CNIL: New Guidelines on Cookies

In October 2020, the CNIL published a revised version of its guidelines on cookies and similar technologies with regards to obtaining consent to use cookies or other similar technologies on users’ devices. The updated guidelines now reflect the guidelines released by the European Data Protection Board in May 2020.

The CNIL, Commission Nationale Informatique & Libertés, is the French Data Protection Agency that operates in accordance with the French Data Protection Act, 1978 and its Amendment of June 2018. The French legislation aligns with GDPR but also provides specific provisions based on GDPR’s clauses permitting EU member states to enact national legislation. 

CNIL has power to enforce all the data protection laws in France, which means they enforce:

• French Data Protection Act
• GDPR
• ePrivacy Directive

CNIL published data protection guidelines in order to clarify the subject matter and help businesses comply easily. The cookie guidelines are one of the documents.

In light of the strengthened GDPR requirements, the CNIL published guidelines on cookies and similar technologies in  2019. The guidelines banned the use of cookie walls in France which led to several industry associations to challenge the ban. 

In June 2020 French Council of State (the Conseil d’Etat) issued a decision partially revoking the guidelines. The Council annulled the provision in the Guidelines related to imposing an absolute ban on cookie walls. Cookie walls are pop-ups that prevent users from accessing a site or mobile app unless the user gives consent to the use of cookies.

Due to this annulment, CNIL decided to publish a revised version of the guidelines in October 2020. CNIL also announced that data controllers have to comply with new guidelines in six months i.e. by the end of March 2021. 

The territorial scope of CNIL enforcement relates to cookies that have been placed on the devices of users residing in France or French territories. Essentially, it applies to organizations:

• Based in France and French territories overseas
• That collects and/or processes personal data of citizens and residents of France and French territories overseas

The guidelines and the recommendation concern both private and public organizations that are subject to the obligations of the French Data Protection Act.

Yes, cookies and trackers do not always require consent. CNIL allows the use of cookies under certain provisions. If cookies are strictly necessary or essential to the functioning of your website or app, you can use them. If your business wants to use cookies that are non-essential then you must obtain the user’s consent to do so. 

Non-essential cookies store information or gain access to information stored in a user’s device. They include cookies that analyze user behaviour on a website (analytical cookies), cookies relating to personalized advertising (advertising cookies) and social media cookies, in particular, cookies generated by share buttons.

Cookie compliance and consent is fundamental to CNIL’s latest approach to data privacy. Under CNIL guidelines, consent must comply with Article 82 of the French Data Protection Act and Article 4 of the GDPR. 

• Consent is freely given. The user should have a free choice in accepting or refusing to give consent. CNIL will keep a check on whether users face any prejudice on the use of a website in case they refuse the use of cookies.

• Consent is specific. In order to ensure that users have a real choice to consent, websites should ask consent for each purpose independently and specifically.  

• The consent is informed. Before collecting user’s consent, ensure that the information is provided in simple terms and must inform the users about: 
  • Identity of the data controller(s)
  • Purpose of the cookies collected
  • Means to accept or refuse cookies
  • Consequences of refusing or accepting cookies
  • Right to withdraw consent

• Consent is unambiguous. Allow users to give consent through an affirmative action, after they are informed about the consequences of their choice. Pre-ticked boxes are not considered an affirmative act to give consent.

CNIL has adopted two documents, the  ‘guidelines’ and ‘recommendations’.

The CNIL recommendations provide practical examples to illustrate the principles that are provided in the guidelines. Unlike the CNIL guidelines, the recommendations are non-binding and only provide for a set of best practices. 

The updated guidelines on cookies and consent will mark “a turning point both for the online advertising sector and the internet users”. The major cookie and consent revisions are:

Obtain user consent

Browsing or scrolling a site by disregarding the cookie banner is no longer considered valid consent. Users must give explicit consent, for instance by clicking on ‘I accept’ or ticking a checkbox on a cookie banner. If they do not do so, only necessary cookies and trackers can be placed by the website. 

Provide option to refuse cookies

Similar to providing a clear mechanism to accept cookies, refusing cookies should also be as easy.

Provide option to withdraw consent

Users must have an easy option to withdraw their consent to cookies at any time.

Inform users about the purpose of cookies

Websites should inform users about the purpose of tracking cookies before they give consent. This information should also include the identity and roles and responsibilities of any actors (data controllers, processors, third parties) involved.

Demonstrate proof of consent

Businesses who obtain consent to use cookies, must at any time be able to provide the proof for each user consent. They should also be able to show that the consent obtained is free, informed, specific and unambiguous.

Exemptions

CNIL exempts certain cookies from consent requirements, such as:  

• Cookies intended for authentication with a service
• Shopping cart information cookies
• Cookies that generate traffic statistics 
• Cookies that limit free access to paid websites 
• Audience measurement cookies and trackers
• Customization trackers on the user’s interface
• Trackers allowing load-balancing of equipment
• Cookies that store the choice expressed by users on cookie usage

Take a look at this infographic for a bird’s-eye view of the CNIL cookie consent guidelines.

The new CNIL guidelines do not prohibit the use of cookie walls. After the French Council of State repealed the cookie wall ban stated in the 2019 guidelines, the updated version does not place a ban on them.

CNIL will now assess the potential lawfulness of cookie walls on a case-by-case basis. Users should be clearly informed of the consequences of their cookie consent choices, and that they will be unable to access the website without consent. Businesses can currently go ahead with using cookie walls on their websites but need to proceed with precaution. 

CNIL states that the publisher of a website or app should be qualified as the data controller and must ensure that it retains control of cookies deposited by third parties. If the third parties “act on their own behalf” they will be qualified as data controllers.

If third parties intervene to place cookies, the website owner or publisher is responsible to make sure that third parties comply with regulations and must take all necessary steps to end any potential breaches.

CNIL recommends a set of best practices to help the professionals concerned with CNIL cookie compliance.

• For cookies which track users across multiple sites, consent should be collected at each individual site, wherever tracking happens. This will ensure that users are fully aware of the consequences of giving consent. 

• The option to refuse cookies must have the same simplicity as giving consent. Both the guidelines and recommendations emphasise it should be easy to accept and refuse cookies. For instance, if there the consent banner has an option to ‘Accept All’ whereby users can accept all cookies in one click, there must also be a ‘Reject All’ option in equal prominence.

• The purposes of cookies and their usage and application should be indicated by a title and a brief description.

• Websites should store cookie consent information (both acceptance and refusal) for a certain period of time. This way, websites can avoid asking for consent again at every visit for a stipulated time period.

• Make the consent preference dashboard easily accessible and clearly in sight. It should be designed in such a way that it is clear when a user withdraws consent, e.g. through the use of toggles.

• Websites cannot just link browser settings for refusal of cookies. Provide users with an ‘I refuse’ button in the cookie banner itself.

• Website owners can store the data collected by cookies exempt from consent requirements up to 25 months.

Violating the CNIL guidelines could attract heavy penalties as directed in GDPR, ePrivacy Directive and the French Data Protection Act. There are two levels of fines under GDPR. For infringements under Article 83(4), the maximum fine is £10 million or 2% of annual global turnover. While infringements under Article 83(5) can get a maximum fine of €20 million or 4% of annual global turnover. 

In December 2020 CNIL fined Google and Amazon a total amount of €135M for placing non-essential tracking cookies without user consent or notification. The basis and extent of CNIL penalties will rely on the scope of alleged breach, the size and scale of its impact, and if an organization derives profit from the alleged breach.

CNIL announced all entities must comply with the 2020 guidelines, ePrivacy Directive and GDPR within six months of its publication, i.e. by March 31, 2021. However CNIL will consider operational difficulties due to the pandemic and will prioritize compliance rather than enforcement options.

• Ensure compliance with previous CNIL and GDPR guidelines
• Identify types of cookies that require prior consent 
• Assess if the non-essential cookies follow the 2020 guidelines
• Review and update your privacy and cookie policy
• Inform users about the updated policies
• Block cookies before you get consent
• Offer an easy way for your user to accept as well decline cookies
• Provide an easy way for change or withdraw consent at any point
• Document and store users’ cookie consent information

You can check all the cookies on your website for free here.

CookieYes offers you a cookie consent solution with cookie banners to privacy policies to automatic script blocking, all under one roof! You can achieve CNIL cookie compliance and GDPR compliance all in one place.

The features you get on CookieYes:

• Cookie banner with full customization in over 24 languages
• Automatic scanner to know all the types of cookies used 
• Granular control feature to selectively enable or disable cookies 
• Automatic cookie blocking prior to getting consent
• Custom privacy policy generator
• Dashboard with overview of cookies, consent and compliance
• Record and log of user consent and their cookie preferences

  Sign up for free today!