The CNIL recently revised and updated its guidelines on cookies and other online tracking technologies and issued new recommendations to stakeholders. The revised guidelines describe and clarify some important aspects of applicable French law, while the additional recommendations provide practical advice on how to obtain user consent for the use of these technologies. The CNIL has also published a Q&A on guidelines and recommendations.
The obligation and the conditions for obtaining the consent of Internet users to place cookies and other similar technologies on their terminals are based on two main legal texts: the French law on data protection (article 82), which implements European Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive), and the EU General Data Protection Regulation (GDPR), which is directly applicable in all EU Member States.
The purpose of these new guidelines was to reflect and clarify the GDPR requirements regarding the collection of consent for cookies and to provide related guidance. A key change, compared to the 2013 recommendation, was the adoption by the CNIL of a clear position according to which the simple navigation on a website by an Internet user could no longer be considered as the expression of the user's valid consent to the placing of cookies on the user's browser.
Following their publication, the 2019 CNIL guidelines were challenged by several professional associations of advertising and e-commerce professionals before the Supreme Administrative Court (Council of State). In a decision rendered in June 2020, the Council of State largely validated the 2019 CNIL guidelines with one notable exception. According to the Council of State, the position of the CNIL according to which the user's access to a website could not be conditioned on the acceptance of cookies by the user (cookie wall) was incompatible with the GDPR, and the CNIL had exceeded its own competence to issue guidelines by affirming this position.
Following the decision of the Council of State, the CNIL modified its 2019 guidelines and adopted the 2020 guidelines discussed in this opinion.
Scope and types of technologies involved
The CNIL 2020 guidelines apply in particular to HTTP cookies but also to other technologies, such as local shared objects (also called "flash cookies"), local storage integrated into HTML5, device fingerprinting, identifiers generated by operating systems (for advertising purposes or not: IDFA, IDFV, Android identifier, etc.), device identifiers (MAC address, serial number or any other identifier of a device), etc.
The 2020 guidelines specifically aim to address the use of these tracking technologies on frequently used devices, such as tablets, smartphones, desktops, laptops, game consoles, smart TVs, connected vehicles, voice assistants, etc.
Key elements of the 2020 guidelines
The CNIL 2020 guidelines focus on the following points:
- Mere browsing on a website cannot be considered as an expression of valid consent. Likewise, continuing to browse, scrolling, displaying pre-checked boxes or accepting the general conditions of use of the website cannot be considered as valid consent to tracking.
- To obtain valid consent, you must do all of the following:
  - list the purposes of cookies / trackers to users and obtain consent for each of them; and
  - retain evidence and be able to demonstrate the collection of valid consent.
- Users should be able to withhold consent as easily as to give it, and to withdraw consent as easily as they have given it.
- Consent is not required for all trackers, as described below.
Information to be provided to users before their consent
Before granting consent, users should be informed of:
- the identity of the data controller(s);
- the purpose(s) of cookies as well as the right to withdraw consent; and
The revised guidelines of the CNIL emphasize that valid consent must be expressed through positive action by the user. The user's silence constitutes a refusal to grant consent to cookies.
Trackers whose use is exempt from the requirement to obtain consent
The CNIL 2020 guidelines provide examples of trackers whose use is normally considered to be exempt from the obligation of consent:
- trackers intended for authentication to a service, including those intended to ensure the security of the authentication mechanism, for example by limiting robotic or unannounced access;
- trackers intended to store the contents of a basket on a merchant site or to invoice the user for products or services;
- personalization trackers on the user interface (for example, the choice of language or presentation of a service), when personalization is considered an internal and expected element of the service;
- trackers allowing load balancing of equipment contributing to a communication service;
- trackers allowing paid sites to limit free access to part of the content requested by users; and
- some audience measurement trackers.
Examples of acceptable consents provided in the recommendation
The CNIL recommendation complements the 2020 guidelines and provides practical advice on how to obtain user consent. The examples provided by the CNIL in the recommendation are neither prescriptive nor exhaustive, and other methods of obtaining consent may be used provided that consent is obtained in accordance with applicable French law.
The recommendation focuses on the purposes of cookies and how cookies should be presented to users before they accept or refuse consent. The CNIL offers indicative titles for each purpose, each of which must be followed by a brief description. The CNIL also provides visual examples of cookie banners and consent forms and suggests how information relating to the identification of data controllers should be provided to users before requesting their consent.
The CNIL emphasizes that users must give their consent separately for each site or application they access.
Conclusion and next steps
Companies have six months to ensure that their methods of compliance with the GDPR and the ePrivacy Directive are consistent with the CNIL 2020 guidelines and recommendations. The CNIL can start carrying out checks after the six-month grace period. We will continue to monitor developments in this area and help customers understand and comply with these new guidelines.