In a 16 December decision, the French data protection authority (the “CNIL”) issued new recommendations (French language only) on how businesses should implement the so-called “cookie consent law.”
The cookie consent law was one of the main features of November 2009 Telecoms Package that revised the 2002 ePrivacy Directive. The revised version of section 5(3) of the ePrivacy Directive provides:
[any use of] electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information.
This provision generated many questions as to the level of information required and the means of effectively obtaining the consent of users prior to the placement of cookies. Several authorities (e.g., the United Kingdom’s Information Commissioner’s Office and the Article 29 Working Party – see our blog entry of 16 October 2013) issued recommendations on the matter.
In December 2011, the CNIL published a brief article on implmentation of the cookie consent law. The new Recommendation on cookies summarizes the obligations to which website operators are subject and provides guidance to both professionals and internet users. It is the result of a recent study conducted by the CNIL in cooperation with the main French professional organizations. In addition to its Recommendation, the CNIL also published a set of frequently asked questions as well as technical tools and relevant source code (all French language only).
The most notable element of this recommendation is the fact that the CNIL adopts a more flexible approach to the fashion in which website publishers may obtain consent from users. Indeed, according to the Recommendation, the web publisher is required to put up a banner informing the user (i) about cookies and their purposes, (ii) the user’s ability to refuse some or all of the cookies by clicking on a link, and (iii) that continuing to navigate will constitute consent. The true novelty lies in the fact that, if the user clicks onward to navigate on that site, such click will be deemed to constitute valid consent. Previous positions from the CNIL clearly required that the user effectively clicked on a “yes” or “I consent” box before consent would be deemed valid.
The CNIL states that the term of validity of the cookies should not exceed a period of thirteen months. After the expiry of that period, a new consent should be obtained from the user.
The CNIL considers that web publishers and ad networksto be jointlyresponsible for compliance with the recommendations. Previously only web publishers were considered to beresponsible for compliance.
As before, analytics cookies are excluded from the opt-in, provided the user is informed and has the ability to opt-out. The CNIL also clarified the categories of cookies it considers to be strictly necessary for the provision of an online communication service as expressly requested by the user and therefore excluded from the requirements of the law. Such cookies include “shopping basket” cookies on a merchant website, session ID cookies for the term of the session, authentication cookies, multimedia player session cookies, load balancing cookies and persistent user interface customization cookies as well as some analytics cookies.
The recommendation published by the CNIL also provides guidance to internet users in the form of an educational video explaining what cookies are and what they are used for. It also provides practical guidance on how to block cookies and similar technologies.
Finally, the CNIL refers to a new tool which it has developed, Cookieviz. Cookieviz analyses the interactions between a computer, a browser, websites and servers and allows internet users to see where the information collected by the website they have accessed are sent.