The French data protection authority (the “CNIL”) published for public comments its draft of practical recommendations on how organizations should obtain the consent of data subjects for processing their information through cookies.

The draft contains practical examples for websites and apps owners and operators on the proper procedures for obtaining data subject consent to cookies. These include presenting the information in a layered format and notifying the individual of any third party who may be involved in the processing. The CNIL says that the full information about the third parties can be provided in a secondary layer of the user interface, but that data subjects should be notified of the involvement of third parties at the initial layer of the notice presented to them.

The CNIL also states that consent should be explicit and active. The data subject shall be able to granularly consent to or decline cookies for particular purposes. Having merely general consent or refusal to all cookies and purposes does not suffice. In addition, the interface for managing consent must be available at all times throughout the user’s session on the website, to allow the data subject to withdraw a previously given consent.

CLICK HERE for the CNIL cookie consent recommendations (in French).