CNIL (French Data Protection Authority): Recommendations draft - January 2020
On July 4th, 2019, the CNIL (French Data Protection Authority) published new guidelines about cookies and other trackers to replace its previous recommendations of 2013 that have become obsolete with GDPR. From September 2019 to January 2020, a period of consultation with professionals in the sector was conducted to gather opinions on the different questions at stake and better understand the market issues.
On January 14th, 2020, the CNIL launched a public consultation on its draft recommendations "Cookies and other trackers" that details the practical methods for consent collection according to its directive of July 2019. This consultation will end on February 25th and the final recommendations will be voted upon. However, the CNIL will allow a transition period that will end in September 2020 for companies to enforce these new recommendations.
Didomi is building out all of the options to comply with the new requirements from the CNIL and will make them available in the Didomi console. Your organization will need to enable these new features if you want to use them. We recommend that all French publishers or publishers with traffic from France activate those options.
Below are several important elements that your organization will need to implement in order to obtain valid consent according to the CNIL:
To summarize, here is what you must display in the first layer of a consent notice:
The list of detailed purposes.
The list of data controllers who process the data collected.
The list of sites/applications for which consent is collected.
The ability of withdrawal at any time.
If consent is requested globally, an "I accept all" button and an "I refuse all" button.
The lifetime of cookies and possibly the categories of data collected are considered as "best practices.
Informed consent
It is still possible to collect consent globally at the first layer of a consent notice. The purposes must be clear, comprehensive and it must be possible to globally accept but also to globally refuse all the cookies. A link presenting the detailed purposes must be proposed to the end-user, it can allow the information to be displayed directly on the first layer or refer to the second layer of the consent notice. End-users must also be informed of which data controllers process their data on the first layer of information. A link to this list which is easily accessible by users is recommended.
It is not necessary to ask again for end-user consent each time a new partner is added, except in the case of a substantial "qualitative or quantitative" addition. On the other hand, a link must be available to end-users so that they can keep themselves informed about the partners' updates. This link can be included in the module which allows to re-display the consent collection banner. The CNIL proposes to change the color of the link leading to partners to warn users of a change in the list. If a collection of end-user consent is shared between domains or apps, end-users must be informed on the first layer of information of the other websites and applications for which their consent is collected.
Free consent
For the consent to be free, the "Accept All" button present at the first layer of a consent notice must come with a "Refuse All" button. The buttons must have the same visual appearance and the same size so as to not influence the choice of the end-user. The presence of a simple "Learn more" link next to the "Accept Al" button is not sufficient. It must be as easy to accept as to refuse for the end-user.
The end-user must not be penalized and suffer prejudice if they refuse the trackers. The refusal must be registered for the same period as if they had accepted in order not to represent the banner too frequently and therefore not to influence the end-user's choices.
It also remains possible not to choose immediately, for example by adding a cross or a button "Set my cookies later". No cookie should be placed until the user has clicked on "I accept" or has configured their choices. End-users can be asked for consent until they have made a choice.
Specific consent
All purposes must be presented in details (e.g. via a link or drop-down text below the purpose). Specific consent by purpose must be possible and can be offered within a second layer of the consent notice. The text leading to the second view should be clear (we recommend "Learn more about cookies" or "Configure my cookies").
Unambiguous consent
The accept and refuse buttons must have a similar or even identical design. No visual design should influence the end-user's choice.
Withdrawal and duration of the consent
End-users must be informed on the first layer of the possibility to withdraw their choices at any time. The link that allows them to change their choices must be accessible on all pages in a visible place and throughout the navigation duration. The text referring to the consent collection banner must be clear and intuitive, such as "Manage my cookies" or "Cookie preferences".
Users should also be informed about the lifetime of cookies. Concerning the duration of the consent, the CNIL says 6 months after which it would be necessary to request consent again from the end-user.
Proof of consent
It is necessary to be able to provide proof of the end-user's consent. The data must be precise and must indicate the date, time, version of the consent notice used and the sites/applications on which consent has been given.
However, only the necessary information has to be collected after consent. The CNIL suggests that a cookie should be created and associated for each specific purpose.
Last updated