
The CNIL has published draft recommendations on how to obtain consent when placing cookies. This follows the publication in July 2019 of its revised “Guidelines on the implementation of cookies or similar tracking technologies” (see our article here).
The objective of the recommendations is to provide stakeholders with practical guidance and illustrative examples. These recommendations are neither exhaustive nor binding and data controllers are free to consider other practical measures as long as they comply with the revised rules as provided by the CNIL in July 2019. The CNIL also provides a number of “good practices” that will enable businesses to go even further in their compliance process.
Scope of consent
Consent is required for all cookies other than those necessary for the use of the website/app, whether they are used in “logged” or “un-logged” environments, and whether they are implemented by the website/app operator or a third party[1].
First, information
Before collecting consent, data controllers must ensure that proper information has been provided to users.
On a first layer of information, websites/app operators are recommended to provide information about:
(i) the purposes of the cookies (a title and a short description would suffice);
(ii) the number of data controllers who have access to the cookies (and associated data);
(iii) whether a user’s consent is also valid for tracking his/her navigation throughout other websites or apps (and which ones); and
(iv) the right to withdraw consent at any time and how (the CNIL recommends using descriptive and intuitive titles, such as “Cookie Management Form” or “Manage My Cookies”).
This information must be provided in a clear, easily accessible and exhaustive manner before seeking the user’s consent.
From this first layer, the user should be able to easily access further, more detailed information such as:
(i) a detailed description of each purpose of the cookies (e.g. via a scroll button or a hypertext link, marked “find out more” or “for more information”), and
(ii) an up-to-date list of the data controllers, their roles, and a link to their privacy policies: note that only substantial modifications to this list will require a new consent. Moreover, as good practice, the CNIL discourages the use of masking techniques that hide the identity of the entity using the cookies, such as sub-domain delegation.
The CNIL recommends that this information be accessible on all pages of the website and placed in areas of the screen that catch the attention of users or where they expect to find it. Standardised icons should be used to this end.
Obtaining valid consent
Unsurprisingly, the CNIL applies the GDPR criteria for consent: it must be freely given, specific, informed and unambiguous. The CNIL’s main recommendations are that:
- Consent should be sought purpose by purpose. Nevertheless, this does not prevent the user from giving global consent to all the purposes of the processing provided that the user has: (i) been presented with all the purposes beforehand; (ii) also been given the opportunity to give consent purpose by purpose; and (iii) can easily refuse all the purposes at the same time on the same conditions. The CNIL also recommends the use of different cookies for each distinct purpose and the use of explicit and standardised names for cookies (e.g. functionality cookies, advertising cookies, etc).
- Data subjects must be able to consent or withhold their consent with the same degree of simplicity. This implies that the acceptance and refusal mechanisms should be at the same level on the web page and presented in the same technical manner, and that no negative consequence should arise from the user’s refusal to consent to the implementation of cookies.
- If the user refuses to consent to the use of cookies, their consent will not have to be sought again for a certain period of time. The CNIL considers that this period must be identical to the duration for which the consent would have been recorded.
- Finally, the CNIL stresses the importance of a neutral design and prohibits deceptive practices that are likely to mislead the user by, for example, suggesting that user acceptance is mandatory. In this respect, it is recommended that a simple consent procedure such as tick boxes be used.
- The CNIL recommends that consent be renewed at appropriate intervals (e.g. every 6 months).
The “double proof” of consent
The controller must at all times be able to prove that:
1. the individual gave their consent, e.g. via a timestamp of the consent, the context in which the consent was collected, the type of consent collection mechanism used, and the purposes to which the user has consented; and
2. the consent mechanism meets all the requirements set out above, e.g. via deposit of the source code of the website/app from which the consent is collected with a third-party escrow agent to create a dated proof that the consent mechanism exists, screenshots of the consent interface or regular audits.
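As an added example (not code from the CNIL or the article), the consent rules above and the first element of the “double proof” can be expressed as a small browser-side consent record: one decision per purpose, symmetric accept/refuse paths, a refusal remembered for the same period as an acceptance, and the timestamp, context and mechanism kept for proof. The purpose names, the context fields and the 6-month validity are assumptions for illustration.

```javascript
// Added example, not code from the CNIL or the article: a minimal consent
// record that follows the rules described above. Purpose names, the context
// fields and the 6-month validity are assumptions for illustration.
const PURPOSES = ["analytics", "advertising", "social_media"];
const VALIDITY_MS = 182 * 24 * 60 * 60 * 1000; // about 6 months

// One decision per purpose; a purpose not explicitly accepted counts as
// refused, so there is no pre-ticked box. The record also keeps the proof
// elements the CNIL expects: timestamp, context and collection mechanism.
function recordConsent(choices, context, mechanism, now = Date.now()) {
  const decisions = {};
  for (const p of PURPOSES) decisions[p] = choices[p] === true;
  return { timestamp: now, context, mechanism, decisions };
}

// "Accept all" and "Refuse all" are symmetric: both produce a complete record.
function acceptAll(context, mechanism, now) {
  const all = Object.fromEntries(PURPOSES.map((p) => [p, true]));
  return recordConsent(all, context, mechanism, now);
}
function refuseAll(context, mechanism, now) {
  return recordConsent({}, context, mechanism, now);
}

// Withdrawal at any time: a new record is created (to be appended to the
// proof log) rather than editing the original in place.
function withdraw(record, purpose, mechanism, now = Date.now()) {
  const choices = { ...record.decisions, [purpose]: false };
  return recordConsent(choices, record.context, mechanism, now);
}

// Decide whether the banner must be shown again. A refusal is remembered for
// the same period as an acceptance, so a refusing user is not re-prompted
// sooner. A purpose added since the record was made also requires new consent.
function mustReprompt(record, now = Date.now()) {
  if (!record) return true;
  if (!PURPOSES.every((p) => p in record.decisions)) return true;
  return now - record.timestamp >= VALIDITY_MS;
}

// Only purposes actually consented to may set their (non-essential) cookies.
function allowedPurposes(record) {
  if (!record) return [];
  return PURPOSES.filter((p) => record.decisions[p] === true);
}
```

In practice the record would be persisted client-side and each record (including withdrawals) appended to a server-side log, which together with escrowed source code or interface screenshots forms the second half of the proof.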
This draft is subject to public consultation until February 25, 2020 and a final version should be released soon after.
Our take
Regulators across the EU are taking an increasingly strict approach to the rules on cookies. The adtech industry is already reacting to the consequences of this reality. Google, for example, has recently announced its intention to block third-party cookies in Chrome web browsers within two years, following the example of its competitors Safari and Firefox.
In France, the CNIL has announced a transition period of 6 months from the publication of the final recommendation (following the public consultation). Website operators therefore have until the end of the summer of 2020 before risking any sanction. However, international organisations should be aware that, so far, other EU data protection authorities have issued substantially similar recommendations without granting any grace period for their implementation.[2] It is therefore advisable to start reviewing internal cookie practices and policies now in order to comply with the CNIL’s recommendations and “good practices”.
[1] The CNIL follows the CJEU approach in the Fashion ID case (see our article on the subject here).
[2] In October 2019, the Spanish data protection authority fined Vueling Airlines EUR 30,000 for not giving users of its platform the possibility to refuse cookies and trackers.