Are shopping cart cookies subject to consent?

Technical Foundations

Shopping cart cookies are used when the user places products in the webshop’s shopping cart. They allow the server (the webshop) to recognise the user across sessions.

Without the possibility of identification, the webshop could no longer assign the shopping cart to the user if the user closes their browser after filling the shopping cart but before completing the purchase, or if the session ends for other reasons (e.g., timeout due to prolonged user inactivity).

Therefore, the server or the webshop stores a cookie on the user’s device that identifies the user. In this way, when a user visits the webshop, the webshop can determine by reading the cookie whether the user already has an unredeemed shopping cart and retrieve the contents of the shopping cart from the database.

By storing a shopping cart cookie on the user’s device and reading it again later, the server (the webshop) can identify the user beyond the end of a session and assign the shopping cart content to that user.

Technical Necessity / Consent

It is reasonable to assume that the user expects a functioning shopping cart solution, and that the contents of the shopping cart are not lost simply by closing the browser or due to prolonged inactivity. Who wants to have to search for all the products again just because a phone call was made or a price comparison was carried out at other shops in between?

Accordingly, shopping cart cookies pursuant to Art. 5 (3) of Directive 2002/58/EC (or in Austria § 96 (3) TKG) would be classified as cookies that are strictly necessary for the provision of a service expressly requested by the user.

This would mean that no consent is required for the storage and reading of shopping cart cookies.

Processing Operation “Shopping Cart”

However, setting the shopping cart cookie is not an independent processing operation, but only part of the pre-contractual processing operation “Shopping cart”. The shopping cart is a pre-contractual processing operation that is triggered when a user places products in the shopping cart. The processing operation “Shopping cart” is therefore necessary pursuant to Art. 6 para. 1 lit. b GDPR for the implementation of pre-contractual measures that take place at the request of the data subject.

This would mean that no consent is required for the entire pre-contractual processing operation “Shopping cart”.

Legally Compliant Implementation

So far, so good. As so often, however, the correct implementation is also important for the shopping cart.

Session Cookies

Session cookies, i.e. cookies that are deleted at the end of the session when the browser window is closed, would be completely unproblematic. The shopping cart content would then possibly still be present in the database, but could no longer be assigned to a user due to the lack of a corresponding shopping cart cookie.

However, session cookies are not optimal for shopping cart solutions. Customers often place products in the shopping cart but do not buy immediately, for various reasons. If the customer closes the browser window to make further price comparisons before the purchase, or to think it over, then with a session cookie the shopping cart content would be gone when the page is called up again.

This is neither optimal for the shop operator, because it would significantly reduce the purchase completion rate, nor is it sensible for the customers, because they would have to search for their products again.

Persistent Cookies

Therefore, permanent cookies are used for the shopping cart, i.e. cookies that outlast the end of the session. Strictly speaking, the term permanent is inaccurate, because permanent shopping cart cookies also expire. Exactly when the cookie expires is determined via the Expires or the Max-Age attribute of the cookie.

Legally Compliant Expiration Date

Theoretically, one could design a shopping cart cookie in such a way that it does not expire for 10 years. However, this would not be technically necessary to achieve the purpose of a sensible shopping cart solution, because that is far too long. No customer comes back after 10 years and says: “so today I’ll buy that”. Therefore, such a long expiration date would only be permissible with the customer’s consent due to the lack of technical necessity. However, since such a long expiration date is pointless anyway, obtaining consent is of course not an option.

Correctly, the expiration date of the shopping cart cookie must be adapted to the actual customer needs. This is easy if you can draw on experience or read the necessary information from the web statistics. The perfect expiration date is set so that the majority of customers who return and buy later still find a full shopping cart.

7 to 14 days are probably unproblematic. Anything longer than that should be well justified with the help of statistics. Exotic outliers along the lines of “we once had one who came back weeks later and bought” are not to be considered when determining the expiration date.
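One way to turn this rule into code is sketched below, as an added example that is not part of the original article: the lifetime is taken as the number of days that covers most returning buyers, outliers are ignored, and the result is capped at 14 days. The cookie name `cart_id`, the 90 % coverage share, the 7-day fallback, the sample delays and the `Secure`/`HttpOnly`/`SameSite` attributes are assumptions of this example.

```python
import secrets
from http.cookies import SimpleCookie

CAP_DAYS = 14           # upper end of the 7-14 day range the article calls unproblematic
FALLBACK_DAYS = 7       # assumption: lower end of that range when no statistics exist
SECONDS_PER_DAY = 86400

# Constructed sample: days between filling the cart and buying, per returning customer.
SAMPLE_DELAYS = [0.5, 1, 1, 2, 2, 3, 3, 4, 5, 45]


def cart_lifetime_days(delays_days, coverage_pct=90, cap_days=CAP_DAYS):
    """Whole days needed so that coverage_pct % of returning buyers still find their cart."""
    if not delays_days:
        return FALLBACK_DAYS
    ordered = sorted(delays_days)
    # Nearest-rank percentile in integer arithmetic; delays beyond it are treated as outliers.
    rank = max(1, (coverage_pct * len(ordered) + 99) // 100)
    needed = int(-(-ordered[rank - 1] // 1))  # round up to whole days
    # A value above the cap would need separate justification, so it is never returned here.
    return max(1, min(needed, cap_days))


def cart_cookie_header(lifetime_days, cookie_name="cart_id"):
    """Build the Set-Cookie value for a persistent cart cookie with a bounded lifetime."""
    cookie = SimpleCookie()
    # Opaque random identifier: the cart contents stay in the database, not in the cookie.
    cookie[cookie_name] = secrets.token_urlsafe(32)
    morsel = cookie[cookie_name]
    morsel["max-age"] = lifetime_days * SECONDS_PER_DAY
    morsel["path"] = "/"
    morsel["secure"] = True      # only sent over HTTPS
    morsel["httponly"] = True    # not readable by page scripts
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


if __name__ == "__main__":
    days = cart_lifetime_days(SAMPLE_DELAYS)
    print(days, "days ->", "Set-Cookie: " + cart_cookie_header(days))
```
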

No Consent Required

If the expiration date is configured sensibly, it is considered technically necessary to provide the function of a shopping cart requested by the customer. Therefore, in this case, no consent from the customer is required for the storage and reading of the cookie.

Information Obligation

Irrespective of this, there is always an obligation to provide information. The shopping cart function must therefore still be included in the privacy policy.