Updated and finalised CNIL's guidance on cookies
In early October, the CNIL published a new set of Guidelines on cookies and online trackers and the finalised version of practical Recommendations, adopted on 17 September 2020.
It took over a year for the CNIL to finalise its guidance, after several legal challenges initiated by the publishing and advertising industries and a public consultation. As a reminder, the CNIL initially issued guidelines on cookies in July 2019 to repeal its outdated guidelines of 2013. The latter were then completed by draft recommendations in January 2020. Yet, last June, the French highest administrative court struck down one provision of the guidelines relating to cookie walls, as it considered that the CNIL had abused its power to issue soft law.
While the new Guidelines are not binding, they aim at reiterating and clarifying the applicable law, and thus constitute the CNIL's current legal interpretation. The Recommendations are more practical and filled with non-prescriptive examples as well as best practices.
Unchanged key provisions
Some key provisions have remained unchanged. For example, the CNIL still considers that "bundled" consent is valid if granular consent is also offered. The CNIL provides the example of the use of "reject all" and "accept all" buttons within the Consent Management Platform (CMP), complemented by a third "personalise my choices" button that offers the possibility to granularly consent to specific cookie purposes within a second layer. The CNIL also recommends setting a fixed period for the validity of consent to or refusal of cookies, i.e. 6 months as a best practice, after which consent has to be renewed. Users still need to be provided with the exhaustive and updated list of data controllers/third parties setting cookies on the website, through a dedicated link.
The new Guidelines primarily draw the consequences from the French administrative court's ruling on cookie walls. Yet, a few changes go well beyond the Court's ruling.
Open door to cookie walls? The CNIL decided not to comment on the lawfulness of cookie walls, which should be assessed on a case-by-case basis. Instead, it very cautiously states that cookie walls "are likely to affect, under certain conditions, the 'freely given' dimension of consent". In any case, users need to be clearly informed about the consequences of their choices when facing a cookie wall.
Enhanced transparency within the CMP. The CNIL considers that for consent to be "informed", users should at least be made aware of:
• the identity of data (joint) controller(s) – the exhaustive list of controllers should be accessible,
• their right to withdraw consent,
• the cookie purposes –they should be concisely explained and a longer explanation must be accessible on the second layer,
• how to accept or reject cookies (e.g. refusal through closing or ignoring the CMP) and
• the consequences of refusal or consent.
Broad understanding of "refusal". The CNIL asserts that the absence of a clear affirmative action or "silence" on the part of users, such as further browsing, must be interpreted as refusal of cookies. This removes any ambiguity regarding the correct interpretation of users' inactivity. In any case, refusing must be as easy as consenting.
Conditions to exempt analytics cookies from consent requirement. The CNIL highlights that analytics cookies may be considered as 'strictly necessary', and hence exempted from the requirement to obtain consent, if:
• their purpose is strictly limited to audience measurement on the publisher's exclusive interest,
• they do not allow the tracking of users across websites/apps,
• they only produce anonymous statistical data and,
• the collected personal data is not combined with other processing or transmitted to third parties.
Interestingly, the CNIL specified that under this exemption, providers of analytics cookie must be contractually prohibited from re-using the cookie data for their own purposes – which de facto excludes many of the analytics cookies that are currently offered on the market.
Strict obligations for website publishers. According to the CNIL, website publishers are responsible for ensuring that the third-party cookies set by their partners on their website comply with applicable provisions – even when the latter act as data controllers. Website publishers should take all 'necessary steps' to put an end to the breaches to applicable provisions undertaken by their partners.
The enforcement clock is ticking
The CNIL has identified compliance with cookie requirements as one of its three enforcement priorities for 2020/2021. A six-month grace period has now started with the adoption of the new guidance. Concretely, companies now have until the end of March 2021 to comply with the Guidelines. We note however that many provisions have not changed since the CNIL's 2013 guidelines, and therefore, they are immediately enforceable. This applies for example to the requirements whereby cookies may only be set following users' consent and that the mechanism for withdrawing consent must be easy to access and use. It can reasonably be expected that the CNIL will start proactively enforcing these Guidelines next year, given the fact that there have already been complaints and some investigations have already begun (see our previous blog).
A fragmented approach throughout the EU?
At a national level, we note that several data protection authorities have adopted their own guidance and the general position on cookie compliance has evolved in most countries following the entry into force of the GDPR, and recent case law by the Court of Justice of the EU.
However, we regret that there is no pan-European approach on the topic of cookies, despite the European Data Protection Board (EDPB) recently updating its guidelines on consent. In particular, it would have been helpful if the EDPB had addressed in more detail the issue of cookies and online targeting in its recent guidelines on the targeting of social media users.
If you have any questions or would like any further guidance on this subject matter, please do not hesitate to reach out to Olivier Proust and Sixtine Crouzet
Sign up to our email digest
Click to subscribe or manage your email preferences.