Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

The French Data Protection Authority Gets Ahead of the Game With New Rules on Cookie Consent Before the ePrivacy Regulation Reaches its Final Draft

The French Data Protection Authority (the CNIL) has made targeted online advertising a priority topic in its 2019-2020 agenda and has changed its position on cookie consent. Although the ePrivacy Regulation is still being debated by EU legislators and is far from being finalised, the CNIL has withdrawn its 2013 cookie recommendation and announced  that it will publish new guidelines (announcements are available in English on the CNIL’s website here and here). These explicitly rule out the use of implied or “soft” consent to place cookies on users’ devices.

Until now, the CNIL’s 2013 cookie recommendation was widely followed in France. It accepted that consent to the use of cookies could be regarded as having been provided when website users decided to keep on browsing a website after a cookie banner had been displayed to them. However, recent CNIL sanctions for failing to obtain valid consent from website or app users had cast some doubt on the CNIL’s position. Following these decisions, there has been much uncertainty regarding the requirements for the proper collection of consent for cookies and similar tracking technologies, and regarding the possibility of continuing to rely on the 2013 cookie recommendation.

In its 28 June announcement on the new guidelines on the use of cookies for direct marketing purposes, the CNIL took account of the EDPB’s guidelines on consent and explicitly excluded continued browsing on a website as a valid expression of consent.

The CNIL will issue its guidance in two phases:

  • it will publish its new guidelines on cookies in July 2019; and
  • between July and November 2019, it will work alongside industry groups and other stakeholders (advertisers, adtech intermediaries, publishers etc.) to finalize its recommendations (including on practical mechanisms for obtaining consent).

The final recommendations will be released by January 2020 and organizations will have six months (until June 2020) to achieve compliance. The exact content of the guidelines is as yet unknown, but an active expression of consent will almost certainly be required before cookies can be placed.

This means that the CNIL is effectively offering a 12-month transition period to stakeholders. During this transition period, consent should still be regarded as valid if website users decided to keep browsing after a cookie banner is displayed to them. The CNIL will continue to investigate complaints and, if necessary, check, among other things, that no cookies are placed before ‘consent’ is obtained. From June 2020, however, implied or “soft” consent will no longer be accepted.

For its part, the CNIL has already modified its own website in accordance with its new recommendations, removing the cookie banner and placing no cookies until the user has given his or her consent actively by going to the cookie management module. The UK Information Commissioner’s Office has recently made alterations to its own website relating to the use of cookies. In its recent report on Adtech and Real Time Bidding, the ICO suggested that it will continue to engage with the adtech industry and that it may undertake a further industry review in six months, depending on what it finds.