Cookies and similar technologies: pending EU e-Privacy Regulation, the CNIL steps in
The French regulator (the CNIL) unveils its new doctrine on cookies
22 October 2020
This article takes a look at the new rules and guidance on cookies.
CNIL's original recommendations on cookies and similar technologies were issued in 2013, pre-GDPR, and had become outdated.
Against this background, the CNIL has issued new guidelines on cookies and practical recommendations to help stakeholders on the implementation of such guidelines.
The new guidelines and recommendations aim at upgrading cookie rules in France by implementing GDPR requirements in the cookie environment – "Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her." (Recital 32 of the GDPR).
By application of these new rules, the President of the CNIL (Marie-Laure Denis) expects two major improvements: (i) much clearer and more transparent information on cookie purposes and (ii) a major simplification of cookie refusal processes.
However, members of the online advertising industry are concerned by a possible increase of cookie refusals, which would undermine personalized communications, and thus advertising revenues. Moreover, the online advertising industry will have a significant amount of work to do in order to bring websites and applications into compliance with the new rules, which we explore below.
Pursuant to the GDPR, a user shall be provided with a genuine free choice and be able to refuse or withdraw his/her consent with no consequences. Moreover, the user shall have the possibility to give his/her consent separately for each relevant purpose of processing that is based on consent.
In this perspective, the CNIL considers that:
- Cookie walls may, in certain circumstances, constitute a breach of freedom of consent. In any case, users should be clearly informed of the consequences of their choice, notably the fact that they would not be able to access the relevant website where they do not give their consent to cookies.
- Single consent forms covering several purposes of processing are problematic, as they do not allow users to freely choose which cookie purposes they accept, putting them in a situation where they have to consent to a bundle of purposes.
Organisations should, to the extent possible, avoid legal and technical jargon, and at least provide information on the following:
- Identity of the controller;
- Cookie purpose;
- Process for accepting or refusing cookies;
- Consequences for not accepting cookies; and
- The existence of a right to withdraw consent.
Advertising industry professionals have expressed concern regarding these requirements, notably in respect of the designation of the controllers, given the difficulty of being comprehensive in the advertising ecosystem and the fact that the list of concerned stakeholders is constantly evolving.
A clear affirmative action – Continued browsing is not valid consent
According to the CNIL, the mere continued browsing on a website or use of a mobile application cannot amount to a valid cookie consent.
Cookie consent must result from a clear affirmative action of the user, such as clicking on an "I accept" button in a cookie banner or ticking a slider button.
Though organisations have to a certain extent anticipated this requirement since the entry into force of the GDPR, it constitutes a major shift in cookie practice, as the CNIL previously considered continued browsing as valid (implicit) consent.
Organisations shall always be in a position to demonstrate that they have obtained a free, informed, specific and unambiguous cookie consent from the user.
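The requirements set out above (per-purpose choice, refusal and withdrawal with no consequence, no consent inferred from continued browsing, and the ability to demonstrate consent) translate directly into how a site's consent mechanism must be built. The following is an added illustration, not code from the article or from the CNIL: a small consent gate in which non-exempt cookies are only written after an explicit user action covering their purpose, every decision is logged as a consent record, and withdrawal purges cookies whose purpose is no longer accepted. The `ConsentManager` class, the purpose identifiers and the in-memory cookie jar standing in for `document.cookie` are all assumptions made for the example; the exempt purposes mirror the categories the article lists (authentication, shopping cart, user-interface customisation).

```javascript
// Added example (not from the article or the CNIL). The cookie jar is an
// in-memory stand-in for document.cookie so the logic runs outside a browser.

// Purposes the article lists as exempt from consent (assumed identifiers).
const EXEMPT_PURPOSES = new Set(["authentication", "shopping_cart", "ui_preferences"]);

class ConsentManager {
  constructor(purposes, now = () => Date.now()) {
    // purposes: list of {id, description} presented to the user, one toggle each,
    // so no purpose is bundled into another one's consent.
    this.purposes = purposes;
    this.now = now;
    this.decision = null; // stays null until the user takes an affirmative action
    this.jar = new Map(); // cookie name -> {value, purpose}
    this.log = []; // consent records kept to demonstrate consent later
  }

  // Gate for anything that wants to set a cookie. Non-exempt cookies are refused
  // (not queued) unless the user has explicitly accepted their purpose.
  setCookie(name, value, purpose) {
    if (EXEMPT_PURPOSES.has(purpose) || this.isAccepted(purpose)) {
      this.jar.set(name, { value, purpose });
      return true;
    }
    return false;
  }

  isAccepted(purpose) {
    return this.decision !== null && this.decision.accepted.has(purpose);
  }

  // "Continued browsing" events deliberately never touch this.decision.
  onScroll() {}
  onNavigate() {}

  // Affirmative actions. Accepting and refusing everything are both one click,
  // so refusal is not harder than acceptance; acceptSome carries the per-purpose choice.
  acceptAll() { return this.record(this.purposes.map((p) => p.id)); }
  refuseAll() { return this.record([]); }
  acceptSome(ids) { return this.record(ids); }
  withdraw() { return this.refuseAll(); }

  record(acceptedIds) {
    const known = new Set(this.purposes.map((p) => p.id));
    const accepted = new Set(acceptedIds.filter((id) => known.has(id)));
    this.decision = { accepted, at: this.now() };
    // Consent record: what was shown, what was accepted, and when.
    this.log.push({
      at: this.decision.at,
      purposes_shown: [...known],
      accepted: [...accepted],
    });
    // Withdrawal or narrowing of consent: drop cookies whose purpose is no longer accepted.
    for (const [name, c] of this.jar) {
      if (!EXEMPT_PURPOSES.has(c.purpose) && !accepted.has(c.purpose)) this.jar.delete(name);
    }
    return this.decision;
  }
}

// Walk through one visit: browsing before any choice, a partial acceptance, then withdrawal.
// Purpose ids, cookie names and the fixed timestamp are constructed for the example.
function runScenario() {
  const cm = new ConsentManager(
    [
      { id: "analytics", description: "Audience measurement beyond performance tuning" },
      { id: "ads", description: "Personalised advertising" },
    ],
    () => 1603324800000
  );
  cm.onScroll();
  cm.onNavigate();
  const exemptBeforeChoice = cm.setCookie("session", "abc", "authentication"); // true
  const adsBeforeChoice = cm.setCookie("ad_id", "xyz", "ads"); // false: no consent yet
  cm.acceptSome(["analytics"]);
  const analyticsAfterChoice = cm.setCookie("_stats", "1", "analytics"); // true
  const adsAfterChoice = cm.setCookie("ad_id", "xyz", "ads"); // false: purpose not accepted
  cm.withdraw();
  return {
    exemptBeforeChoice,
    adsBeforeChoice,
    analyticsAfterChoice,
    adsAfterChoice,
    remaining: [...cm.jar.keys()], // only the exempt session cookie survives withdrawal
    records: cm.log.length, // one record per decision: acceptSome, then withdraw
  };
}
```

The point a reviewer would check in a real banner is the same one `setCookie` enforces: nothing in the page can write a consent-dependent cookie by a path that bypasses the gate, and the consent log survives long enough to answer a regulator's request to demonstrate the consent obtained.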
Exemptions from consent
Consent is not required for cookies (i) whose exclusive purpose is to enable or facilitate electronic communications or (ii) which are strictly necessary for the provision of online communication services requested by users (the "Exempted Categories").
The CNIL gives examples of cookies for which consent is not required, such as cookies used for authentication, shopping carts, customization of a user interface (e.g. choice of language), audience measurement (where exclusively aiming at enhancing performance of the website).
Advertising professionals have sought an extension of the list of exempted cookies, for instance to cover 'capping cookies' (cookies aimed at avoiding the repetition of an advertisement to the same user), cookies for personalisation of editorial content and cookies used to fight money laundering. However, the CNIL rejected these requests, on the ground that such cookies would not fall within the scope of the Exempted Categories.
Cookies and data protection
The CNIL recalls that where personal data are processed when using cookies, GDPR and other applicable data protection rules have to be complied with.
Among others, the roles of the relevant stakeholders (e.g. website publishers, advertising sales agencies, social networks) have to be determined and their relationships have to be framed as appropriate (e.g. through controller-to-processor or joint-controller arrangements).
CNIL's enforcement strategy
The CNIL indicates that organisations benefit from a six-month 'grace period' to comply with the new guidelines, i.e. until March 2021.
In the meantime, the CNIL will:
- Favour pedagogy, taking into account the operational difficulties encountered by stakeholders while they make their best efforts to comply with the guidelines.
- Pursue serious privacy violations and breaches of the cookie rules that already applied before the entry into force of the GDPR (e.g. provision of information on the cookies used, the ability to reject cookies, the obligation to obtain consent for the majority of cookie categories).
CNIL's approach is welcome, as it clarifies the effect of the GDPR on the cookie environment in a pragmatic manner, notably with concrete recommendations to help marketing professionals address these new requirements – building bridges between privacy professionals and the marketing community has proven fundamental when deploying the GDPR.
That said, with the development of national doctrines, the risk of fragmentation of the cookie legal regime across the EU remains, pending adoption of the ePrivacy regulation.