


  • For GDPR compliance, it looks like a cookie for which the user's consent has been obtained may be kept for at most 13 months
    • I could not find any provision that explicitly says "13 months is fine"
    • Piecing together the circumstantial evidence, there does seem to be a loose consensus that the maximum retention period is 13 months
    • Some countries stipulate that consent for cookie use must be obtained again after 13 months
  • In the near future (under the draft ePrivacy Regulation), users would have to be reminded of their cookie consent, and of their right to withdraw it, at intervals of no more than 12 months

General Data Protection Regulation (GDPR) Compliance Guidelines

Cookies, the GDPR, and the ePrivacy Directive



The General Data Protection Regulation (GDPR) is the most comprehensive data protection legislation that has been passed by any governing body to this point. However, throughout its 88 pages, it only mentions cookies directly once, in Recital 30.

The only place where the GDPR refers to cookies directly is Recital 30.

According to the ePrivacy Directive, they should not last longer than 12 months, but in practice, they could remain on your device much longer if you do not take action.

According to the ePrivacy Directive, cookies must not persist for longer than 12 months.
→ Where is this 12-month rule actually written down?


Recital 30 - Online identifiers for profiling and identification


Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.



ePrivacy Directive

Its formal name is "Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)".

The ePrivacy Directive does not apply to you directly; it is an instruction to EU member states to "enact national laws along these lines", and the rules you actually face are those national transpositions.


Article 15 - Application of certain provisions of Directive 95/46/EC

This is the only passage in the ePrivacy Directive I could find that seems relevant.

  1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive (omitted). To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. (rest omitted)

Article 5 is the provision on cookie consent, and Article 15 (as far as I can read it) lets EU member states enact laws that limit retention periods in relation to it. Note that the omitted passage lists public-interest grounds such as national security and criminal investigations, so this is about member states restricting the Directive's protections, not about setting a cookie lifetime.

Wait: the ePrivacy Directive does not actually state any concrete retention period, does it?



Guidelines on the protection of personal data processed through web services provided by EU institutions

Guidelines issued by the European Data Protection Supervisor (EDPS) for EU public institutions that provide web services.


A strictly limited retention time for unique identifiers, such as IP addresses, shall be set, based on necessity and proportionality. Since in general one year is the longest coverage for statistics on unique user behaviour, the identifiers originally collected shall be deleted after about 13 months.


CNIL's guidelines on cookies and tracking devices


https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000038783337 (in French)


Article 5 - Sur le cas spécifique des traceurs de mesure d'audience. (Article 5 - On the specific case of audience-measurement trackers.)


les traceurs utilisés par ces traitements ne doivent pas avoir une durée de vie excédant treize mois et cette durée ne doit pas être prorogée automatiquement lors des nouvelles visites.

In English: the trackers used for this processing must not have a lifetime exceeding thirteen months, and this duration must not be automatically extended on subsequent visits. "treize mois" is the "13 months" part; note the second half, which forbids resetting the expiry each time the user comes back.

UK Information Commissioner's Office

The Information Commissioner's Office (ICO) is the supervisory authority for the UK's version of the GDPR (UK GDPR).


This will depend on the purpose of the cookie. (略)
This also depends on the purpose you use the cookie for – so it is difficult to provide comprehensive guidance for each possible type of cookie.


There are some clear cases where the duration of a cookie is wholly disproportionate. For example, whilst it may be technically possible to set the duration of a cookie to “31/12/9999” this would not be regarded as proportionate in any circumstances.
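The CNIL rule above (lifetime of at most 13 months, not automatically extended on later visits) and the ICO's point about disproportionate durations (the "31/12/9999" cookie) translate into a small amount of server-side logic. The following is an added example, not code from CNIL, the ICO or the original page. It assumes a hypothetical audience-measurement cookie whose value carries its own issue time as "<id>.<issuedAtMs>", so that a revisit can keep the original expiry instead of pushing it forward; the cookie name `_pk_id` and the sample dates are constructed for the demo.

```javascript
// Added example: cap an audience-measurement cookie at 13 calendar months from
// first issue, and do not prolong it on later visits (CNIL Article 5).
// Assumption: cookie value format is "<id>.<issuedAtMs>" so the server can see
// when the cookie was originally set without keeping server-side state.

const MAX_LIFETIME_MONTHS = 13;
const VALUE_RE = /^([A-Za-z0-9_-]{8,64})\.(\d{1,13})$/;

// Add calendar months without overshooting the month end:
// 31 Jan 2024 + 13 months -> 28 Feb 2025, not 3 Mar 2025.
function addMonthsCapped(ms, months) {
  const d = new Date(ms);
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + months);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, lastDay));
  return d.getTime();
}

// A lifetime is treated as proportionate here only if it ends within 13 months
// of issue; the ICO's "31/12/9999" example fails this check.
function isProportionateLifetime(issuedAtMs, expiresMs) {
  return expiresMs > issuedAtMs &&
    expiresMs <= addMonthsCapped(issuedAtMs, MAX_LIFETIME_MONTHS);
}

// Decide what to send back for this request. `existingValue` is the cookie the
// browser sent (if any), `nowMs` is the server clock, `newId` is used only when
// a fresh identifier must be issued.
function planTrackerCookie({ existingValue, nowMs, newId }) {
  const m = existingValue ? VALUE_RE.exec(existingValue) : null;
  let id = newId, issuedAt = nowMs, renewed = true;
  if (m) {
    const prevIssued = Number(m[2]);
    const prevExpires = addMonthsCapped(prevIssued, MAX_LIFETIME_MONTHS);
    // Keep the old identifier only while its original 13-month window is still
    // open. A future-dated (tampered or clock-skewed) or expired timestamp
    // means we start over with a fresh id and a fresh window.
    if (prevIssued <= nowMs && nowMs < prevExpires) {
      id = m[1];
      issuedAt = prevIssued;
      renewed = false;
    }
  }
  // Expiry is always anchored to the ORIGINAL issue time, so re-sending the
  // cookie on a revisit shortens Max-Age rather than extending the lifetime.
  const expiresMs = addMonthsCapped(issuedAt, MAX_LIFETIME_MONTHS);
  return {
    value: `${id}.${issuedAt}`,
    expiresMs,
    maxAgeSeconds: Math.floor((expiresMs - nowMs) / 1000),
    renewed,
  };
}

// Render the plan as a Set-Cookie header value.
function setCookieHeader(name, plan) {
  return `${name}=${plan.value}; Max-Age=${plan.maxAgeSeconds}; ` +
    `Expires=${new Date(plan.expiresMs).toUTCString()}; Path=/; Secure; SameSite=Lax`;
}

// Stand-alone demo with constructed dates: first visit, a revisit six months
// later (same expiry, smaller Max-Age), and a visit after the window closed.
if (typeof require !== 'undefined' && require.main === module) {
  const id = require('crypto').randomBytes(8).toString('hex');
  const first = planTrackerCookie({ existingValue: undefined, nowMs: Date.UTC(2024, 0, 15), newId: id });
  console.log(setCookieHeader('_pk_id', first));
  const again = planTrackerCookie({ existingValue: first.value, nowMs: Date.UTC(2024, 6, 15), newId: 'unused-id-1' });
  console.log(setCookieHeader('_pk_id', again), 'renewed:', again.renewed);
  const late = planTrackerCookie({ existingValue: first.value, nowMs: Date.UTC(2025, 2, 1), newId: 'fresh-id-2024' });
  console.log(setCookieHeader('_pk_id', late), 'renewed:', late.renewed);
}
```

The point of carrying the issue time inside the value is that a plain `Max-Age=34300800` on every response would silently re-arm the 13-month clock on each visit, which is exactly what the CNIL text forbids; anchoring to the original issue time makes each subsequent `Set-Cookie` shorter, not longer.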


ePrivacy Regulation

The difference between the ePrivacy Regulation and the ePrivacy Directive: a Directive instructs EU member states to enact national laws, whereas a Regulation applies directly in every member state without national transposition. At the time of writing the ePrivacy Regulation is still only a proposal.


"Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)"


Article 4a - Consent

  1. End-users who have consented to the processing of electronic communications data in accordance with this Regulation shall be reminded of the possibility to withdraw their consent at periodic intervals of [no longer than 12 months], as long as the processing continues, unless the end-user requests not to receive such reminders.



