What is CNIL?
The CNIL, Commission Nationale Informatique & Libertés, is the French Data Protection Agency that operates in accordance with the French Data Protection Act, 1978 and its Amendment of June 2018. The French legislation aligns with GDPR, but also provides specific provisions based on GDPR’s clauses permitting EU member states to enact national legislations.
CNIL has power to enforce all the data protection laws in France, which means they enforce:
- French Data Protection Act
- ePrivacy Directive
CNIL published data protection guidelines in order to clarify the subject matter and help businesses comply easily. The cookie guidelines are one of the documents.
Why did CNIL issue new guidelines?
In light of the strengthened GDPR requirements, the CNIL published guidelines on cookies and similar technologies in 2019. The guidelines banned the use of cookie walls in France which led to several industry associations to challenge the ban.
Due to this annulment CNIL decided to publish a revised version of the guidelines in October, 2020. CNIL also announced that data controllers have to comply with new guidelines in six months i.e. by the end of March 2021.
Who does CNIL guidelines apply to?
The territorial scope of CNIL enforcement relates to cookies that have been placed on the devices of users residing in France or French territories. Essentially, it applies to organizations:
- Based in France and French territories overseas
- That collects and/or processes personal data of citizens and residents of France and French territories overseas
The guidelines and the recommendation concern both private and public organizations who are subject to the obligations of the French Data Protection Act.
Non-essential cookies store information or gain access to information stored in a user’s device. They include cookies that analyze user behaviour on a website (analytical cookies), cookies relating to personalized advertising (advertising cookies) and social media cookies, in particular, cookies generated by share buttons.
How do I collect consent under CNIL guidelines?
Cookie compliance and consent is fundamental to CNIL’s latest approach to data privacy. Under CNIL guidelines, consent must comply with Article 82 of the French Data Protection Act and Article 4 of the GDPR.
- Consent is specific. In order to ensure that users have a real choice to consent, websites should ask consent for each purpose independently and specifically.
- The consent is informed. Before collecting user’s consent, ensure that the information is provided in simple terms and must inform the users about:
- Identity of the data controller(s)
- Purpose of the cookies collected
- Consequences of refusing or accepting cookies
- Right to withdraw consent
- Consent is unambiguous. Allow users to give consent through an affirmative action, after they are informed about the consequences of their choice. Pre-ticked boxes are not considered an affirmative act to give consent.
What are the new CNIL guidelines on cookies?
The CNIL recommendations provide practical examples to illustrate the principles that are provided in the guidelines. Unlike the CNIL guidelines, the recommendations are non-binding and only provide for a set of best practices.
The updated guidelines on cookies and consent will mark “a turning point both for the online advertising sector and the internet users”. The major cookie and consent revisions are:
Obtain user consent
Browsing or scrolling a site by disregarding the cookie banner is no longer considered as valid consent. Users must give explicit consent, for instance by clicking on ‘I accept’ or ticking a checkbox on a cookie banner. If they do not do so, only necessary cookies and trackers can be placed by the website.
Similar to providing a clear mechanism to accept cookies, refusing cookies should also be as easy.
Provide option to withdraw consent
Users must have an easy option to withdraw their consent to cookies at any time.
Inform users about the purpose of cookies
Websites should inform users about the purpose of tracking cookies before they give consent. This information should also include the identity and roles and responsibilities of any actors (data controllers, processors, third-parties) involved.
Demonstrate proof of consent
CNIL exempts certain cookies from consent requirements, such as:
- Cookies intended for authentication with a service
- Shopping cart information cookies
- Cookies that generate traffic statistics
- Cookies that limit free access to paid websites
- Audience measurement cookies and trackers
- Customization trackers on the user's interface
- Trackers allowing load-balancing of equipment
- Cookies that store the choice expressed by users on cookie usage
Take a look at this infographic for a bird's-eye view of the CNIL cookie consent guidelines.
Does the new CNIL guidelines allow cookie walls?
The new CNIL guidelines do not prohibit the use of cookie walls. After the French Council of State repealed the cookie wall ban stated in the 2019 guidelines, the updated version does not place a ban on them.
CNIL will now assess the potential lawfulness of cookie walls on a case-by-case basis. Users should be clearly informed of the consequences of their cookie consent choices, and that they will be unable to access the website without consent. Businesses can currently go ahead with using cookie walls on their websites, but need to proceed with precaution.
What does CNIL say about third party cookies?
CNIL states that the publisher of a website or app should be qualified as the data controller and must ensure that it retains control of cookies deposited by third parties. If the third parties "act on their own behalf” they will be qualified as data controllers.
If third parties intervene to place cookies, the website owner or publisher is responsible to make sure that third parties comply with regulations and must take all necessary steps to end any potential breaches.
What are the CNIL recommendations on cookies?
CNIL recommends a set of best practices to help the professionals concerned with CNIL cookie compliance.
- For cookies which track users across multiple sites, consent should be collected at each individual site, wherever tracking happens. This will ensure that users are fully aware of the consequences of giving consent.
- The purposes of cookies and their usage and application should be indicated by a title and a brief description.
- Websites should store cookie consent information (both acceptance and refusal) for a certain period of time. This way, websites can avoid asking for consent again at every visit for a stipulated time period.
- Make the consent preference dashboard easily accessible and clearly in sight. It should be designed in such a way that it is clear when a user withdraws consent, e.g. through the use of toggles.
- Websites cannot just link browser settings for refusal of cookies. Provide users with an ‘I refuse’ button in the cookie banner itself.
- Website owners can store the data collected by cookies exempt from consent requirements up to 25 months.
What are the penalties for non-compliance?
Violating the CNIL guidelines could attract heavy penalties as directed in GDPR, ePrivacy Directive and the French Data Protection Act. There are two levels of fines under GDPR. For infringements under Article 83(4), the maximum fine is £10 million or 2% of annual global turnover. While infringements under Article 83(5) can get a maximum fine of €20 million or 4% of annual global turnover.
In December 2020 CNIL fined Google and Amazon a total amount of €135M for placing non-essential tracking cookies without user consent or notification. The basis and extent of CNIL penalties will rely on the scope of alleged breach, the size and scale of its impact, and if an organization derives profit from the alleged breach.
How to comply with new CNIL guidelines?
CNIL announced all entities must comply with the 2020 guidelines, ePrivacy Directive and GDPR within six months of its publication, i.e. by March 31, 2021. However CNIL will consider operational difficulties due to the pandemic and will prioritize compliance rather than enforcement options.
- Ensure compliance with previous CNIL and GDPR guidelines
- Identify types of cookies that require prior consent
- Assess if the non-essential cookies follow the 2020 guidelines
- Inform users about the updated policies
- Block cookies before you get consent
- Offer an easy way for your user to accept as well decline cookies
- Provide an easy way for change or withdraw consent at any point
- Document and store users’ cookie consent information
You can check all the cookies on your website for free here.
How can CookieYes help you comply with CNIL guidelines?
CookieYes offers you a cookie consent solution with cookie banners to privacy policies to automatic script blocking, all under one roof! You can achieve CNIL cookie compliance and GDPR compliance all in one place.
The features you get on CookieYes:
- Cookie banner with full customization in over 24 languages
- Automatic scanner to know all the types of cookies used
- Granular control feature to selectively enable or disable cookies
- Automatic cookie blocking prior to getting consent
- Dashboard with overview of cookies, consent and compliance
- Record and log of user consent and their cookie preferences
Sign up for free today!