In another threadanother thread , a heated discussion over cookies ensewed. At the very end of that thread, Jelo states that LimeSurvey cookies sometimes last a year. Others stated that only PHP and YII session cookies are kept. My own findings are that PHP sessions are stored with an expiry of now+2 hours. In fact, all of these cookies run afoul of the actual EU Privacy directives, as stated in directive 2009/136/EC , Amendment to 2002/58/EC, Article 5 paragraph 3:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

(emphasis mine)

Basically, a "cookie" is a piece of "stored information" that is on the "terminal equipment" (ie, browser) of the "user" (survey taker). Now, some have interpreted "this shall not prevent" clause as an exclusion to the disclosure requirement, but that would be a contorted reading of the text. A strict reading would indicate that lack of consent cannot prevent such strictly necessary cookies, but the user must still consent to and be informed about their use. Further, the user must explicitly request to use the service, which is not implied by simply landing on the survey page.

Thus, a legal stickler is compelled to provide the user with at least an informational pop-up about the LimeSurvey instance's use of cookies.

It is irrelevant that you (nor I) dislike the law.

It is irrelevant that the survey site exists outside of the EU.

It is irrelevant that the cookies are session-only.

The only relevant issue is whether the local site administrators choose to make their users aware of the use of cookies. The local site might already have employed a cookie-consent form, or may deem it is not necessary for them.

uibklime1 wrote: It is irrelevant that the cookies are session-only.

web.archive.org/web/20200831074357/https...WEBGUIDE/04.+Cookies

Examples of cookies that generally do NOT require consent:

user input cookies, for the duration of a session
authentication cookies, for the duration of a session
user-centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration
multimedia content player session cookies, such as flash player cookies, for the duration of a session
load balancing session cookies and other technical cookies, for the duration of session
user interface customisation cookies, for a browser session or a few hours, when additional information in a prominent location is provided (e.g. “uses cookies” written next to the customisation feature)

in 2020-08-31

Maybe it evolve since this date , but clearly unclear.
Are you a lawyer yourself ?

I really like to have a real lawyer clear advice here ....