Cookies and other trackers: French supervisor publishes amended guidelines & recommendations

Oct 8, 2020 12:00:00 AM | Cookies Cookies and other trackers: French supervisor publishes amended guidelines & recommendations

France's data protection supervisor, the Commission nationale de l'informatique et des libertés, (CNIL) announced on 1 October it’s amended guidelines on cookies and other trackers (‘trackers’) and it’s final non-binding recommendations. The CNIL amended it’s guideline after the French Council of State, the Conseil d’État, determined the ban on cookie walls in the previous version (dated 4 July 2019) was not valid. Publication of the guidelines and recommendations is highly relevant for organisations having an online presence in France, or whose websites are accessible in France.


Amended Guidelines 

The Guidelines are considered prescriptive as they explain already applicable rules such as the GDPR and ePrivacy directive. Organisations should have compliant practices by the end of March 2021 at the latest, while taking into account any operational difficulties.
Amongst other things, the amended guidelines contain the following: 

  • Information
Before consenting, individuals must be clearly informed of:

the purposes of the trackers

the consequences of an acceptance or rejection of trackers

the identity of all actors using trackers subject to consent

  • Website navigation
Individuals must consent to the deposit of cookies by a clear affirmative action (such as clicking on "I accept" on a cookie banner). Navigating a web page can not be considered as a valid expression of consent.
  • Essential cookies
If individuals do not consent to trackers via an affirmative action, only trackers essential for the operation of the service can be placed on their device.
The CNIL provided for some examples of essential trackers:

trackers intended for authentication with a service

those intended for storing the content of a shopping cart on a merchant’s site

trackers intended to generate traffic statistics

those allowing paid sites to limit free access

  • Refusal & Opt-out

    Refusing trackers should be as easy as accepting them. individuals should be able to withdraw their consent easily and at any time.
  • Proof of Consent

    Organisations using trackers must be able to provide, at any time, proof of the valid collection of the freely given, specific, informed and unambiguous consent of the user.
  • Cookie Walls

    The blocking of content for individuals who have not consented to trackers, are not banned, but are likely to undermine the freedom of individuals to consent. The question if  consent can be freely given and the cookie-wall is lawful must be assessed on a case-by-case basis.

In the data-driven world of today, businesses can just about only make informed decisions based on real traffic numbers. For a long time, it was unclear if consent was required for these trackers, some organisations requiring consent on their website, while some do not. It is therefore especially interesting that the CNIL regards trackers intended to generate traffic statistics as being essential and not requiring consent, albeit the CNIL only has jurisdiction in France of course. It is therefore interesting to see if other national supervisors will follow the CNIL, which seems to become the supervisor to follow after Brexit will remove the UK’s ICO from the EU-wide EDPB.

Recommendations

In addition, the Recommendations include practical information and examples concerning:

  • Providing information to individuals before obtaining their consent
  • The interface for refusing or withdrawing consent
  • The proof of consent
  • Operations exempt from the requirement of consent
  • Measures to ensure the transparent use of online trackers 

Concerning the interface, the CNIL recommends that consent banners not only include an “accept all” button but also a “refuse all” button. It remains to be seen if this isn’t already required by requiring that refusing trackers should be as easy as accepting them, since the “accept all” button is generally included and marks the lowest effort for consent that needs to be matched.

The CNIL further suggests that websites, which generally retain the consent to trackers for a certain period of time, also keep their refusal for a certain period, so as not to question the user again each visit.

In addition, so that the user is fully aware of the scope of his consent, the CNIL recommends that, when trackers allow monitoring on sites other than the site visited, consent be collected on each of the sites monitored. 

Resources (only in French)

  • Press release here
  • Amended Guidelines here 
  • Recommendation here 
  • FAQs here 
  • Guidance on the evolution of the rules on cookies here 
  • Guidance on bringing websites into compliance with the rules on cookies and trackers here
  • Guidance on obtaining information on the navigation of internet users here

 

Keep informed!

Sign up for the Weekly  Privacy and Security Digest now.