Introduction
The French Data Protection Authority (CNIL) recently revised and updated its guidelines on cookies and other online tracking technologies and issued further recommendations for stakeholders. The revised guidelines outline and clarify some important aspects of the applicable French law, while the additional recommendations provide practical advice on ways to collect users' consent for the use of such technologies. The CNIL has also published a Q&A on the guidelines and recommendations.
Legal Framework
The obligation and the conditions to obtain consent from internet users to place cookies and other similar technologies on their devices are based on two main legal texts: the French Data Protection Act (Article 82), which implements the EU Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive), and the EU General Data Protection Regulation (GDPR), which is directly applicable to all of the EU Member States.
Background
The GDPR, which became enforceable in 2018, heightened the requirements for obtaining valid consent for the use of cookies and other tracking technologies. That change prompted the CNIL to update its existing guidance of 2013, which was not compatible with the new rules introduced by the GDPR. The revised CNIL guidelines, which were published on 4 July 2019, repealed the CNIL's 2013 recommendation.
The purpose of these new guidelines was to reflect and clarify the requirements of the GDPR regarding the collection of consent for cookies and provide related guidance. One key change, as compared to the 2013 recommendation, was the adoption by the CNIL of a clear position that mere browsing of a website by an internet user could no longer be considered an expression of valid consent by the user to placing cookies on the user's browser.
Following their publication, the CNIL's 2019 guidelines were challenged by several professional associations of online advertising and commerce professionals before the French Administrative Supreme Court (Council of State). In a decision issued in June 2020, the Council of State largely validated the CNIL's 2019 guidance, with one notable exception. According to the Council of State, the CNIL's position that a user's access to a website could not be conditioned on the user's acceptance of cookies (cookie walls) was inconsistent with the GDPR, and the CNIL exceeded its own authority to issue guidelines in asserting that position.
Following the decision of the Council of State, the CNIL amended its 2019 guidelines and adopted the 2020 guidelines discussed in this advisory.
Scope and Types of Technologies Concerned
The 2020 CNIL guidelines apply in particular to HTTP cookies but also to other technologies, such as local shared objects (also known as "flash cookies"), local storage integrated within HTML 5, device fingerprinting and identifiers generated by operating systems (for advertising purposes or not: IDFA, IDFV, Android ID, etc.), device identifiers (MAC address, serial number or any other identifier of a device), etc.
The 2020 guidelines are specifically targeted to address the use of such tracking technologies on devices that are frequently used, such as tablets, smartphones, desktop computers, laptops, game consoles, connected TVs, connected vehicles, voice assistants, etc.
Key Elements of the 2020 Guidelines
The 2020 CNIL guidance focuses on the following points:
- Simply navigating a website cannot be considered an expression of valid consent. Similarly, continued browsing, scrolling, pre-ticked boxes or acceptance of general website terms of use cannot be regarded as valid consent to tracking.
- Obtaining valid consent requires doing all of the following:
  - providing online users with a list of the data controllers involved in the use of cookies;
  - listing for users the purposes of the cookies/trackers and obtaining consent for each one of them; and
  - keeping proof of and being able to demonstrate collection of valid consent.
- Users must be able to refuse consent as easily as they can give it, and to withdraw their consent as easily as they gave it.
- Consent is not required for all trackers, as described below.
Cookie walls
Under CNIL's newly revised guidelines, the lawfulness of cookie walls has to be assessed on a case-by-case basis and users must be fully informed if consent to the use of cookies is a condition of accessing particular online content or a particular online service. The CNIL guidelines highlight that the use of cookie walls is likely to jeopardise, in some cases, the freedom of consent.
Information to be provided to the users prior to consent
Prior to granting their consent, users must be informed of:
- the identity of the data controller(s);
- the purpose(s) of the cookies as well as the right to withdraw consent; and
- how to accept or refuse cookies and the consequences of such an acceptance or refusal.
Silence on the use of cookies considered as a refusal
The revised CNIL guidelines emphasize that valid consent must be expressed by a positive action of the user. Silence of the user constitutes a refusal to grant cookie consent.
Trackers whose use is exempted from the requirement to obtain consent
The 2020 CNIL guidelines provide examples of trackers whose use is normally regarded as exempt from the consent requirement:
- trackers that store the choice expressed by users on their cookie usage;
- trackers intended for authentication to a service, including those intended to ensure the security of the authentication mechanism, for example by limiting robotised or unexpected access;
- trackers intended to store the content of a shopping basket on a merchant site or to bill the user with the products or services;
- customisation trackers on the user's interface (for example, the choice of language or presentation of a service), when customisation is considered as an internal and expected element of the service;
- trackers allowing load-balancing of equipment contributing to a communication service;
- trackers allowing paid sites to limit free access to a part of the content requested by users; and
- certain audience measurement trackers.
Examples of Acceptable Consents Provided in the Recommendation
The CNIL recommendation supplements the 2020 guidelines and provides practical advice on how to collect users' consent. The examples provided by the CNIL in the recommendation are neither prescriptive nor exhaustive, and other methods of collecting consent may be used provided that consent is obtained in accordance with the applicable French laws.
The recommendation focuses on the purposes of cookies and how these should be presented to the users before acceptance or refusal of consent. The CNIL proposes indicative titles for each purpose that should be followed by a brief description. The CNIL also provides visual examples of cookie banners and consent forms and suggests how the information concerning the identification of data controllers should be provided to users prior to soliciting their consent.
The CNIL emphasises that users must grant their consent separately for each site or application that is accessed by them.
The CNIL highlights that consent should be given independently and specifically for each purpose. The CNIL does not prohibit use of a global consent covering all purposes, provided that all of those purposes are presented and explained to the user. Regarding the modalities to refuse consent, the CNIL highlights that it should be as simple to refuse cookies as to accept them.
Conclusion and Next Steps
Companies have six months to ensure that their methods of compliance with the GDPR and the ePrivacy Directive are consistent with the CNIL 2020 guidelines and recommendations. The CNIL may start to conduct inspections after the six-month grace period. We will continue to monitor developments in this area and to assist clients in understanding and complying with these new guidelines.