On 4 July 2019, the CNIL published new guidelines on cookies and other similar technologies, repealing its 2013 cookie guidance in order to align its position with the GDPR’s new requirements on consent. These guidelines will be supplemented during the first quarter of 2020 by sectoral recommendations aimed at providing practical guidance to stakeholders on how to collect consent.
We have set out below the key points to note from the CNIL’s revised guidance:
1. Not just guidance on cookies
The rules apply to operations aimed at accessing, by electronic transmission, information already stored in the subscriber’s or user’s terminal or to store information in this equipment.
Consequently, the guidance applies to the use of HTTP cookies but goes beyond by also covering the use of other techniques such as “local shared objects” (sometimes called “Flash cookies”), “local storage” implemented within HTML 5 or fingerprinting systems (hereafter referred to, collectively as “trackers”).
The guidance also clarifies that the rules apply to commonly used devices such as smartphones, tablets, fixed or mobile computers, connected vehicles, games consoles, smart TVs or voice assistants where trackers are used.
Finally, the CNIL reiterates, as it did in its 2013 guidance, that the information (stored and/or accessed) does not have to be personal data within the meaning of the GDPR for the consent rule to apply.
2. Measures on how to obtain consent
There are two key changes:
- implied consent can no longer be relied on. In practice, this means that continuing to browse a website or use an app is no longer a valid expression of consent. Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the user’s agreement (e.g. ticking a box would be accepted whereas pre-checked boxes would not). The guidance also clearly states that browser settings cannot, based on the current state of this technology, allow the user to express valid consent; and
- stakeholders operating trackers must implement mechanisms to demonstrate, at all times, that they have obtained the consent of users.
Among other key points to note from the guidelines in relation to consent:
- cookie walls (i.e. barring access to a website or mobile application for those who do not consent to being tracked) are generally prohibited;
- a global acceptance of general terms and conditions of use is not a valid method of obtaining consent since it cannot be given separately for each purpose;
- information must be written in simple terms that are understandable to all, and it must allow users to be fully informed of the different purposes of the trackers used. The information must be complete, visible and prominent when collecting the consent. A mere reference to the general conditions of use is not sufficient. In practice, users must receive, prior to the collection of their consent, at least the following information: (i) the identity of the controller(s), (ii) the purpose of the data processing activities, and (iii) the existence of the right to withdraw consent.
In light of the above, the CNIL specifies in its guidance that an exhaustive and regularly updated list of the entities using trackers must be made available to the user when collecting his/her consent; and
- it must be as easy to withdraw as to give consent. User-friendly solutions must therefore be implemented in that respect (the guidance does not, however, provide any practical advice or tips).
3. Exceptions to the consent rule
The exceptions as applied in 2013 continue to apply for the following trackers:
- those with the exclusive purpose of enabling or facilitating communication by electronic means (e.g. cookies allowing the detection of transmission errors or data loss); and
- those that are strictly necessary for the provision of an information society service at the express request of the user (e.g. shopping basket cookies for a merchant site or authentication cookies).
In some cases, audience measuring (e.g. analytics) trackers may be regarded as necessary for the provision of the service explicitly required by the user without being particularly intrusive to them, and may therefore not require consent. For instance, traffic statistics and tests to evaluate the performance of different versions of the same website enable publishers to detect browsing issues on their website or application. To benefit from this exemption, the guidance provides a strict list of requirements that must be met, including that:
(i) users must be informed of the use of these types of trackers in advance of using them;
(ii) the use of trackers must be strictly limited to the production of anonymous statistics and be subject to a limited lifespan; and
(iii) the personal data collected must not overlap with other processing operations (e.g. customer databases or statistics on visits to other websites) nor be transferred to third parties.
4. Status of the different actors using trackers
The guidance distinguishes between situations where different parties use trackers and therefore process personal data pursuant to the GDPR:
- Where the use of trackers involves just a single entity, that entity is fully responsible for the collection of consent (e.g. a website publisher who uses trackers for statistical purposes on the use of its service) and would be the sole data controller of any personal data it processes in connection with the trackers;
- Where several actors contribute to the reading or writing operations of trackers covered by the guidance (e.g. a website publisher and an advertising agency placing trackers when consulting a website), the guidance merely states that these entities may be considered as “unique” data controllers, joint controllers or data processors; and
- Third parties using trackers will be fully and independently responsible for the trackers they use and therefore for obtaining the consent of users, although in practice they may contractually require the website publisher to seek consent on their behalf.
An entity will be acting as a data processor if it enters information and/or accesses information stored in the terminal equipment of a subscriber or a user exclusively on behalf of a data controller and without further use of the data collected via the tracker on its own behalf. In this case, an agreement compliant with article 28 GDPR will have to be entered into.
These new guidelines closely follow the updated cookie guidance released by the UK ICO on 3 July 2019 (see our blog post here). Some key points are in line with the ICO guidance such as (i) the fact that implied consent is no longer acceptable, (ii) terms and conditions cannot be used as a method for obtaining consent, and (iii) that users must be able to identify all parties placing trackers in order for consent to be informed.
Although the CNIL has announced a 12 month “grace period” to comply with these new rules, as they will be supplemented in 2020 (see its press release dated 28 June 2019), it would be advisable, in light of the position other EU regulators are taking alongside the recent CJEU and national decisions, to start taking steps to comply with this new consent rule. International organizations in particular must be aware that this “grace period” initiative is not necessarily shared by other EU data protection authorities, and it has already given rise to strong reactions in France, most notably from the French association named the “Quadrature du Net”, as mentioned in our last blog post here. We would therefore recommend that our clients review their current cookie practices along with their cookie policies in order to start their compliance process.
For more information, the CNIL’s press release is available here.
On 29 July 2019, the association filed an appeal with the French Council of State against the CNIL’s decision to accept browsing of a website as an expression of consent to trackers during the grace period.