16 October 2020
On 1 October 2020, the French Data Protection authority (the CNIL) published new guidelines on how you should use cookies and other trackers. This also included a recommendation outlining practical ways you can ensure compliance when cookies and trackers are used.
Let's explore the new guidelines and recommendation in greater detail, with a particular focus around the key consent requirement.
The use of cookies and trackers is currently regulated under Article 82 of the French Data Protection Act (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés) which implements under French law European Directive 2002/58/EC on privacy and electronic communications.
In 2013, the CNIL issued guidelines on how these rules should be construed and applied by online operators. The General Data Protection Regulation, which entered into force on 25 May 2018, has changed the requirements for obtaining valid consent and, consequently, the CNIL decided that its 2013 guidelines should be updated.
Out of this, two deliberations for the adoption of guidelines and a recommendation were issued on 17 September 2020 and published on 1 October 2020. While the objective of the guidelines is to clarify the law governing the use of cookies and trackers, the purpose of the recommendation is to guide you through the compliance process – particularly by providing practical examples of how compliance can be achieved.
The CNIL indicated that operators will benefit from a six-month transitional period to achieve compliance with these new rules, ie until the end of March 2021. During this transitional period, the CNIL won't, in principle, sanction practices which are contrary to its new guidelines, but only those that are contrary to the principles set out in its 2013 guidelines (which operators should already be compliant with).
However, the CNIL indicated that it reserves the right, under special circumstances, to sanction any breach of the new guidelines in the case such breach would result in a significant violation of privacy rights of data subjects.
In its deliberations, the CNIL focuses on the requirement of consent – ie when you are required to obtain consent, and how you do this in a valid way.
Under Article 82 of the French Data Protection Act, cookies or trackers can only be dropped and used on your site after the user has given their consent. However, prior consent is not required for certain categories of cookies and trackers.
The CNIL's guidelines provide the following examples of cookies that are exempt from consent:
The CNIL has said that even though the use of a cookie or tracker doesn't require the user's prior consent, users still need to be informed of the use of such cookies (and of their respective purpose) in the privacy or cookie policy.
Audience measurement cookies can also be exempted from consent where they are essential to the proper functioning of the website or application and therefore to the provision of the service. To be considered as essential, your audience measurement cookies:
For consent-exempt audience measurement cookies, the CNIL further recommends that their duration is limited to 13 months; it argues that this allows you enough time for analysis based around audience comparison. The CNIL also makes it clear that the information you collect through audience measurement cookies must not be stored for longer than 25 months.
Considering GDPR, you need to ensure that the consent you obtain from users is informed, specific, free and unambiguous. In its guidelines and recommendation, the CNIL provides additional explanation on each of these requirements.
Requirement for informed consent
The user shall receive at least the following information before consenting to the use of cookies or trackers:
Requirement for specific consent
You must give users the opportunity to give their consent for each specific purpose.
The CNIL states that it's acceptable to offer the possibility for users to give their consent for all purposes at the same time (for example through an "accept all cookies" button) provided that:
The CNIL also points out that you can't rely on browser settings as a means for users to provide valid consent. This means that you cannot treat a user changing their browser settings to accept or refuse cookies as valid consent either, since browser settings only allow users to accept or reject all cookies (and not to make a choice on a purpose-by-purpose basis).
Requirement for free consent
The CNIL requires you to make it as easy for users to give consent as it is to refuse consent. In this respect, the mechanism for expressing consent needs to be placed at the same level and presented in the same technical manner as the mechanism for expressing refusal.
The CNIL has also indicated that making the provision of a service or access to a website or application subject to the acceptance of cookies (ie the practice of a "cookie wall") "is likely" to prevent consent from being free "in some circumstances". This wording is the result of a decision of the French State Council (Conseil d'Etat) which censored the first version of the CNIL's guidelines issued on 4 July 2019 (French State Council, 10th and 9th chambers combined, 19 June 2020, No. 430810).
In the first version of its guidelines released in July 2019, the CNIL advised that the validity of consent was subject to the condition that the user did not suffer a major disadvantage in the event they refused or withdrew their consent. As an example of such a major disadvantage, the CNIL cited the scenario where a cookie wall makes it impossible to access a website.
Consequently, the CNIL stated that cookie walls were prohibited under all circumstances. The French State Council censored this statement; it held that, by deducing such a general and absolute prohibition from the sole requirement of free consent set out in the GDPR, the CNIL had exceeded what it can legally do in a soft law instrument. That's why, in the new version of its guidelines, the CNIL had no choice but to adopt a more moderate approach with regard to cookie walls.
Requirement for unambiguous consent
The CNIL underlines that, in line with Article 4(11) GDPR, consent must be expressed through a positive action of the user. Even if a user continues viewing a website after being informed of the use of cookies, you can no longer interpret this as valid consent. You need to collect consent through an opt-in mechanism – eg ticking a box (bearing in mind that pre-ticked boxes are prohibited) or sliders deactivated by default.
You must make it possible for users to withdraw their consent easily and at any time.
The CNIL now requires you to save the choices expressed by users (ie whether they accept or refuse the use of cookies) for a minimum period of time, so that consent is not sought again too often. At the same time, the CNIL will allow users to "forget" this data. As such, you'll need to renew the collection of consent on a regular basis. In general, the CNIL suggests implementing a six-month validity period before seeking consent again.
In its guidelines, the CNIL outlines that any organisation dropping and using cookies or trackers needs to be in a position to prove that they have obtained valid consent from users.
In the event that organisations dropping cookies don't collect the consent themselves (ie for third-party cookies), the CNIL has confirmed that including a clause in the contract stating that it's the responsibility of the other party to collect valid consent is not sufficient.
Additionally, the CNIL recommends that you make proof that valid consent was collected available to third parties, so that each controller can effectively check that valid consent was collected and demonstrate that it was, if necessary.
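As an added example (not code from the article, its authors or the CNIL), the following JavaScript sketches a consent record that follows the requirements described above: every purpose starts undecided rather than pre-ticked, accepting and refusing go through the same path, choices are stored with a timestamp and expire after six months so that consent is asked again, withdrawal is possible at any time, and each decision is logged so the record can serve as proof of consent towards third parties. The purpose names, the exempt category and the six-month constant are assumptions for illustration.

```javascript
// Added example, not from the article or the CNIL: a minimal consent record for a
// cookie banner, modelled on the requirements described in the text.
// Purpose names and the six-month validity constant are assumptions.

// Purposes that require opt-in consent (constructed list).
const CONSENT_PURPOSES = ["audience_measurement", "personalised_ads", "social_media"];
// Purposes the site treats as consent-exempt (constructed; the exact scope is for
// the operator to determine against the CNIL guidelines).
const EXEMPT_PURPOSES = ["strictly_necessary"];
// Re-ask for consent after roughly six months, the period the article says the CNIL suggests.
const CONSENT_VALIDITY_MS = 6 * 30 * 24 * 60 * 60 * 1000;

// A fresh record: every purpose is undecided (null), never pre-accepted.
function newConsentRecord() {
  const choices = {};
  for (const purpose of CONSENT_PURPOSES) choices[purpose] = null;
  return { version: 1, decidedAt: null, choices, events: [] };
}

// Record an explicit yes/no for one purpose. Accepting and refusing go through the
// same function so the two paths are symmetric, and each decision is logged with a
// timestamp so the record doubles as proof of consent. decidedAt is refreshed by any
// decision, including a refusal, so a "no" is remembered as long as a "yes".
function recordDecision(record, purpose, accepted, now = Date.now()) {
  if (!CONSENT_PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  if (typeof accepted !== "boolean") throw new Error("decision must be an explicit boolean");
  record.choices[purpose] = accepted;
  record.decidedAt = now;
  record.events.push({ at: now, purpose, accepted });
  return record;
}

// "Accept all" and "Refuse all" buttons: one call each, same cost for the user.
function acceptAll(record, now = Date.now()) {
  for (const purpose of CONSENT_PURPOSES) recordDecision(record, purpose, true, now);
  return record;
}
function refuseAll(record, now = Date.now()) {
  for (const purpose of CONSENT_PURPOSES) recordDecision(record, purpose, false, now);
  return record;
}

// Withdrawal is simply a later "no", available at any time.
function withdraw(record, purpose, now = Date.now()) {
  return recordDecision(record, purpose, false, now);
}

// A decision is only usable while it is younger than the validity window; after
// that the banner must ask again.
function isDecisionValid(record, now = Date.now()) {
  return record.decidedAt !== null && now - record.decidedAt < CONSENT_VALIDITY_MS;
}

// Gate for actually setting a cookie: exempt purposes pass (they still have to be
// listed in the cookie policy); everything else needs an explicit, unexpired "yes".
// Silence, continued browsing, or an expired choice all evaluate to false.
function mayDrop(record, purpose, now = Date.now()) {
  if (EXEMPT_PURPOSES.includes(purpose)) return true;
  return isDecisionValid(record, now) && record.choices[purpose] === true;
}

// Proof of consent for one purpose: the latest logged decision, or null if the user
// has never decided. This is what a third party whose tracker is embedded can be shown.
function proofOfConsent(record, purpose) {
  for (let i = record.events.length - 1; i >= 0; i--) {
    if (record.events[i].purpose === purpose) return record.events[i];
  }
  return null;
}
```

In a real deployment the record would be persisted (for example in a first-party cookie or server-side store keyed to the user) and the events log retained for as long as the consent is relied upon; the point of the sketch is that every cookie-setting code path calls `mayDrop` rather than assuming consent, and that a refusal is stored and honoured with exactly the same mechanics as an acceptance.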
If you'd like to discuss any of the issues raised in this article in greater detail, please contact a member of our Data Protection and Cyber team.
Authors: Marc Schuler and Benjamin Znaty