The Information Commissioner’s Office or the “ICO” is the British supervisory authority charged with enforcing GDPR. The Commission Nationale de l’Informatique et des Libertés (the “CNIL”) is the French supervisory authority. Both authorities have recently published guidance on the use of cookies under GDPR and the ePrivacy Directive—specifically, the ICO published its guidance on July 3 and the CNIL published its final guidance on July 18 of this year.1 Although each guidance interprets essentially the same regulatory framework, there are meaningful differences between them. Below is a brief summary of some of the most noteworthy divergences:

  • Enforcement: Perhaps the most noteworthy difference is the “grace period” put in place by the CNIL. While the ICO’s guidance is effective and enforceable immediately, the CNIL has stated that companies are expected to comply within six months “after the publication of the future recommendation.” This “future recommendation” has yet to be published.2
  • Analytic Cookies: The ICO has taken the position that analytics cookies must always be “consented”—that is, such cookies cannot be deployed unless and until a data subject has opted-in to their use. The CNIL has adopted a more nuanced position, and has laid out specific requirements for permissible use of analytic cookies even where the data subject does not consent, subject to certain conditions.
  • Cookie Walls: Cookie walls have now been the subject of guidance from three separate supervisory authorities. Dutch authorities previously indicated that so-called “cookie walls,” which prevent full engagement with a site unless all cookies are accepted, were not compliant. The CNIL has agreed, indicating that cookie walls that cause data subjects to suffer adverse consequences are not compliant. The ICO’s guidance in this regard was somewhat more equivocal, stating that a wall is “unlikely to be valid” but suggesting that a balancing test may be possible.3
  • Duration of Cookies Following Acceptance: The CNIL has identified specific periods of time by which certain cookies must be “re-consented” or deleted. The ICO has stated that the lifespan of cookies must be “proportionate in relation to your intended outcome; and limited to what is necessary to achieve your purpose.”4