France's data protection supervisor, the Commission nationale de l'informatique et des libertés, (CNIL) announced on 1 October it’s amended guidelines on cookies and other trackers (‘trackers’) and it’s final non-binding recommendations. The CNIL amended it’s guideline after the French Council of State, the Conseil d’État, determined the ban on cookie walls in the previous version (dated 4 July 2019) was not valid. Publication of the guidelines and recommendations is highly relevant for organisations having an online presence in France, or whose websites are accessible in France.
The Guidelines are considered prescriptive as they explain already applicable rules such as the GDPR and ePrivacy directive. Organisations should have compliant practices by the end of March 2021 at the latest, while taking into account any operational difficulties.
Amongst other things, the amended guidelines contain the following:
• the purposes of the trackers
• the consequences of an acceptance or rejection of trackers
• the identity of all actors using trackers subject to consent
- Website navigation
- Essential cookies
The CNIL provided for some examples of essential trackers:
• trackers intended for authentication with a service
• those intended for storing the content of a shopping cart on a merchant’s site
• trackers intended to generate traffic statistics
• those allowing paid sites to limit free access
- Refusal & Opt-out
Refusing trackers should be as easy as accepting them. individuals should be able to withdraw their consent easily and at any time.
- Proof of Consent
Organisations using trackers must be able to provide, at any time, proof of the valid collection of the freely given, specific, informed and unambiguous consent of the user.
- Cookie Walls
The blocking of content for individuals who have not consented to trackers, are not banned, but are likely to undermine the freedom of individuals to consent. The question if consent can be freely given and the cookie-wall is lawful must be assessed on a case-by-case basis.
In the data-driven world of today, businesses can just about only make informed decisions based on real traffic numbers. For a long time, it was unclear if consent was required for these trackers, some organisations requiring consent on their website, while some do not. It is therefore especially interesting that the CNIL regards trackers intended to generate traffic statistics as being essential and not requiring consent, albeit the CNIL only has jurisdiction in France of course. It is therefore interesting to see if other national supervisors will follow the CNIL, which seems to become the supervisor to follow after Brexit will remove the UK’s ICO from the EU-wide EDPB.
In addition, the Recommendations include practical information and examples concerning:
- Providing information to individuals before obtaining their consent
- The interface for refusing or withdrawing consent
- The proof of consent
- Operations exempt from the requirement of consent
- Measures to ensure the transparent use of online trackers
Concerning the interface, the CNIL recommends that consent banners not only include an “accept all” button but also a “refuse all” button. It remains to be seen if this isn’t already required by requiring that refusing trackers should be as easy as accepting them, since the “accept all” button is generally included and marks the lowest effort for consent that needs to be matched.
The CNIL further suggests that websites, which generally retain the consent to trackers for a certain period of time, also keep their refusal for a certain period, so as not to question the user again each visit.
In addition, so that the user is fully aware of the scope of his consent, the CNIL recommends that, when trackers allow monitoring on sites other than the site visited, consent be collected on each of the sites monitored.
Resources (only in French)
- Press release here
- Amended Guidelines here
- Recommendation here
- FAQs here
- Guidance on the evolution of the rules on cookies here
- Guidance on bringing websites into compliance with the rules on cookies and trackers here
- Guidance on obtaining information on the navigation of internet users here