Let's explore the new guidelines and recommendation in greater detail, with a particular focus around the key consent requirement.
In 2013, the CNIL issued guidelines on how these rules should be construed and applied by online operators. The General Data Protection Regulation, which entered into force on 25 May 2018, has changed the requirements for obtaining valid consent and, consequently, the CNIL decided that its 2013 guidelines should be updated.
The CNIL indicated that operators will benefit from a six months transitional period to achieve compliance with these new rules ie until the end of March 2021. During this transitional period, the CNIL won't, in principle, sanction practices which are contrary to its new guidelines, but only those that are contrary to the principles set out in its 2013 guidelines (which operators should already be compliant with).
However, the CNIL indicated that it reserves the right, under special circumstances, to sanction any breach of the new guidelines in the case such breach would result in a significant violation of privacy rights of data subjects.
In its deliberations, the CNIL focuses on the requirement of consent – ie when you are required to obtain consent, and how you do this in a valid way.
Under Article 82 of the French Data Protection Act, cookies or trackers can only be dropped and used on your site after the user has given their consent. However, prior consent is not required for cookies and trackers.
The CNIL's guidelines provide the following examples of cookies that are exempt from consent:
Audience measurement cookies can also be exempted from consent where they are essential to the proper functioning of the website or application and therefore to the provision of the service. To be considered as essential, your audience measurement cookies:
For consent-exempt audience measurement cookies, the CNIL further recommends that their duration is limited to 13 months; it argues that this allows you enough time for analysis based around audience comparison. The CNIL also makes it clear that the information you collect through audience measurement cookies must not be stored for longer than 25 months.
Considering GDPR, you need to ensure that the consent you obtain from users is informed, specific, free and unambiguous. In its guidelines and recommendation, the CNIL provides additional explanation on each of these requirements.
Requirement for informed consent
Requirement for specific consent
You must give users the opportunity to give their consent for each specific purpose.
The CNIL states that it's acceptable to offer the possibility for users to give their consent for all purposes at the same time (for example through an "accept all cookies" button) provided that:
Requirement for free consent
The CNIL requires you to make it as easy for users to give consent as it is to refuse consent. In this respect, the mechanism for expressing consent needs to be localised at the same level and presented in the same technical manner as the mechanism for expressing refusal.
The CNIL has also indicated that making the provision of a service or access to a website or application subject to the acceptance of cookies (ie practice of "cookie wall") "is likely" to prevent consent to be free "in some circumstances". This wording is the result of a decision of the French State Council (Conseil d'Etat) which censored the first version of the CNIL's guidelines issued on 4 July 2019 (French State Council, 10th – 9th chambers reunited, 19 June 2020, No. 430810).
In the first version of its guidelines released in July 2019, the CNIL advised that the validity of consent was subject to the condition that the user did not suffer major disadvantage in the event they refused or withdraw their consent. As an example of what such a major disadvantage could be, the CNIL supplied the example of a scenario where cookie walls make it impossible to access a website.
Consequently, the CNIL stated that cookie walls shall be prohibited under all circumstances. The French State Council censored this statement; it held that, by deducting such a general and absolute prohibition from the sole requirement of free consent set out in GDPR, the CNIL had gone beyond what it can legally do, in the context of a soft law instrument. That's why, in the new version of its guidelines, the CNIL had no other choice than to adopt a moderate approach with regards to cookie wall.
Requirement for unambiguous consent
You must make it possible for users to withdraw their consent easily and at any time.
In its guidelines, the CNIL outlines that any organisation dropping and using cookies or trackers needs to be in a position to prove that they have obtained valid consent from users.
In the event that organisations dropping cookies don't collect the consent themselves (ie for third-party cookies), the CNIL has confirmed that including a clause in the contract stating that it's the responsibility of the other party to collect valid consent is not sufficient.
Additionally, the CNIL recommends that you make proof that valid consent was collected available to to third parties, so that each controller can effectively check that valid consent was collected and demonstrate that it was, if necessary.
If you'd like to discuss any of the issues raised in this article in greater detail, please contact a member of our Data Protection and Cyber team.