The French data protection authority (the CNIL) has updated its guidance on local cookie consent requirements and has, in particular (i) suggested that analytics cookies might be exempt from the
The French data protection authority (the CNIL) has updated its guidance on local cookie consent requirements and has, in particular (i) suggested that analytics cookies might be exempt from the consent requirement, subject to certain conditions, and (ii) advised on possible means to obtain consent from Internet users in a way which complies with the law.
Use of analytics cookies without consent
The CNIL considers that because of the specific purpose of these cookies and the "very limited risk to privacy posed by this type of processing", it is not necessary to obtain prior consent from internet users.
However, the CNIL sets certain conditions that must be met in order to benefit from the exception, including (i) the provision of information (clear, complete and accessible from the site home page), (ii) the right of access, (iii) the right to refuse analytics cookies, (iv) purpose limitation (measuring website page traffic and producing anonymous statistics only), (v) restrictions on IP address use (geolocalization cannot be more specific than determining the city) and (vi) length of data retention (maximum six months).
It should be noted that the CNIL mentions that this new position might change in the very near future depending on an opinion soon to be adopted by the Article 29 Working Party.
High threshold to obtain a valid consent
The CNIL has not fundamentally changed its opinion that express means must be used to obtain consent from internet users. It reaffirmed that the (non-exhaustive) mechanisms it considers compliant are consent banners on the top of a webpage, consent requests overlaid on the page and tick boxes while subscribing to a service online.
One useful aspect of the CNIL's updated guidance is that it gives specific examples of the types of consent wording it expects. It insists that the information given to end users must include the specific purpose of the cookie. As such, the CNIL says that if the purpose of the cookie is to "create user profiles in order to send targeted advertising", the information must include all of these words and not just the word "advertising".
The CNIL's guidance provides the two following examples of consent language that it considers to be valid:
"Do you accept a cookie from our partners PUBIX and ADVIX in order to analyze your interests for the purpose of delivering personalized advertising to you?
[ ] I accept [ ] I refuse
More information here."
"By ticking this box, I agree to receive cookies from my-social-network.com during my visit to partnering Internet sites in order to identify me when I wish to share my favourite content with my friends.
To learn more."
Finally, the CNIL also provides an interesting clarification, pointing out that simply mentioning cookies in the Terms of Use does not constitute an "acceptable" means of obtaining consent.
Use of analytics cookies without consent
The CNIL considers that because of the specific purpose of these cookies and the "very limited risk to privacy posed by this type of processing", it is not necessary to obtain prior consent from internet users.
However, the CNIL sets certain conditions that must be met in order to benefit from the exception, including (i) the provision of information (clear, complete and accessible from the site home page), (ii) the right of access, (iii) the right to refuse analytics cookies, (iv) purpose limitation (measuring website page traffic and producing anonymous statistics only), (v) restrictions on IP address use (geolocalization cannot be more specific than determining the city) and (vi) length of data retention (maximum six months).
It should be noted that the CNIL mentions that this new position might change in the very near future depending on an opinion soon to be adopted by the Article 29 Working Party.
High threshold to obtain a valid consent
The CNIL has not fundamentally changed its opinion that express means must be used to obtain consent from internet users. It reaffirmed that the (non-exhaustive) mechanisms it considers compliant are consent banners on the top of a webpage, consent requests overlaid on the page and tick boxes while subscribing to a service online.
One useful aspect of the CNIL's updated guidance is that it gives specific examples of the types of consent wording it expects. It insists that the information given to end users must include the specific purpose of the cookie. As such, the CNIL says that if the purpose of the cookie is to "create user profiles in order to send targeted advertising", the information must include all of these words and not just the word "advertising".
The CNIL's guidance provides the two following examples of consent language that it considers to be valid:
"Do you accept a cookie from our partners PUBIX and ADVIX in order to analyze your interests for the purpose of delivering personalized advertising to you?
[ ] I accept [ ] I refuse
More information here."
"By ticking this box, I agree to receive cookies from my-social-network.com during my visit to partnering Internet sites in order to identify me when I wish to share my favourite content with my friends.
To learn more."
Finally, the CNIL also provides an interesting clarification, pointing out that simply mentioning cookies in the Terms of Use does not constitute an "acceptable" means of obtaining consent.