Using cookies in France
The data controller will only be allowed to use a cookie if the above steps are complied with and the user consents to the proposed use.
Cookies not governed by law
- cookies used in virtual shopping baskets on an e-commerce website;
- sessionID cookies enabling actions of the user to be linked where it is necessary to provide the service;
- cookies where the sole purpose is to secure the service required by the user;
- cookies enabling registration of the user's language preference or other preferences necessary for the provision of the service;
- Flash cookies containing elements that are strictly necessary for the use of a media player (audio or video) in relation to the context required by the user.
The role of the data controller
The data controller is responsible for informing the user and obtaining their consent in relation to cookies they intend to use. However, the data controller can pass these obligations on to a third-party representative, for example, the advertiser in the event of third-party advertising or, where the data controller is based outside of France, it may choose to elect a representative in France to discharge its obligations. Despite passing on obligations to a third party, a data controller will be held liable where the third party does not comply with the cookie requirements. It is therefore important that, where a data controller subcontracts to a third party or allows a third party to place cookies on its website, a formal agreement is entered into which clearly sets out each party's obligations and, where possible, indemnifies the data controller.
Consent is considered adequate if it is given freely by the user. Consent must be in relation to a specific cookie with a clear purpose, which the user has been informed of and been given the opportunity to reject.
Below are examples of valid consent processes:
- a banner on the header of a web page;
- a 'consent' section superimposed on the website; or
- a tick box to select before subscribing to an online service.
The Mozilla "do not track" mechanism is an example of a web browser developing a new mechanism that enables users to express their privacy preferences in relation to cookies. A cookie can be used to memorise a user's refusal to receive cookies.
What to avoid
A web browser which accepts any and all cookies without distinguishing between them would not fulfil the data controller's obligations under current law. However, parameterisation of web browsers can be modified in order to allow the user to choose which cookies are accepted and for what purpose. The CNIL has expressed concerns that website parameterisation does not provide the user with clear and complete information about the proposed cookies before consent is given and that the mechanism is hard to implement. Mechanisms like 'pop-ups' should not be used to obtain consent as they are often blocked by web browsers.
The CNIL may issue fines of up to €300,000 for failure to comply with the law. In relation to complaints or inspections, the CNIL will take into account the data controller's actions to achieve compliance.