On 19 July the French Data Protection Authority (the “CNIL”) published new guidelines on cookies and trackers. These replace the existing Recommendation No. 2013-378 of 5 December 2013, are intended to be in line with relevant GDPR provisions and have been produced in anticipation of the future ePrivacy Regulation. The guidelines will be supplemented, at a later stage, with sectoral recommendations setting out practical methods for obtaining consent. These sectoral recommendations will be included in a final version of the guidelines on cookies and trackers open for public consultation, which will then be subject to final adoption by the CNIL (expected early 2020).

The new guidelines confirm that continuing to browse a website after its cookie banner is displayed will no longer be considered to be valid consent for cookie use in France. Operators that use cookies and trackers will have to be able to prove that they have obtained explicit consent from the user. Enforcement of the guidelines will, however, be delayed for around a year (see the Grace Period provision below).

The Scope of the Guidelines

The new guidelines apply to all types of operations involving cookies and trackers on any type of device, including smartphones, computers, connected vehicles and any other object connected to a telecommunications network open to the public.

Giving Consent – no more soft opt-in

The guidelines clarify that cookies and trackers cannot be used until the user has expressed his or her freely given, specific, informed and unambiguous consent. In order to be validly obtained, consent must fulfil the following conditions:

  • Freely Given: The user should not suffer any major inconvenience if they refuse to give or withdraw their consent. The practice of blocking access to a website or a mobile application unless consent is provided does not comply with the GDPR.
  • Specific: The user must give his or her consent specifically for each distinct purpose. Blanket acceptance of general terms and conditions of use does not constitute valid consent.
  • Informed: Information provided to users must be clearly and simply written, enabling users to be fully informed about the different purposes of the cookies and/or trackers used. The information must be complete and conspicuously visible at the time of obtaining consent. If information is necessary for informed decision-making, it should not only be provided in terms and conditions.
  • Unambiguous: Consent should require a positive action to opt in. Merely continuing to browse a website, use a mobile application or scroll down the page of a website or a mobile application can no longer be considered as valid consent. Similarly, the use of pre-checked boxes and/or the blanket acceptance of terms and conditions cannot be considered valid consent.
  • Auditable: All organizations that use cookies and trackers must implement appropriate mechanisms that allow them to demonstrate, at all times, that they have validly obtained consent from users.
  • Revocable: Users should be able to withdraw their consent at any time. User-friendly solutions must therefore be implemented to allow users to withdraw their consent as easily as they have given it.

Operators’ Roles and Responsibilities

An operator using cookies and trackers is considered to be a controller and is therefore fully responsible for obtaining valid consent. Third parties using cookies and trackers are independently responsible for obtaining valid consent.

Where the use of cookies and trackers involves several operators, those operators can be considered separate controllers, joint controllers or processors. An operator is considered a joint controller when it jointly, along with one or more other operator(s) (also acting as controller(s)), determines the purposes and means of processing. Under Article 26 GDPR, joint controllers are required to establish their respective compliance obligations in a transparent manner and to enter into an arrangement (a contract) about it. The CNIL’s new guidelines specifically refer to Article 26, and state that this requirement applies, in particular, to the collection and demonstration of valid consent. An operator is considered a processor when it uses cookies and trackers exclusively on behalf of the controller and does not use the collected data for its own purposes.

Exemptions

The guidelines do not require prior consent:

  • when a publisher of a website or an application uses cookies and/or trackers to measure traffic or test different versions of the site or application;
  • when cookies or trackers are used exclusively to facilitate communication by electronic means; or
  • when the use of cookies or trackers is strictly necessary to provide an electronic communication service specifically requested by the user.

Users must, however, still be informed about the existence of such cookies or trackers and their purpose.

Grace Period

Operators have six months from the publication of the CNIL’s final guidelines (expected at the beginning of next year) to comply with the new rules. Notwithstanding this grace period, however, the CNIL will continue to monitor and enforce compliance with existing and unchanged data protection rules.