CNIL publishes revised guidelines on cookies and other tracking technology

CNIL cookie guidelines of 2013[1]

CNIL cookie guidelines of 2019[2]

Legal ground

Article 32-II of the French Data Protection Act

Article 82 of the amended French Data Protection Act

Scope

The Guidelines apply to HTTP cookies and other technologies that may be used for online tracking such as local shared objects also known as "flash cookies", invisible pixels or web bugs, device fingerprinting and hidden identifiers.

The term "cookie" is used generically to refer to any online tracking technology.

The Guidelines apply to HTTP cookies and other technologies that may be used for online tracking such as local shared objects also known as "flash cookies", local storage integrated within HTML 5, device fingerprinting and identifiers generated by operating systems (whether for advertising purposes or not: IDFA, IDFV, Android ID, etc.), device identifiers (MAC address, serial number or any other identifier of a device), etc.

The term "tracker" is used generically to refer to any online tracking technology.

Nature of the information that is accessed or stored on the user's device

It is not necessary for the information that is accessed or installed on the user's device to be personal data. Article 32-II of the Data Protection Act applies regardless of whether such information constitutes personal data.

The use of cookies will generally involve the processing of personal data, whether to identify directly (e.g. an email address) or more often to identify indirectly (e.g. unique cookie identifier, IP address, device identifier or component of the device, device fingerprinting, identifier generated by a software program or operating system) a user.

It is not necessary for the information that is accessed or installed on the user's device to be personal data. Article 82 of the Data Protection Act applies regardless of whether such information constitutes personal data.

Any use of trackers which involves the processing of personal data, whether to identify directly (e.g. an email address) or more often to identify indirectly (e.g. unique cookie identifier, IP address, device identifier or component of the device, device fingerprinting, identifier generated by a software program or operating system) a user must comply with the GDPR.

Types of technologies and devices concerned

The Guidelines apply to all cookies that are stored on the user's electronic device while navigating the Web, reading an email, installing or using software or a mobile application, regardless of the operating system on which the device is run, the type of web browser that is used or the type of electronic device (computer, laptop, smartphone phone or pad, connected TV, game console). 

The Guidelines apply to all types of frequently used electronic devices, such as desk computers, laptops, smartphones or pads, connected TVs, game consoles, connected vehicles, voice assistants, as well as any other object that is connected to an electronic communication network open to the public. 

These Guidelines apply regardless of the operating system, the software applications (such as web browsers) or terminal equipment that are used.

Types of cookies that require prior consent

The following cookies require prior consent:

- cookies used for targeted advertising;

- cookies used to measure the audience (unless the conditions set out below apply);

- social media cookies generated by share buttons.

Not specified.

Types of cookies that do not require prior consent

Consent is not required for cookies

- that are exclusively used to enable or facilitate electronic communications;

- that are strictly necessary to provide a service at the request of the user;

- audience measurement cookies on condition that such cookies are not merged with other types of information obtained, are used exclusively for statistical purposes and the user is informed and can object to their use.

Consent is not required for cookies

- that are exclusively used to enable or facilitate electronic communications;

- that are strictly necessary to provide a service at the request of the user.

The law also does not require organizations to enable users to opt-out from such types of trackers.

However, for the sake of transparency, organizations must inform users that they are using such types of trackers and their purposes in a privacy policy.

Valid consent of the user

Consent is defined as any "freely given, specific and informed indication of an individual's wishes" (article 2(h) of Directive 95/46/CE.

Consent is valid only if the data subject can express a choice without any negative consequences if he/she refuses to give consent. If the data subject refuses to give consent to the use of cookies, he/she must be able to continue benefiting from the service (e.g. access to a website).

In order for the user's consent to be valid, there must be a positive action of the user materializing his/her consent after receiving the information, which explains the consequences of his/her choice and how to express it.

Obtaining the user's acceptance of a website or mobile app's terms of use does not constitute valid consent for the use of cookies.

The users can withdraw their consent at any time and a user-friendly solution must be offered to them allowing them to withdraw their consent easily.

The users must be informed in an easy and intelligible manner about the solutions that are made available which allow them to accept or refuse all or some of the cookies.

Consent must be freely given, specific, informed and unambiguous. Consent must be expressed by means of a declaration or an affirmation action.

- freely given: consent may be freely given only if the user can express freely a choice and is not subject to any major inconveniences in the absence of consent, or if consent is withdrawn. In such context, cookie consent walls, which block access to a website or mobile app if the user does not give consent, do not comply with the GDPR.

- specific: users must be able to give consent autonomously and specifically for each purpose. Asking the user to give a general consent to all trackers is not acceptable. Obtaining the user's acceptance of a website or mobile app's terms of use does not constitute a specific consent for each purpose.

- informed: the notice must be drafted in simple and intelligible terms for all and must allow users to be informed about the different purposes for using trackers. The information provided must be comprehensive, visible and easily accessible at the time of obtaining consent. A simple cross-reference to the general terms of use is not sufficient.

Users must be informed about:

- the identity of the data controller(s);

- the purpose(s) of the use of trackers;

- the possibility to withdraw consent.

Informed consent also means that the user must be able to identify all the organizations involved in the use of trackers before giving consent. This list must be complete and kept up to date and must also be made directly available to the user when his/her consent is obtained.

- unambiguous: the user must give consent by means of a positive action after being informed of the consequences of his/her choice and the means to exercise it. Continuing to navigate a website or to use a mobile app does not constitute a positive action and thus does not constitute valid consent. The use of pre-ticked boxes, as well as the general acceptance of the terms of use of a website or mobile app, do not constitute valid consent. User-friendly and ergonomic solutions must be provided to users in order to obtain their valid consent.

Evidence of consent: organizations who use trackers must be able to show evidence that they have obtained valid consent. Where an organization is not obtaining consent itself, the use of a contractual clause by which another organization collects consent on its behalf is not in itself sufficient to constitute valid consent.

Withdrawal of consent: users must be able to withdraw consent at any time and in an easy manner. This means that user-friendly solutions must be provided to allow users to withdraw their consent.

Cookie banner

When navigating on a website, the user must have access to a cookie banner (either on the homepage or a deep link), which informs users about:

- the specific purposes of the cookies that are used;

- the possibility to object to the use of cookies and to modify the cookie settings that apply to cookies by clicking on a link that is available in the cookie banner;

- the fact that by continuing to navigate on the website, the user is giving his/her consent to the storage of cookies (implied consent).

To ensure that consent is obtained unambiguously, the cookie banner must be displayed continuously on the web page until the user either clicks on a different web page (e.g., by clicking on a hyperlink) or clicks on an image or a button that is available on the homepage.

As a consequence, unless the user gives prior consent, the use of cookies on a user's device is prohibited if the user:

- closes the web page without continuing to navigate on the website or in the absence of any material action (inaction does not constitute implied consent); or

- clicks immediately on the link in the banner which directs him/her to the cookie settings and deactivates all the cookies.

Not specified.

Web browser settings

Web browser settings may be used to obtain valid consent only if the user:

- has the possibility to choose the settings on the web browser in order to accept or refuse cookies; and

- has been informed before any cookies are used about their purposes and the means to deactivate them.

However, at present, web browsers only allow to control HTTP type cookies. Therefore, web browser settings cannot be considered as a valid means for obtaining consent for other types of tracking technology, such as invisible pixels, flash cookies or device fingerprinting.

At present, web browsers only allow to control HTTP type cookies. Despite the fact that web browsers offer settings that enable users to make choices about the types of cookies they accept, these settings do not provide enough information to users, and therefore, do not enable to obtain informed consent. Regardless of the means used, web browsers do not enable to distinguish cookies by purpose, which means that users cannot give specific consent. Lastly, web browser settings currently do not allow obtaining consent for other types of tracking technology, such as device fingerprinting. Nonetheless, web browsers may evolve and may integrate mechanisms that will allow obtaining valid consent in accordance with the GDPR.

Cookies for audience measurement cookies

Cookies used to measure audiences on a web site or mobile app may be exempt from consent if the following conditions are met:

- the user must be informed and must be able to object to the use of such cookies;

- the purpose of such cookies must be limited to measuring the audience that views a content in order to assess the content that is published or the ergonomics of a website or mobile app;

- the data collected must not be combined or merged with other types of data (e.g. client accounts or statistics about another website);

- the cookies may only be used for anonymous statistics;

- the cookies may only be used by one publisher of content and must not enable tracking a user over different websites or mobile apps;

- the IP address cannot be used to geolocate a user more precisely than the city. Such IP address must be deleted or anonymised once the user has been located to avoid this data from being used or combined with other data.

Cookies used to measure audiences on a web site or mobile app may be exempt from consent if the following conditions are met:

- such cookies must be put in place by the web publisher or his processor;

- the user must be informed and must be able to object to the use of such cookies on all devices, operating systems, applications and browsers;

- the purpose of such cookies must be limited to: (1) measuring the audience that views a content in order to assess the content that is published or the ergonomics of a website or mobile app, excluding any form of unique targeting of individuals; (2) clustering of website audiences to assess the efficiency of the web editing choices that are made; (3) enabling overall dynamic changes to be made to a website.

- the data collected must not be combined or merged with other types of data (e.g. client accounts or statistics about another website) nor disclosed to third parties;

- the use of trackers must be strictly limited to producing anonymous statistics;

- the trackers may only be used by one publisher of content and must not enable tracking a user over different websites or mobile apps;

- the IP address cannot be used to geolocate the user more precisely than the city. Such IP address must be deleted or anonymised once the user has been located to avoid this data from being used or combined with other data.

Responsibility of web publishers and cookie providers

Where several other intermediaries are involved in the use of cookies with a web publisher (e.g. an advertising agency, social networks, analytics providers, etc.), they must each be considered as joint controllers.  Indeed, web publishers must inform and obtain consent from its users, either alone or jointly with its partners. Where such partners determine the purposes (e.g. profiling, online behavioural advertising) and the means (e.g. the algorithm used) of the processing, they cannot be considered as processors acting on behalf of the publisher.

Where only one organization is involved in the use of trackers, that organization is fully responsible for providing notice and obtaining consent from the users (e.g. a publisher who uses cookies for his own statistical analysis).

In other cases, several parties may be involved in the user of trackers (e.g. a web publisher and an advertising agency). In such case, they may be considered as independent controllers, joint controllers, or data processors.  In all other cases, third parties who use trackers are fully and independently responsible for the trackers they use, which means that they must obtain consent directly from the users.

Where the parties determine jointly the purposes and means of the processing, they must enter into a joint controllership agreement in accordance with article 26 of the GDPR, including which party provides notice and obtains consent from the users.

Lastly, a data processor in this context is defined as an entity who installs information and/or has access to information stored on a  user's device exclusively on behalf of a data controller without re-using the data collected via the tracker for his own purposes.  In such case, the parties must enter into a data processing agreement in accordance with article 28 of the GDPR.

Period of retention of cookies

The Guidelines recommend a maximum of retention for cookies of thirteen (13) months. Once this period has expired, the user's consent must be renewed if the cookies continue to be actively used. A user's frequent use of a website does not constitute a valid renewal of the user's consent.

Trackers may be used for a maximum period of thirteen (13) months. Once this period has expired, the user's consent must be renewed if the cookies continue to be actively used. A user's frequent use of a website does not constitute a valid renewal of the user's consent.