Cookies and other trackers: the CNIL publishes new recommendations and launches a public consultation

Written on 28 Jan 2020

On 4 July 2019, the French data protection authority (the “CNIL”) adopted new guidelines on cookies and other trackers. As part of its action plan on advertising targeting, and as announced in its press release of 28 June 2019, the CNIL also conducted a public consultation in the fall of 2019 to develop a draft recommendation offering operational modalities and practical examples for a valid expression of consent to the use of cookies.

Why a draft recommendation in addition to guidelines?

This draft recommendation is intended to be a practical tool for private and public bodies involved in online advertising. It aims to support these actors by illustrating the recommendations with concrete examples, in order to help them comply with the legal requirements. In France, these are set out in Article 82 of the so-called "Loi Informatique et Libertés" (Act No. 78-17 of 6 January 1978 as amended), which transposes into French law Article 5(3) of the current ePrivacy Directive (dir. 2002/58/EC, 12 Jul. 2002) and which requires, with some exceptions, the consent of users before any operation that reads and/or writes information on the terminal equipment via cookies or other trackers (HTTP cookies, Flash cookies, local storage, hardware identifiers, etc.).

Brief reminder on the new rules on cookies from the July 2019 guidelines:

In July 2019, the CNIL guidelines introduced two major changes to the applicable legal framework:

  • Continued browsing is no longer considered a valid expression of consent for the use of cookies. Internet users' consent must be free, specific, informed and unambiguous, given via a clear positive statement or act (e.g. a box to be checked, a button to be activated, etc.).
  • Operators using trackers must prove that they have obtained users' consent.

Whether or not the information (stored and/or accessed) is personal data under the terms of the GDPR is not a condition precedent for the application of these guidelines.

In practice, this means that websites will have to modify their consent collection systems, i.e. the "cookie banner", in order to allow users to accept the use of cookies in advance, depending on their purpose, and to modify the "cookie policy" to include new information (identity of the controller(s), the purpose of the cookies, etc.).

What are the main contributions of this draft recommendation?

1. Details on cookies requiring prior consent and on those exempted

Not all cookies require prior consent of the Internet user. Thus, consent is not required for operations whose exclusive purpose is to enable or facilitate communication by electronic means, or which are strictly necessary for the provision of an online communication service at the express request of the user. The CNIL specifies that the following trackers can thus be exempted (on condition that they are not used for other purposes):

  • trackers keeping the choice expressed by the user on the use of trackers or the will of the user not to express a choice;
  • trackers intended for authentication to a service;
  • trackers designed to keep track of the content of a shopping cart on a merchant website;
  • user interface customization trackers (e.g. for the choice of language or presentation of a service), where such customization is an intrinsic and expected element of the service;
  • trackers allowing load balancing of equipment contributing to a communication service;
  • trackers allowing paying websites to limit free access to their content to a predefined quantity and/or over a limited period of time;
  • trackers enabling audience measurement, within the framework specified by Article 5 of the Guidelines on cookies and other trackers.

2. Concrete examples and methods of collecting consent and posting information

To help actors comply with the informed consent requirement of Article 82 of the "Loi Informatique et Libertés" (Act No. 78-17 of 6 January 1978 as amended), the recommendation provides several examples of language that could be used on websites to obtain consent, based on several possible purposes. These examples show a desire to simplify reading for the Internet user with:

  • Detailed goals from the first reading level. For example:
    "Customized advertising: [name of site / application] [and third-party companies / our partners] uses / use trackers to display advertising customized to your browsing and profile".
  • Controllers grouped into categories.

The CNIL recommends that information be delivered in layers: in addition to the list of purposes presented on a first screen, websites should, for example, provide easy access (drop-down menu, hypertext link, etc.) from the consent collection interface to a more detailed description of these purposes.

This consent must be "free". For example, the CNIL suggests using "accept / refuse" buttons or "sliders" to be activated. The Internet user must be free not to choose, i.e. to close the interface for requesting consent (which will be equivalent to no consent). "Cookie walls" blocking access to the website in the absence of a choice by the user are therefore to be prohibited.

3. Some examples of good practices and other recommendations

  • The Internet user must be able to take note of all the data controllers and the extent of the navigation monitoring. If the list of data controllers were to change substantially, the consent of the Internet user would have to be sought again.
  • It is possible to set up interfaces allowing refusal or acceptance in a global way without affecting the specific nature of the consent as long as the possibility of granular detail by purpose is maintained.
  • Consent must be renewed periodically and the CNIL recommends that this period of validity of consent be reduced to six months.
  • Data controllers must be able to demonstrate that (i) the Internet user has given his consent and (ii) they have validly obtained the consent of the users concerned. It is important to choose the consent management solution provider (CMP - Consent Management Platform) carefully, so that it offers all the expected guarantees (timestamping, etc.).

What sanctions and what timetable?

The CNIL specifies on its website that this recommendation is neither mandatory nor binding, but simply aims to provide legal certainty to data controllers by informing them of practices that comply with legal requirements. Actors can implement other good practices as long as they comply with the legal requirements.

The public consultation opened on 14 January 2020 and will end on 25 February 2020. The members of the CNIL will then meet to adopt the final version of the draft recommendation.

This final version is expected to be released in the first quarter of 2020.

As announced in July 2019, the CNIL's law enforcement action plan will consist of two phases:

  • from the beginning of 2020, the CNIL's actions (and potential sanctions) will be limited to compliance with the principles previously set out in the 2013 recommendation (and which continue in the new recommendation).
  • 6 months after the final publication of the recommendation, further checks will be carried out, focusing in particular on those actors who have a major impact on the daily life of citizens and whose practices raise serious questions of compliance.