When is consent needed ?
The CNIL’s guidance confirms that the reference to ‘cookies’ in the legislation must be given a broad interpretation to encompass all tracing technologies. The guidance also confirms that the legislation applies to all cookies stored or read, including whilst surfing on a website, reading an email or installing or using software or a mobile app, whatever the operating system, the navigation or the terminal used.
The guidance confirms that prior user consent is generally required for cookie use and in particular for:
- cookies related to targeted advertisements;
- tracing cookies created by social networks, such as sharing buttons; and
- certain audience measuring cookies (such as those for Google analytics).
The guidance clarifies that some cookies, however, are exempt from the obligation of prior consent, specifically:
- cookies that are strictly necessary for surfing or the provision of an online communication service expressly requested by the user (the guidance gives a list of examples); and
- certain audience measuring cookies, that comply with the CNIL specifications.
User consent must be freely given. That is, users must not be denied a right to use a service because they have not consented to cookie use.
How to obtain consent
The CNIL recommends a two -step approach to obtaining consent:
- Firstly: the website must have a banner on the home page that complies with the CNIL recommendations;
- Secondly: the user must be informed in a simple and intelligible way (on a dedicated page) of how they may consent or refuse to all or some of the cookies.
The information must be clear and set out full details about each type of cookie used on the site and the reasons why each cookie is used.
Who is affected?
The CNIL recommends that the validity period for the consent to the storing of cookies is thirteen months, at most. After this time, further consent must be sought. Therefore, all cookies must have a maximum life span of thirteen months after first installation.
All businesses using cookies must familiarise themselves with this new guidance and fine tune their arrangements on cookie use to ensure compliance with the guidance, or risk sanctions from the CNIL.