Cookies and other trackers: the CNIL publishes new guidelines

On 4 July 2019, the French data protection authority (the “CNIL”) adopted new guidelines on cookies and other similar technologies (such as "local shared objects", fingerprinting systems, "local storage" implemented within HTML 5, etc.), reinforcing the procedures for obtaining consent. These guidelines will be supplemented, at the beginning of 2020, by a CNIL recommendation to inform operators on the practical procedures for obtaining the web user's consent.

What is the context?

Article 82 of the French data protection law transposes into French law the ePrivacy Directive (2002/58/EC). This provides in particular for the obligation, subject to certain exceptions, to obtain the consent of users before any operation to write or read cookies and other similar technologies. In 2013, the CNIL adopted a recommendation to provide guidance to operators on how to apply and implement this article. According to this recommendation, users’ consent could be validly obtained by setting up a banner when first browsing on the site, informing users that by continuing their browsing, they consent to the use of cookies. This banner must also include a link to a page allowing users to learn more on cookies and configure them.

However, the entry into force of the General Data Protection Regulations (GDPR) on 25 May 2018 has strengthened the requirements to obtain a valid consent. Also, following the example of the ICO (the UK data protection authority) and without waiting for the future "privacy and electronic communications" Regulation, currently under discussion at European level and whose adoption has been postponed, the CNIL has decided to repeal its previous recommendations of 2013 in order to establish new rules compatible with the new provisions of the GPDR.

What are the main changes?

There are two new features:

• continued browsing is no longer considered a valid expression of consent for the use of cookies. Users must express their consent in a free, specific, informed and unambiguous manner by a clear declaration or a positive act (for example, a checkbox, a button to activate, etc.).
• operators that set such cookies and trackers must be able to prove that they have obtained consent.

Whether or not the information (stored and/or accessed) is personal data within the meaning of the GDPR is not a prerequisite for the application of these guidelines.

What is the practical impact?

Websites will have to modify their consent systems, namely the "cookie banner" in order to allow users to accept the use of cookies beforehand, depending on their purposes. The "cookie policy" of these sites should also be enriched to include at least:

• the identity of the controller(s);
• the purpose of the data reading or writing operations; and
• the existence of the right to withdraw consent.

In its recommendation, the CNIL specifies in particular that an exhaustive and regularly updated list of entities using trackers must be displayed directly to the user when collecting his/her consent.

What is the implementation schedule?

The guidelines adopted on 4 July will be followed by a new CNIL’s recommendation that will specify the practical procedures for obtaining consent. The draft recommendation will be prepared following a consultation with the professionals, which will take place by the end of the year. It will then be the subject of a public consultation. The final recommendation will be published in the first quarter of 2020.

Companies therefore have about one more year to achieve compliance with the new rules. The CNIL has once again stated on its website that an adaptation period, ending six months after the publication of the future recommendation, will be left to the stakeholders in order to give them time to comply with the new rules.

Can the browser settings be sufficient to obtain valid consent?

No, the July 4 guidelines clearly state that these browser settings cannot, at the current state of the art, allow the user to express valid consent.

Does the exceptions to the collection of consent still apply?

Yes, the classic exceptions are still valid for the following cookies:

• those whose exclusive purpose is to enable or facilitate communication by electronic means; and
• those strictly necessary for the provision of an online communication service at the express request of the user.

Internet users must be informed in advance of their existence and purpose by including, for example, a reference in the privacy policy or the "cookies" policy of the website..

Finally, audience measuring cookies may in certain cases be exempted, provided that strict conditions are met (including that there is no overlap with other processing operations, statistics are produced on an anonymised basis and subject to a limited lifespan).