The French Data Protection Authority (CNIL) recently revised and updated its guidelines on cookies and other online tracking technologies and issued further recommendations for stakeholders. The revised guidelines outline and clarify some important aspects of the applicable French law, while the additional recommendations provide practical advice on ways to collect users' consent for the use of such technologies. The CNIL has also published a Q&A on the guidelines and recommendations.
The obligation and the conditions to obtain consent from internet users to place cookies and other similar technologies on their devices is based on two main legal texts: the French Data Protection Act (Article 82), which implements the EU Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive), and the EU General Data Protection Regulation (GDPR), which is directly applicable to all of the EU Member States.
The purpose of these new guidelines was to reflect and clarify the requirements of the GDPR regarding the collection of consent for cookies and provide related guidance. One key change, as compared to the 2013 recommendation, was the adoption by the CNIL of a clear position that mere browsing of a website by an internet user could no longer be considered an expression of valid consent by the user to placing cookies on the user's browser.
Following their publication, the 2019 CNIL's guidelines were challenged by several professional associations of online advertising and commerce professionals before the French Administrative Supreme Court (Council of State). In a decision issued in June 2020, the Council of State largely validated the 2019 CNIL's guidance with one notable exception. According to the Council of State, CNIL's position that user's access to a website could not be conditioned on the user's acceptance of cookies (cookie walls) was inconsistent with the GDPR and that CNIL exceeded its own authority to issue guidelines in asserting that position.
Following the decision of the Council of State, the CNIL amended its 2019 guidelines and adopted the 2020 guidelines discussed in this advisory.
Scope and Types of Technologies Concerned
The 2020 CNIL guidelines apply in particular to HTTP cookies but also to other technologies, such as local shared objects (also known as "flash cookies"), local storage integrated within HTML 5, device fingerprinting and identifiers generated by operating systems (for advertising purposes or not: IDFA, IDFV, Android ID, etc.), device identifiers (MAC address, serial number or any other identifier of a device), etc.
The 2020 guidelines are specifically targeted to address the use of such tracking technologies on devices that are frequently used, such as tablets, smartphones, desktop computers, laptops, game consoles, connected TVs, connected vehicles, voice assistants, etc.
Key Elements of the 2020 Guidelines
The 2020 CNIL guidance focuses on the following points:
- Obtaining valid consent requires doing all of the following:
- listing for users the purposes of the cookies/trackers and obtaining consent for each one of them; and
- keeping proof of and being able to demonstrate collection of valid consent.
- Users must be able to refuse consent as easily as to give consent or withdraw their consent as easily as they gave it.
- Consent is not required for all trackers, as described below.
Information to be provided to the users prior to consent
Prior to granting their consent, users must be informed of:
- the identity of the data controller(s);
- the purpose(s) of the cookies as well as the right to withdraw consent; and
The revised CNIL guidelines emphasize that valid consent must be expressed by a positive action of the user. Silence of the user constitutes a refusal to grant cookies consent.
Trackers whose use is exempted from the requirement to obtain consent
The 2020 CNIL guidelines provide examples of trackers whose use is normally regarded as exempt from the consent requirement:
- trackers that store the choice expressed by users on their cookie usage;
- trackers intended for authentication to a service, including those intended to ensure the security of the authentication mechanism, for example by limiting robotised or unexpected access;
- trackers intended to store the content of a shopping basket on a merchant site or to bill the user with the products or services;
- customisation trackers on the user's interface (for example, the choice of language or presentation of a service), when customisation is considered as an internal and expected element of the service;
- trackers allowing load-balancing of equipment contributing to a communication service;
- trackers allowing paid-sites to limit free access to a part of the content requested by users; and
- certain audience measurement trackers.
Examples of Acceptable Consents Provided in the Recommendation
The CNIL recommendation supplements the 2020 guidelines and provides practical advice on how to collect users' consent. The examples provided by the CNIL in the recommendation are neither prescriptive nor exhaustive, and other methods of collecting consent may be used provided that consent is obtained in accordance with the applicable French laws.
The recommendation focuses on the purposes of cookies and how these should be presented to the users before acceptance or refusal of consent. The CNIL proposes indicative titles for each purpose that should be followed by a brief description. The CNIL also provides visual examples of cookies banners and consent forms and suggests how the information concerning the identification of data controllers should be provided to users prior to soliciting their consent.
The CNIL emphasises that users must grant their consent separately for each site or application that is accessed by them.
Conclusion and Next Steps
Companies have six months to ensure that their methods of compliance with the GDPR and the ePrivacy Directive are consistent with the CNIL 2020 guidelines and recommendations. The CNIL may start to conduct inspections after the six-month grace period. We will continue to monitor developments in this area and to assist clients in understanding and complying with these new guidelines.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.