French data protection authority adopts final guidelines on cookies
Published on 5th Oct 2020
On 17 September 2020, the French data protection authority (the “CNIL”) adopted its final guidelines on cookies and other trackers. These guidelines were tailored to take into account the input from the public consultation launched in January 2020 and the Conseil d’Etat’s recent case law of June 19, 2020 regarding the CNIL’s previous version of the guidelines. These updated guidelines were accompanied by adjusted practical recommendations. Although the recommendations do not include mandatory rules per se, they serve as a practical guide intended to help digital actors using trackers with the concrete methods of collecting Internet users’ consent.
In 2013, the CNIL adopted a first recommendation to guide the digital actors in the implementation into French Law of Article 5(3) of the current ePrivacy Directive (dir. 2002/58/EC, 12 Jul. 2002) related to the reading and/or writing of information on the terminal equipment via cookies or other trackers.
The evolution of the applicable rules, clarified by these guidelines and recommendation, marks a turning point for both the online advertising industry and Internet users, who will now be able to exercise greater control over online trackers.
Reminder on the reaffirmed rules
In September 2020, the CNIL’s guidelines reaffirmed a few major changes to the applicable legal framework:
- Information has to be transparent, clear and synthetic;
- Consent should be easy to give and to withdraw; and
- Operators using trackers must be able to prove at any time that they have obtained internet users' consent. They must also inform individuals of the identity of all actors using trackers subject to consent.
What are the main contributions of the new guidelines and recommendations?
The CNIL recommends that the consent collection system include not only an "accept all" button but also a "refuse all" button, for ease of refusal, and that it be based on consent given purpose by purpose.
The CNIL also clearly distinguishes between various retention periods:
- the data retention period of information collected via technical cookies (25 months);
- the duration of the validity of the cookies exempt from consent (13 months); and
- the duration of validity of the consent for cookies requiring consent. It is interesting to note that, for cookies requiring prior consent, the CNIL considers that “the duration of the consent will be assessed on a case-by-case basis with regard to the nature of the site or application and the specificities of its audience” and that a duration of six (6) months constitutes best practice.
Additionally, the CNIL softened its position on "cookie walls", which consist of blocking access to the website when the user has not made a choice on cookies. They were simply prohibited in the previous version of the recommendation, and the CNIL now states that they may undermine the freedom of consent in certain situations. If a "cookie wall" is set up, its validity must be assessed on a case-by-case basis and the information provided to the user should clearly indicate the consequences of their choices and in particular the inability to access content or service without consent.
This has to be considered in light of the EDPB guidelines on consent (Guidelines 05/2020 on consent under Regulation 2016/679), which prohibit this practice. The CNIL had to soften its position following a Conseil d’Etat decision that ruled that the CNIL acted outside its powers in seeking to impose such a general and unconditional prohibition (but the Conseil d’Etat did not rule on the merits of such a prohibition). Overall, we anticipate little to no practical impact of this change as the analysis will be on a case-by-case basis.
Furthermore, to make sure that the user is fully aware of the scope of their consent, the CNIL recommends that, when a tracker allows tracking on sites other than the site visited by the user, consent should be collected on each of the sites concerned by this tracking and the partners and the third-party companies should be well identified.
What are the sanctions and timetable?
Companies now have until the end of March 2021 to achieve compliance. This means that websites that do not have an effective consent management platform (CMP) must now implement one within the next six months. They could also find some help and guidance with the IAB’s TCF (Transparency and Consent Framework), which provides tools to achieve compliance and a list of certified CMPs under the TCF.
While the CNIL will take into account the operational difficulties of operators throughout this period, during which it will give priority to support over controls, the CNIL mentions that it retains the possibility, in accordance with the decision of the Conseil d'Etat, to sanction certain breaches. This will be particularly likely where there has been a serious breach of the right to privacy (Conseil d’Etat, 16 Oct. 2019, No. 433069).