changing language | Debatable | 1 year | No — persistent, needs consent |
| consent_state | Managing cookie preferences | Yes — consent management | 6 months | Yes |
For each exempt cookie, maintain a written justification:
Template:
Cookie: [name]
Classification: Strictly Necessary — Exempt from consent
User-Requested Service: [specific service]
Why Strictly Necessary: [explanation of why the service cannot function without this cookie]
Duration Justification: [why this duration is the minimum necessary]
WP 194 Category: [A/B/C/D/E/F]
Reviewed By: [DPO name]
Review Date: [date]
Next Review: [date + 12 months]