The cookie saga continues: CNIL publishes draft guidance on consent to cookies

A (non-binding) guidance tool

On 14 January 2020, the French Data Protection Authority (CNIL) published a draft version of practical recommendations on how to obtain consent to cookies ("the Guidance"). This Guidance is now open for public consultation for the next six weeks.

The Guidance constitutes the second phase of the CNIL's twofold work programme in the adtech sector (see our post here). The CNIL already published revised guidelines on cookies in July 2019, which repealed its outdated 2013 guidelines (see our detailed comparison here). Since then, the CNIL has held monthly stakeholder meetings to brainstorm consent–and here's the outcome:

Scope

The Guidance is intended to complement the Guidelines for the cookies or other tracking technologies that require consent.

Exempted cookies. As a reminder, the ePrivacy Directive only exempts two categories of cookies from such consent requirements: namely, cookies which are strictly necessary to the provision of an online communication service expressly requested by users or whose exclusive purpose is to enable or facilitate communication by electronic means. The CNIL gives useful examples of exempted cookies, for example, cookies used to record the consent to or refusal of non-exempted cookies, cookies intended for authentication to a service, shopping cart cookies and cookies allowing pay-per-use websites to limit free access to their content. The CNIL also lists cookies used for user interface customisation (e.g. for the choice of language or presentation of a service), where such customisation is "an intrinsic element expected by the user of the service".

Consent obtained by whom? The 2019 Guidelines do not clearly identify the entity that is ultimately in charge of collecting user consent and informing users. According to the Guidance, app and website publishers should ensure that valid consent is collected. Given their direct contact with users and the control they exercise over the consent management interface, they are –in most cases - best suited to inform users and to obtain their consent.

However, the CNIL does not rule on the legal qualification of other involved entities. Rather, it states that the qualification of data controllers can apply to both publishers and third parties. Concretely, publishers may act as controllers when setting first-party cookies or allowing data processors to place third-party cookies in accordance with their instructions. Third parties can also act as controllers when setting cookies for a purpose they determine themselves –e.g. third parties offering data enrichment services through cookies set on various publishers' websites. Surprisingly, the CNIL does not explicitly mention joint controllership, despite the recent rulings delivered by the Court of Justice of the EU (see our analysis here).

Consent dissected through a magnifying glass

The CNIL analyses the different elements of consent: informed, free, specific and unambiguous. It builds on the short article 2 of the Guidelines to set out practical recommendations illustrated by examples. It also provides best practices that go beyond legal provisions.

1. Informed consent: cookie purposes, identity of data controller(s) and scope of consent

The CNIL explains that cookie consent mechanisms can be based on a two-layered approach. The first layer is the consent management interface itself. The second layer can take the form of a separate page that may be accessed by means of a hyperlink or a scroll-down menu integrated within the first layer.

Purposes. The list of cookie purposes needs to appear within the first layer of information that is provided to the user. Each purpose should be highlighted in a short and prominent heading, followed by a brief description (e.g. "Personalized advertising: [name of site/app] [and third party companies/our partners] use trackers to display ads that are tailored to your browsing and profile"). Other wording examples include "location-based advertising", "content customisation" and "social media sharing". The second layer should then include a more extensive description of the relevant purposes.

The identity of data controller(s). The CNIL recommends providing the exhaustive list of "data controller(s)". This seems to contradict the findings of the Court of Justice of the EU in the Planet49 case, in which the Court more broadly held that users should be informed of the "recipients or categories of recipients of the data" –regardless of whether they act as controllers or processors.

According to the Guidance, providing the identity of data controllers and a hyperlink to their respective privacy notices in the second layer of information is sufficient. Nevertheless, the first layer of information should include a clear reference to such a list (e.g. "list of companies using cookies on our website/app"). In addition, once consent is given, users must be able to access this list at any time, e.g. through a cookie icon placed at the bottom left corner of each webpage.

The CNIL asks to regularly update this list. In the event of "unsubstantial" changes to the list, making the list available through a permanent and easily accessible link alone is sufficient. However, if "substantial" changes are made to the list, then the controller must ask users to renew their consent.

Scope of consent across websites. The CNIL suggests that when visiting a single website or app, users can give their valid consent to cookies set across several websites and applications. This can be achieved on condition that the second layer of information sets out an exhaustive list of the concerned additional websites and apps. In its Q&A, the CNIL further specifies that such a situation arises when a publisher sets a cookie across the several websites it is developing or when an adtech intermediary sets a cookie across the websites on which it is present.

2. Free consent

"Free" consent implies that granting consent should be as easy as refusing to grant consent. In other words, users should be able to grant their consent or to refuse using the same technical features (e.g. toggle buttons, boxes to tick and push buttons). Consent and refusal options should also be clearly displayed in the same manner on the page.

A refusal should not lead to repeatedly asking for consent during subsequent visits to the concerned websites or apps, which would amount to constant pressure. Hence, in practice, the validity of consent should match the validity of refusal: a user's consent to cookies or refusal should have the same period of validity. Thus in both cases, once this period expires, users may be asked again to give their consent.

Lastly, the CNIL highlights that data controllers may grant users the possibility to postpone their decision whether or not to grant consent. For example, the website may display a cross in the top right corner of the consent management interface that allows users to close the interface and thus not to make any decision yet. Concretely, this amounts neither to consent nor to refusal, which means that data controllers are not allowed to drop any non-essential cookies on the user's device and must wait for the user to decide at another time.

3. Specific consent

The CNIL also allows controllers to obtain a "bundled" consent for several purposes provided that:

• Users have previously been informed of all the purposes for each cookie,
• A bundled refusal option is also made available to users next to the bundled consent
• Users may still choose to give their granular consent to different purposes (e.g. in the second layer of information)

For example, "Reject all" and "Accept all" buttons enable either bundled refusal or consent. The CNIL recommends using the same font and size for the two buttons, without one being more prominent than the other. A third button may explicitly inform users that they are entitled to give granular consent for specific purposes (e.g. "Customize my choices" or "Choice by purpose" button).

While not mentioned in the Guidance itself, the CNIL explains in its Q&A that this bundled consent may also be valid for additional websites when cookies are set across websites or apps. In this case, the first two above conditions apply, i.e. information about the list of all websites and possibility of bundled refusal. In this case, a granular consent is not required.

Lastly, the CNIL considers that granting consent to specific data controllers is a best practice –but is not legally required. Thus, specific consent to all the data controllers is not required as such.

4. Unambiguous consent

The consent mechanism must not use potentially misleading design practices that would disturb the user's understanding of the nature of his or her choice. Here the CNIL implicitly refers to a 2019 report published by its research lab on "Shaping Choices in the Digital World". This report analysed interface designs by giving concrete examples of "dark patterns" and privacy-friendly design practices –in English here.

Consent withdrawal: Users must be able to withdraw their consent at any time. In practice, the ease of withdrawal is measured through the time spent on it by users and the number of actions required. For example, publishers may choose to display a "cookie" icon on the bottom corner of all of its webpages.

Cookie lifespan: The CNIL considers that consent to cookies may only be valid for six months as a best practice –which suggests that the refusal of cookies is also valid only for six months (see above). However, the CNIL does not specify the retention period applicable to the personal data collected through cookies, which gives controllers the possibility to determine the period of retention of personal data themselves.

Proof of consent: Data controllers should be able to demonstrate that they have obtained consent individually from each user. In addition, in accordance with the accountability principle, they should document the choice of their consent management interface to demonstrate how the interface's characteristics and features allow them to obtain valid user consent, e.g. through screenshots of the interface for each website's version and regular audits.

Discrepancies between guidance issued by the Data Protection Authorities

The Guidance is the latest addition to the many soft-law or hard-law guidelines already published by EU Data Protection Authorities. This necessarily leads to some discrepancies in topics such as the validity period of consent and refusal (e.g. between the French and Spanish DPAs), the validity of bundled consent and the content of the layered approach.

These contradictions inevitably make it difficult for publishers, adtech and advertisers to implement a valid consent mechanism throughout the EU. In the end, carefully documenting the choice of the consent management interface and the integration of privacy by design and by default is key.

In parallel, the CNIL is sharpening its understanding of the adtech sector, as demonstrated by a recent post highlighting the privacy challenges in the adtech sector. The CNIL's research lab also published an article on the functioning of the RTB system.

In conclusion, the regulation of cookies and online tracking technologies continues to be one of the most complex areas of the laws, both for organizations and the regulators.