CNIL Guidelines on Cookies and Other Trackers
Recently, CNIL announced new guidance on cookies and online trackers (Guidelines). Operators of websites and devices such as tablets or computers (Operators) that fall under CNIL’s authority are required to comply with these Guidelines. CNIL has authority over information systems that process personal data in France. For Operators that process personal data across multiple member states, additional data protection authorities may have jurisdiction as well. Other Operators will benefit from reviewing the requirements for best practice purposes.
The Guidelines are particularly applicable to Operators’ use of HTTP cookies, as well as other technologies such as:
- Local shared objects, frequently referred to as “Flash cookies”;
- Local storage;
- Fingerprinting-based identification;
- Identifiers generated by operating systems, such as an Android ID; and
- Hardware identifiers, such as a MAC address.
These are most commonly used on websites, as well as on devices such as connected televisions and other Internet-connected devices. Further, the Guidelines will apply to all Operators that process data for French residents.
France’s court ruling from earlier this year held that CNIL cannot completely forbid “cookie walls,” which are website designs that require a user to accept cookies before being able to access the contents of the website. However, CNIL has edited its Guidelines to state that the lawfulness of cookie walls must be assessed on a case-by-case basis. In the event that a cookie wall is used, the user should be clearly notified that it is impossible to access content without consent. Otherwise, the cookie wall or banner should go away promptly, so it does not interfere with the user’s access to the content or otherwise sway the user to consent.
Accept and Deny Options
CNIL states the following for ensuring appropriate consent is received:
- Equal Accessibility. In line with similar statements from other regulators, CNIL emphasizes that a “deny” or “refuse” option must be as equally accessible as an “accept” option when collecting consent.
- Design. The design of the consent options is also important, so the “deny” option should be just as large and prominent as the “accept” option. The formatting for each option should be identical or equivalent. Universal “accept all” or “refuse all” options are acceptable to capture multiple cookie purposes, if all purposes are clearly disclosed.
- Ability to Withdraw Consent. The ability to withdraw consent must also be readily available at all times. The Guidelines suggest a link titled “manage my cookies” or “cookie” where users can provide or decline consent at any time.
- List of Controllers. A list of data controllers and processors involved in collecting data should be made accessible to users. This list should be available at any time and in areas where users expect to find it.
Keep Decision for 6 Months, Then Renew Consent
CNIL recommends that Operators retain user consent choices for six months, although retention periods may vary depending on the particular type of cookie. Operators should refrain from requiring users to provide consent on every new visit, as this may cause consent fatigue and infringe users’ freedom of choice. When determining the consent period, Operators may consider the nature of the site or application and the expectations of its users.
Exempt From Consent Requirements
In one of its most helpful clarifications, CNIL provided examples of certain cookies that may be used without obtaining user consent. These are:
- Cookies for complimentary access to a sample of content;
- Audience measurement cookies, provided that the cookies don’t track users across multiple sites and only create anonymous measurements;
- Cookies storing users’ consent choice;
- Cookies for authentication and the security of authentication mechanisms, such as cookies that limit repeated password attempts;
- Cookies intended to store items in a shopping cart or for billing purposes;
- User interface customization cookies; and
- Language preference cookies.
Operators have a six-month transition period to comply with the Guidelines, until the end of March 2021. CNIL will then conduct audits and bring enforcement actions. As always, Operators must also ensure that they are complying with both the ePrivacy Directive and the General Data Protection Regulation. The full text of the Guidelines is only available in French. The revised Guidelines are available here, the final recommendations are available here, and the FAQs are available here.