Cookie notice if I only use the php session cookie?

Question:

If I do not use any external script that can create cookies such as Google analytics, facebook or twitter buttons or anything similar and the only cookie that can be generated is the one used by PHP for session control.

  • Is it necessary to define a cookie policy?
  • If so: Is it necessary to accept the cookie policy by the user?

I understand that it is a more legal question than programming, but since I am sure that many programmers do not have legal advice to solve these types of questions, it would be nice if we help each other through these forums.

Answer:

In the case of using only session cookies, it is not necessary to define an acceptance policy for them. Currently you can find all the information on the website of the Spanish Data Protection Agency (AEPD) , and more specifically in the Guide on the use of cookies , provided by the agency itself.

In section 1 (Scope of the regulations) of section II of this guide, the following is quoted verbatim:

Finally, in order to determine the scope of the regulations and of this guide, it is necessary to point out that the cookies used for any of the following purposes are exempt from compliance with the obligations established in article 22.2 of the LSSI:

  • Only allow communication between the user's computer and the network.
  • Strictly provide a service expressly requested by the user.

In this sense, the Working Group of Article 29 in its Opinion 4/20123 has interpreted that among the excepted cookies would be those that are intended to:

  • "User input" cookies
  • User authentication or identification cookies (session only)
  • User security cookies
  • Media player session cookies
  • Session cookies to balance load
  • User interface customization cookies
  • Complement cookies (plug-in) to exchange social content

You can also find this same information on the website of the European Commission .

Update December 2018: Due to changes on the website of the Spanish Agency for Data Protection (AEPD), the document that I refer to in the answer is no longer accessible through that link. You can find the guide here .

Scroll to Top