Despite the aim of European data protection regulations (mainly GDPR and the e-Privacy Directive) to provide standardized privacy rules across the EU, there are still some major differences in the approach of the data protection authorities (DPAs) across Member States. This was recently illustrated by the French, Spanish, German and British DPAs issuing their respective updated guidelines relating to cookies and tracking devices. These guidelines were adopted in light of the strengthened consent requirements set out by the GDPR and the European Data Protection Board (EDPB) guidelines on consent, but differ in the interpretation of the rules laid out by the GDPR.
On June 28, 2019, France's DPA (CNIL) announced its plan of action for targeted online advertising for the year 2019-2020. In accordance with this plan, on July 4, the CNIL adopted new guidelines on cookies (Guidelines), repealing and replacing its guidelines of 2013. These Guidelines were supplemented, on January 14, 2020, by a new draft recommendation adopted after consultation with CNIL officials and stakeholders of the adtech ecosystem (Draft Recommendation).
The CNIL's plan of action: Guidelines and public consultation on the Draft Recommendation
The Guidelines underlined the requirements to obtain a freely given, specific, informed and unambiguous consent from users, while the Draft Recommendation aims at providing practical recommendations on how to implement the Guidelines and the applicable regulation in practice. The Draft Recommendation remains subject to a public consultation until February 25, 2020 and could thus still be amended.
The key points of the Guidelines and the Draft Recommendation may be summarized as follows:
• On specific and informed consent: users should be informed of each purpose of the cookies and be able to consent independently for each purpose. Such information should be given prior to collecting consent, and should also include the identity of all data controllers and the right to withdraw consent. In the Draft Recommendation, the CNIL recommends a two-layer approach: a first layer should briefly list the applicable purposes and a second layer should supplement the first one by providing a more detailed description (a drop-down button or hyperlink could link both layers together). The second layer of information should include an exhaustive and up-to-date list of all data controllers. If this list is substantially supplemented, the consent of the user should be renewed. For insubstantial changes, making available an updated list via a permanent, easily accessible link is sufficient. Users should also be informed of the extent to which the data controller may use the implemented cookies to follow their navigation on other sites or applications. For consent to be valid on other sites or applications, the list of all such sites and applications must be made accessible to the users (possibly via a link on the first layer of information).
• On unambiguous consent: contrary to the previous guidelines, merely continuing to browse a website or a mobile app, or scrolling down the page of a site or a mobile app, can no longer be considered valid consent. The Draft Recommendation advises that the consent and the refusal mechanisms be placed at the same level and presented in the same manner, either via two buttons (e.g., "accept" / "refuse"), two checkboxes (not pre-checked) or equivalents such as "on"/"off" sliders that should be deactivated by default. Users can also be offered the possibility to delay that choice by clicking on the X button of the banner – in such case, consent is not given and no cookies subject to consent should be set.
• On proof of consent: pursuant to the Guidelines, organizations using trackers must implement mechanisms that allow them to demonstrate, at any time, that they have obtained valid consent. In order to do so, controllers may (1) place the computer code they use under escrow with a third party, (2) preserve a screenshot of the visual rendering of a mobile or desktop terminal for each version of the website or application, or (3) conduct regular audits of the system used to collect consent.
• On cookies that do not require consent: an extensive list of trackers that do not require consent is provided by the Draft Recommendation. It includes trackers: (1) retaining the expressed choice of the user on the tracker repository, (2) allowing the user to be authenticated by a service, (3) designed to store the contents of a shopping cart, (4) allowing users to customize the website's interface (e.g. language), (5) enabling the load balancing of equipment involved in a communication service, (6) allowing sites to limit free access to their content, and (7) allowing audience measurement (analytic cookies – under very specific conditions stated by Article 5 of the Guidelines).
• On retention period: where the previous guidelines allowed the retention of a cookie on a user's device for a maximum period of 13 months, the new Draft Recommendation states that consent must be renewed at appropriate intervals of time without waiting for the user to withdraw consent. The Draft Recommendation states that a six-month interval from the expression of the user's choice should be considered adequate.
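The key points above describe consent-state rules rather than code, so the following is an added example (written for this page, not code from the CNIL or from the article) showing how a site's consent gate can enforce them in one place: nothing subject to consent is set until the user makes a choice, each purpose is consented to separately, closing the banner records no choice, consent lapses after the six-month interval the Draft Recommendation calls adequate, consent is re-asked when the controller list has been substantially supplemented, and the exempt tracker categories are always allowed. The purpose names, the `controllersVersion` field and the approximation of six months as 182 days are assumptions made for the example.

```javascript
// Added example, not the CNIL's or the article's code. Purpose names,
// the controllersVersion counter and the 182-day approximation of
// "six months" are assumptions made for illustration.

const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // assumption: ~6 months

// Tracker categories the Draft Recommendation lists as not requiring consent.
const EXEMPT_PURPOSES = new Set([
  'consent-storage',          // retaining the user's expressed choice
  'authentication',           // authenticating the user to a service
  'shopping-cart',            // storing the contents of a shopping cart
  'interface-customisation',  // e.g. language preference
  'load-balancing',           // load balancing of service equipment
  'paywall',                  // limiting free access to content
]);

// Purposes the site must ask about (constructed sample list).
const CONSENT_PURPOSES = ['advertising', 'social-media', 'personalisation'];

// Initial state: every choice unset, like unchecked boxes / "off" sliders.
function newConsentState() {
  return { choices: {}, decidedAt: null, controllersVersion: null };
}

// The user acts on "accept"/"refuse" controls. Any purpose not explicitly
// set to true is recorded as refused, so there is no implicit consent.
function recordChoice(decisions, now, controllersVersion) {
  const choices = {};
  for (const purpose of CONSENT_PURPOSES) {
    choices[purpose] = decisions[purpose] === true;
  }
  return { choices, decidedAt: now, controllersVersion };
}

// The user closes the banner with the X: no choice is recorded, so the
// state is identical to never having been asked.
function dismissBanner() {
  return newConsentState();
}

// Consent is stale once the six-month interval has elapsed (or was never given).
function consentExpired(state, now) {
  return state.decidedAt === null || now - state.decidedAt >= SIX_MONTHS_MS;
}

// Consent must be collected again when it has expired or when the list of
// controllers shown at the time of the choice has been substantially
// supplemented since (tracked here by a version number).
function needsRenewal(state, now, currentControllersVersion) {
  return consentExpired(state, now) ||
         state.controllersVersion !== currentControllersVersion;
}

// Central gate: may a tracker serving this purpose be set right now?
function maySetTracker(state, purpose, now, currentControllersVersion) {
  if (EXEMPT_PURPOSES.has(purpose)) return true;          // no consent needed
  if (!CONSENT_PURPOSES.includes(purpose)) return false;   // unknown purpose: deny
  if (needsRenewal(state, now, currentControllersVersion)) return false;
  return state.choices[purpose] === true;                  // per-purpose opt-in
}

// Worked walk-through with constructed timestamps.
const t0 = Date.UTC(2020, 0, 14);
let state = newConsentState();
console.log(maySetTracker(state, 'advertising', t0, 1));     // false: no choice yet
console.log(maySetTracker(state, 'shopping-cart', t0, 1));   // true: exempt
state = recordChoice({ advertising: true }, t0, 1);
console.log(maySetTracker(state, 'advertising', t0 + 1, 1)); // true: opted in
console.log(maySetTracker(state, 'social-media', t0 + 1, 1)); // false: not ticked
console.log(maySetTracker(state, 'advertising', t0 + SIX_MONTHS_MS, 1)); // false: expired
```

The single `maySetTracker` gate is the point: every script that would drop a non-exempt cookie calls it, so a refusal, a dismissed banner, a lapsed interval or a changed controller list all fail closed, and the decision record (`decidedAt`, `choices`, `controllersVersion`) is what an audit of the consent mechanism would inspect.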
A challenged transition period
The CNIL granted a transition period of 12 months following the publication of its new Guidelines, i.e. until July 2020, to allow organizations some time to modify their websites. During this transition period, continued browsing of a website or app as an expression of consent is still considered by the CNIL as acceptable. Nevertheless, the CNIL expressly stated that all obligations that have not been modified by the Guidelines could still be subject to corrective measures during such transition period.
The adoption of this transition period was challenged before the Conseil d'Etat (the French Administrative High Court) by two personal data protection associations, which considered it as an infringement to the provisions of the GDPR. However, on October 16, 2019, the Conseil d'Etat rejected their claim on the grounds of the broad discretion of the CNIL, in particular in exercising its power to impose sanctions, and the fact that this transition period ultimately contributes to the compliance of all sites using advertising cookies.
Comparison with cookies guidelines from other countries' DPAs
While the CNIL takes the view that some types of cookies do not always require consent from users, the Information Commissioner's Office (ICO) departs from that view and considers that no exceptions are available to the cookie consent rule. Moreover, while the CNIL allows for a transition period to comply with the new Draft Recommendation, the ICO's and the German DPAs' guidelines have applied since their publication.
The Spanish DPA issued a recent recommendation that contradicts the CNIL's position, insofar as it indicated that users can grant their consent by continuing to browse a website after adequate notice has been given. Indeed, the Spanish DPA considers that if continued browsing is used as a means of obtaining consent, a button should be included on the panel so as to refuse all cookies at once, in order to comply with the requirement according to which "it shall be as easy to withdraw as to give consent". The mere navigation to a different section of the website, the action of scrolling down or closing the first warning layer, or the action of clicking on any content of the service will be considered as valid consent. The Spanish DPA further contrasts with the CNIL's position insofar as the former considers that the validity of the consent given by a user for the use of a specific cookie shall not exceed 24 months.
While organizations are still waiting for the CNIL's final recommendation relating to the operational aspects of the collection of consent, these meaningful differences between DPAs' approaches make it complex for organizations to build a global compliance approach to cookies. This complexity is accentuated by the legal uncertainty arising from the inability of Member States to reach a consensus on the ePrivacy Regulation proposal. The ePrivacy Regulation was supposed to introduce new rules about cookies, direct marketing, and business-to-business communications at the same time the GDPR was enacted, but failed to be adopted and will finally be sent back to the European Commission for a revised ePrivacy proposal to be drafted.