French data protection authority publishes new guidelines for using cookies and other trackers

Briefing

On 1 October 2020, the French Data Protection authority (the CNIL) published new guidelines on how you should use cookies and other trackers. This also included a recommendation outlining practical ways you can ensure compliance when cookies and trackers are used.

Let's explore the new guidelines and recommendation in greater detail, with a particular focus around the key consent requirement.

Cookies and trackers guidelines: the story so far

The use of cookies and trackers is currently regulated under Article 82 of the French Data Protection Act (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés) which implements under French law European Directive 2002/58/EC on privacy and electronic communications.

In 2013, the CNIL issued guidelines on how these rules should be construed and applied by online operators. The General Data Protection Regulation, which entered into force on 25 May 2018, has changed the requirements for obtaining valid consent and, consequently, the CNIL decided that its 2013 guidelines should be updated.

Out of this, two deliberations for the adoption of guidelines and a recommendation were issued on 17 September 2020 and published on 1 October 2020. While the objective of the guidelines is to clarify the law governing the use of cookies and trackers, the purpose of the recommendation is to guide you through the compliance process – particularly by providing practical examples of how compliance can be achieved.

The CNIL indicated that operators will benefit from a six months transitional period to achieve compliance with these new rules ie until the end of March 2021. During this transitional period, the CNIL won't, in principle, sanction practices which are contrary to its new guidelines, but only those that are contrary to the principles set out in its 2013 guidelines (which operators should already be compliant with).

However, the CNIL indicated that it reserves the right, under special circumstances, to sanction any breach of the new guidelines in the case such breach would result in a significant violation of privacy rights of data subjects.

Consent is the key focus

In its deliberations, the CNIL focuses on the requirement of consent – ie when you are required to obtain consent, and how you do this in a valid way.

What does the consent requirement cover?

Under Article 82 of the French Data Protection Act, cookies or trackers can only be dropped and used on your site after the user has given their consent. However, prior consent is not required for cookies and trackers.

designed solely to carry out or facilitate the transmission of a communication over an electronic communications network, or
which are strictly necessary to provide an online communication service explicitly requested by the user.

The CNIL's guidelines provide the following examples of cookies that are exempt from consent:

cookies that record the choice of the user to consent or not to the use of cookies
cookies used for authentication purposes
cookies that store the content of a shopping cart on an eCommerce website which allows the invoicing of the user for products and/or services
cookies used for the personalisation of the interface (eg choice of language) when such personalisation is an essential and expected as part of the service
cookies necessary for load balancing the equipment supporting a communication service, and
cookies used by commercial websites to limit free access to a sample of content requested by users (predetermined quantity and/or over a limited period of time).

The CNIL has said that even though the use of a cookie or tracker doesn't require the user's prior consent, users still need to be informed of the use of such cookies (and of their respective purpose) in the privacy or cookie policy.

Audience measurement cookies can also be exempted from consent where they are essential to the proper functioning of the website or application and therefore to the provision of the service. To be considered as essential, your audience measurement cookies:

must be used solely to measure the website or application's audience, exclusively for the publisher
won't allow the user to be tracked on different applications or websites, and
will only be used to produce anonymous statistical data, which must not be combined with other processing activities or disclosed to third parties.

For consent-exempt audience measurement cookies, the CNIL further recommends that their duration is limited to 13 months; it argues that this allows you enough time for analysis based around audience comparison. The CNIL also makes it clear that the information you collect through audience measurement cookies must not be stored for longer than 25 months.

Conditions to obtain valid consent

Considering GDPR, you need to ensure that the consent you obtain from users is informed, specific, free and unambiguous. In its guidelines and recommendation, the CNIL provides additional explanation on each of these requirements.

Requirement for informed consent

The user shall receive at least the following information before consenting to the use of cookies or trackers:

The identity of the data controller(s) responsible for dropping cookies (ie first party cookies and third-party cookies). In this respect, publishers shall provide an exhaustive list of all the third parties dropping cookies on their website or application and include a link to their privacy policies.
The purpose of the cookies/trackers. The CNIL recommends that publishers organise two level of information: a first level of information where each purpose is presented in a short, highlighted title with a brief description and a second level of information with a more detailed explanation of the purposes.
Clear indication on how to accept or refuse cookies/trackers. There must be no ambiguity on how to accept or refuse cookies/trackers.
Explanation on the consequences if the user refuses or accepts cookies/trackers.
The existence of a right to withdraw consent and explanation on how to exercise it.

Requirement for specific consent

You must give users the opportunity to give their consent for each specific purpose.

The CNIL states that it's acceptable to offer the possibility for users to give their consent for all purposes at the same time (for example through an "accept all cookies" button) provided that:

all purpose to which ther userconsents are listed so that the user understands the scope of his or her consent
the user is also provided with the possibility to refuse all cookies (eg with a "refuse all cookies" button) and
the user has the possibility to accept or refuse cookies/trackers purpose by purpose (eg with a third "cookie parameters" button).

The CNIL also points out that you can't rely on browser settings as a means for user's to provide valid consent. This means that you cannot consider users changing their browser's settings to accept or refuse cookies as providing valid consent either, since browser settings only allow users to accept or reject all cookies (and not to make a choice on a purpose-by-purpose basis).

Requirement for free consent

The CNIL requires you to make it as easy for users to give consent as it is to refuse consent. In this respect, the mechanism for expressing consent needs to be localised at the same level and presented in the same technical manner as the mechanism for expressing refusal.

The CNIL has also indicated that making the provision of a service or access to a website or application subject to the acceptance of cookies (ie practice of "cookie wall") "is likely" to prevent consent to be free "in some circumstances". This wording is the result of a decision of the French State Council (Conseil d'Etat) which censored the first version of the CNIL's guidelines issued on 4 July 2019 (French State Council, 10th – 9th chambers reunited, 19 June 2020, No. 430810).

In the first version of its guidelines released in July 2019, the CNIL advised that the validity of consent was subject to the condition that the user did not suffer major disadvantage in the event they refused or withdraw their consent. As an example of what such a major disadvantage could be, the CNIL supplied the example of a scenario where cookie walls make it impossible to access a website.

Consequently, the CNIL stated that cookie walls shall be prohibited under all circumstances. The French State Council censored this statement; it held that, by deducting such a general and absolute prohibition from the sole requirement of free consent set out in GDPR, the CNIL had gone beyond what it can legally do, in the context of a soft law instrument. That's why, in the new version of its guidelines, the CNIL had no other choice than to adopt a moderate approach with regards to cookie wall.

Requirement for unambiguous consent

The CNIL underlines that, in line with Article 4(11) GDPR, consent must be expressed through a positive action of the user. Even if a user continues viewing a website after being informed of the use of cookies, you can no longer interpret this as valid consent. You need to collect consent through an opt-in mechanism – eg ticking a box (bearing in mind that pre-ticked boxes are prohibited) or sliders deactivated by default.

Withdrawal and duration of consent

You must make it possible for users to withdraw their consent easily and at any time.

The CNIL now requires you to save the choices expressed by users (ie whether they accept or refuse the use of cookies) for a minimum period of time, so that consent is not sought again too often. At the same time, the CNIL will allow users to "forget" this data. As such, you'll need to renew the collection of consent on a regular basis. In general, the CNIL suggests implementing a six-month validity period before seeking consent again.

Proof of consent

In its guidelines, the CNIL outlines that any organisation dropping and using cookies or trackers needs to be in a position to prove that they have obtained valid consent from users.

In the event that organisations dropping cookies don't collect the consent themselves (ie for third-party cookies), the CNIL has confirmed that including a clause in the contract stating that it's the responsibility of the other party to collect valid consent is not sufficient.

Additionally, the CNIL recommends that you make proof that valid consent was collected available to to third parties, so that each controller can effectively check that valid consent was collected and demonstrate that it was, if necessary.