CNIL (French Data Protection Authority): Updated cookie guidelines - July 2019

On June 28, 2019, the CNIL (French Data Protection Authority) announced its plan of action for the year 2019/2020 and decided to better control online advertising targeting.

The guidelines of the European Data Protection Board (EDPB) on consent have strengthened the conditions of valid consent and have therefore rendered obsolete the previous CNIL recommendations on the subject. As a result, the CNIL adopted new guidelines on cookies and other trackers on July 4, 2019 and withdrew its 2013 recommendations, which were no longer compliant with the General Data Protection Regulation (GDPR).

The CNIL is allowing a twelve-month transitional period for operators after the publication of its new guidelines to become compliant, but only for the points that diverge from the previous 2013 directives.

Concurrently, consultations with professionals are scheduled from September 2019 to January 2020 in order to publish (in early 2020) a final recommendation proposing the operational modalities for the collection of consent. Operators will have 6 months to comply after this publication.

New CNIL guidelines

The deliberations of July 4, 2019 include a total of 7 articles.

Article 1

This article begins by clarifying the scope of the guidelines. It applies to "all operations intended to access, by electronic transmission, information already stored in the subscriber's or user's terminal or to enter information in that equipment".

This includes all trackers that are deposited on mobile, tablet, computer, television or video game console and more generally on any device connected to a telecommunications network open to the public. The CNIL says that this regulation applies to all data including data that is not personal data. It is, therefore, necessary to obtain end-user consent for the tracker deposit, even if the information collected is not personal data. Additionally, all personal data processing on these trackers is subject to the GDPR.

Article 2

The CNIL states the cases in which the collection of consent is considered valid. As a first step, it asserts that consent is valid only if the end-user does not suffer major inconveniences in the case of refusal or withdrawal of consent. It reminds operators that it is not GDPR-compliant to block access to the site or app if the end-user refuses to give consent.

Consent must be specific for each different purpose and these must be simple and understandable. It is still acceptable to let the end-user accept all purposes with a single button, but the end-user must also be able to make granular/specific consent choices (i.e. an "Accept All" button must also be accompanied by a link that allows the end-user to make granular choices). As such, acceptance of the terms and conditions is not considered a valid consent for cookie deposits.

Before the collection of consent, the identity of the controller, the purposes (texts containing all the purposes), the partners present on the site (link on the first page to view the partners), and the existence of the right to withdraw consent must be clearly visible.

The CNIL considers that continuing to browse the website/application or scrolling through the page of a site or application are not clear positive actions and, therefore, do not constitute valid consent.

Publishers must also be able to prove at any time the existence of valid consent. When publishers use a subcontractor for this, a simple clause is not enough to fulfill this obligation.

Article 3

The CNIL specifies that the actors depositing trackers/cookies on the website of a publisher and processing data on their behalf may be data controllers.

Article 4

The browser's settings are not sufficient and do not allow the user to give valid consent.

Article 5

Some trackers, such as those for audience measurement or optimization, can be regarded as essential cookies and thus can be exempted from consent, but only under certain strict conditions.

Article 6

Trackers that are strictly necessary for the provisioning of the service at the request of the user and those for providing or facilitating communication do not need consent.

Article 7

This article overturns the old directive of the CNIL of 2013.

A crucial takeaway from the new recommendations is that it is no longer acceptable to collect consent through continuing to browse the website and that each publisher must be able to prove at any time that they obtained the consent in question with respect to the legal requirements.

Moreover, even if the CNIL gives publishers a transitional period to comply with these new requirements, it will check that no cookies are dropped before user consent.
