Cookies and other trackers: the CNIL publishes new guidelines
Published on 19th Jul 2019
On 4 July 2019, the French data protection authority (the “CNIL”) adopted new guidelines on cookies and other similar technologies (such as "local shared objects", fingerprinting systems, "local storage" implemented within HTML 5, etc.), reinforcing the procedures for obtaining consent. These guidelines will be supplemented, at the beginning of 2020, by a CNIL recommendation to inform operators on the practical procedures for obtaining the web user's consent.
What is the context?
However, the entry into force of the General Data Protection Regulations (GDPR) on 25 May 2018 has strengthened the requirements to obtain a valid consent. Also, following the example of the ICO (the UK data protection authority) and without waiting for the future "privacy and electronic communications" Regulation, currently under discussion at European level and whose adoption has been postponed, the CNIL has decided to repeal its previous recommendations of 2013 in order to establish new rules compatible with the new provisions of the GPDR.
What are the main changes?
There are two new features:
- operators that set such cookies and trackers must be able to prove that they have obtained consent.
Whether or not the information (stored and/or accessed) is personal data within the meaning of the GDPR is not a prerequisite for the application of these guidelines.
What is the practical impact?
- the identity of the controller(s);
- the purpose of the data reading or writing operations; and
- the existence of the right to withdraw consent.
In its recommendation, the CNIL specifies in particular that an exhaustive and regularly updated list of entities using trackers must be displayed directly to the user when collecting his/her consent.
What is the implementation schedule?
The guidelines adopted on 4 July will be followed by a new CNIL’s recommendation that will specify the practical procedures for obtaining consent. The draft recommendation will be prepared following a consultation with the professionals, which will take place by the end of the year. It will then be the subject of a public consultation. The final recommendation will be published in the first quarter of 2020.
Companies therefore have about one more year to achieve compliance with the new rules. The CNIL has once again stated on its website that an adaptation period, ending six months after the publication of the future recommendation, will be left to the stakeholders in order to give them time to comply with the new rules.
Can the browser settings be sufficient to obtain valid consent?
No, the July 4 guidelines clearly state that these browser settings cannot, at the current state of the art, allow the user to express valid consent.
Does the exceptions to the collection of consent still apply?
Yes, the classic exceptions are still valid for the following cookies:
- those whose exclusive purpose is to enable or facilitate communication by electronic means; and
- those strictly necessary for the provision of an online communication service at the express request of the user.
Finally, audience measuring cookies may in certain cases be exempted, provided that strict conditions are met (including that there is no overlap with other processing operations, statistics are produced on an anonymised basis and subject to a limited lifespan).