Advice from the Article 29 Working Party builds on what was contained in Article 5( 3 ) of the EU’s e-Privacy Directive, which is currently being transposed into national laws.

The article states that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent”.

The Working Party writes: “While Article 5( 3 ) does not use the word prior, this is a clear and obvious conclusion from the wording of the provision. It makes good sense for consent to be obtained prior to the starting of the data processing. Otherwise, the processing carried out during the period of time from the moment the processing had started until the moment that consent had been obtained would be unlawful because of lack of legal ground.”

This is likely to cause consternation among businesses looking to adapt to the new rules which were adopted in May, but – in the UK at least – will not be enforced until next year.

Even the website of the UK Information Commissioner’s Office (ICO), which now seeks explicit consent to use cookies, informs first-time visitors that “one of the cookies we use is essential for parts of the site to operate and has already been set” – which goes against the principal of prior consent as outlined by the Article 29 Working Party.

The only exemption from the cookie consent rules is where cookies are “strictly necessary” for the provision of a service “explicitly requested” by the user. This exemption does not cover web analytics and the collection of statistical information about the use of a website, according to guidance previously issued by the ICO.