Currently, the tracking of internet users across sites and devices heavily relies on “third party cookies”, i.e., cookies placed from third-party domains that are called upon by the different websites or apps visited by the internet users. However, the future of third-party cookies is becoming more and more uncertain, notably considering that the main web browsers – Google Chrome, Mozilla Firefox and Apple Safari – have all started to block third-party cookies by default or have announced their plan to do so in the future. On the other hand, the end of third-party cookies does not mean the end of cross site and device tracking, as various substitute technologies exist or are being developed. In a communication published by the CNIL on 13 October 2021, the French Data Protection Authority presents these different technologies and gives its view on the data protection and e-privacy rules that apply to them.

In this communication, the CNIL describes five main technologies that, together, may eventually replace third-party cookies: 

  1. Fingerprinting: This technology allows to uniquely identify a user on a website or mobile application by using the technical characteristics of his/her device and browser. 
  2. CNAME cloaking: This technology relies on subdomain delegation and allows actors who set third-party cookies to evade browser blocking by using data from internal cookies. 
  3. Single Sign-On: With single sign-on (SSO), users can simply and quickly connect to a large number of sites, applications or services through a single user account and a single authentication. It can be used to give the provider of the SSO, as well as the group of sites or services that rely on the same SSO a global and consolidated vision of the user’s navigation.
  4. Unique Identifier: Other unique identifiers than cookie IDs can be created, notably from the email address or another identifier used by a same person to connect to various services. A same user can therefore be linked to these various services based on this unique identifier. 
  5. Cohort-based ad targeting: This technology avoids targeting at the individual level by creating a group of individuals with similar characteristics (center of interests, etc.), which will be identified by a unique and persistent identifier shared by all the users of the same cohort and managed at the level of the browser or the operating system. Apple and Google - through its Privacy Sandbox - are currently promoting this solution.

It is worth noting that all these technologies are not new and have been in existence for some time. However, they have not been used as extensively as third-party cookies to track users across sites and devices. 

From a legal standpoint, the CNIL notes that these technologies rely on the storage of and access to information in the terminals of internet users – to the exception of the Single Sign-On technology which the CNIL seems to have overlooked in its analysis. For example, fingerprinting implies accessing to the terminals’ settings and characteristics and cohort-based ad targeting still requires storing an identifier – although not unique – in the terminals of users in the same cohort. 

The CNIL considers that the e-Privacy rules that apply to the use of cookies also apply to the use of these technologies. In particular, the CNIL concludes that users must be able to consent freely and in an informed manner to be tracked – through these technologies – for advertising purpose, and, in the alternative, must be able to refuse such tracking. The guidelines and recommendation of the CNIL on “cookies and other tracers” therefore also apply to the use of these techniques.

This conclusion is consistent with the CNIL’s past positions on cookies and other tracking technologies. Indeed, the authority always made clear that the law, as well as its guidelines and practical recommendations, were not limited to the use of “cookies” in the strict sense, even if this word is often used to designate all technologies that rely on the storage of and access to information in the terminals of internet users.

This communication clearly suggests that the CNIL will not be more permissive in its approach to these alternative tracking technologies.