France's data protection supervisor, the Commission nationale de l'informatique et des libertés, (CNIL) announced on 1 October it’s amended guidelines on cookies and other trackers (‘trackers’) and it’s final non-binding recommendations. The CNIL amended it’s guideline after the French Council of State, the Conseil d’État, determined the ban on cookie walls in the previous version (dated 4 July 2019) was not valid. Publication of the guidelines and recommendations is highly relevant for organisations having an online presence in France, or whose websites are accessible in France.
Amended Guidelines
The Guidelines are considered prescriptive as they explain already applicable rules such as the GDPR and ePrivacy directive. Organisations should have compliant practices by the end of March 2021 at the latest, while taking into account any operational difficulties.
Amongst other things, the amended guidelines contain the following:
• the purposes of the trackers
• the consequences of an acceptance or rejection of trackers
• the identity of all actors using trackers subject to consent
• trackers intended for authentication with a service
• those intended for storing the content of a shopping cart on a merchant’s site
• trackers intended to generate traffic statistics
• those allowing paid sites to limit free access
In the data-driven world of today, businesses can just about only make informed decisions based on real traffic numbers. For a long time, it was unclear if consent was required for these trackers, some organisations requiring consent on their website, while some do not. It is therefore especially interesting that the CNIL regards trackers intended to generate traffic statistics as being essential and not requiring consent, albeit the CNIL only has jurisdiction in France of course. It is therefore interesting to see if other national supervisors will follow the CNIL, which seems to become the supervisor to follow after Brexit will remove the UK’s ICO from the EU-wide EDPB.
Recommendations
In addition, the Recommendations include practical information and examples concerning:
Concerning the interface, the CNIL recommends that consent banners not only include an “accept all” button but also a “refuse all” button. It remains to be seen if this isn’t already required by requiring that refusing trackers should be as easy as accepting them, since the “accept all” button is generally included and marks the lowest effort for consent that needs to be matched.
The CNIL further suggests that websites, which generally retain the consent to trackers for a certain period of time, also keep their refusal for a certain period, so as not to question the user again each visit.
In addition, so that the user is fully aware of the scope of his consent, the CNIL recommends that, when trackers allow monitoring on sites other than the site visited, consent be collected on each of the sites monitored.
Resources (only in French)