On 19 July the French Data Protection Authority (the “CNIL”) published new guidelines on cookies and trackers. These replace the existing Recommendation No. 2013-378 of 5 December 2013, are intended to be in line with relevant GDPR provisions and have been produced in anticipation of the future ePrivacy Regulation. The guidelines will be supplemented, at a later stage, with sectoral recommendations setting out practical methods for obtaining consent. These sectoral recommendations will be included in a final version of the guidelines on cookies and trackers open for public consultation, which will then be subject to final adoption by the CNIL (expected early 2020).
The Scope of the Guidelines
The new guidelines apply to all types of operations involving cookies and trackers on any type of device, including smartphones, computers, connected vehicles and any other object connected to a telecommunications network open to the public.
Giving Consent – no more soft opt in
The guidelines clarify that cookies and trackers cannot be used until the user has expressed his or her freely given, specific, informed and unambiguous consent. In order to be validly obtained, consent must fulfil the following conditions:
- Freely Given: The user should not suffer any major inconvenience if they refuse to give or withdraw their consent. The practice of blocking access to a website or a mobile application unless consent is provided does not comply with the GDPR.
- Specific: The user must give his or her consent specifically for each distinct purpose. Blanket acceptance of general terms and conditions of use does not constitute valid consent.
- Informed: Information provided to users must be clearly and simply written, enabling users to be fully informed about the different purposes of the cookies and/or trackers used. The information must be complete and conspicuously visible at the time of obtaining consent. If information is necessary for informed decision-making, it should not only be provided in terms and conditions.
- Unambiguous: Consent should require a positive action to opt in. Merely continuing to browse a website, use a mobile application or scroll down the page of a website or a mobile application can no longer be considered as valid consent. Similarly, the use of pre-checked boxes and/or the blanket acceptance of terms and conditions cannot be considered valid consent.
- Revocable: Users should be able to withdraw their consent at any time. User-friendly solutions must therefore be implemented to allow users to withdraw their consent as easily as they have given it.
Operators’ Roles and Responsibilities
An operator using cookies and trackers is considered to be a controller and is therefore fully responsible for obtaining valid consent. Third parties using cookies and trackers are independently responsible for obtaining valid consent.
The guidelines do not require prior consent:
- when cookies or trackers are used exclusively to facilitate communication by electronic means; or
Regarding cookies and/or trackers used to measure traffic or test different versions of the site or application, the CNIL guidelines provide that the purpose of the system measuring traffic, to be exempted, must be limited to (i) audience measurement of the content viewed in order to allow the evaluation of published content and the ergonomics of the site or application, (ii) segmentation of the website audience into cohorts in order to evaluate the effectiveness of editorial choices, without this leading to targeting a single individual and (iii) dynamic modification of a site in a global way. The personal data collected must not be cross-referenced with other processing operations (customer data or statistics on visits to other sites, for instance) or provided to third parties. The use of trackers must also be strictly limited to the production of anonymous statistics. The scope of such system must be limited to a single website or mobile application publisher and must not allow the tracking of the website user’s browsing on other websites or mobile applications.
Users must, however, still be informed about the existence of such cookies or trackers and their purpose.
Operators have six months from the publication of the CNIL’s final guidelines, (expected at the beginning of next year) to comply with the new rules. Notwithstanding this grace period, however, the CNIL will continue to monitor and enforce compliance with existing and unchanged data protection rules.