The entry into force of the GDPR earlier than the proposed ePrivacy Regulation has challenged companies with respect to their cookie policies and their implementation.
Given the delay in the adoption of an EU-wide regulation on e-privacy, national data protection authorities have taken the initiative in publishing guidelines on cookies requirements. The publication of guidelines by the German data protection authorities, followed by the Information Commissioner’s Office (ICO) (in early July 2019), prompted the French Data Protection Authority (CNIL) to update its own recommendations on the use of cookies on 18 July 2019, and these have now been supplemented by draft recommendations on practical steps.
The purpose of the CNIL guidelines on the use of cookies and other tracking technologies dated 18 July 2019 was to supersede the CNIL’s previous – and now obsolete – recommendations, in particular with respect to the notion of valid consent. The new recommendations are deemed to provide practical guidelines from a technical standpoint. These recommendations are currently in draft form, as the CNIL has submitted them for public consultation until 25 February 2020 prior to adopting them.
Companies should take a closer look at the CNIL recommendations, as the end of the transition period is only a few months away, and then the CNIL will start enforcing its new cookies rules. Although the practical recommendations are officially “non-binding”, considering the short timeframe, they are likely to be seen as the best option available to companies looking to ensure both the compliance of their websites and the efficient management of website traffic.
Harmonisation between ICO and CNIL recommendations regarding consent requirements for the use of cookies and other trackers
The CNIL has followed the consent standards set by the ICO and the German data protection authorities: active and informed consent is now required prior to the use of cookies or any technology storing or accessing information on a user’s device.
More precisely, the CNIL recommendations stress that the GDPR rules on consent are fully applicable to the use of cookies and other trackers, which implies that a freely given, specific, informed and unambiguous indication of consent is required from users.
These clear requirements answer the main issue raised by companies regarding the status of implied consent: it is now established that silence or inaction resulting from continuous browsing on a website no longer constitutes valid consent.
Furthermore, the soft “opt-in” of having a pre-ticked box does not constitute valid consent either.
The CNIL has also stated that the obligation to obtain consent must not interfere with the requirement to obtain free consent: the user should be able to reject the use of cookies without it having an impact on their use of the relevant website. In that respect, the CNIL is stricter than the ICO with regard to the prohibition of cookie walls, which block users who do not consent to the use of cookies from accessing the website.
With respect to the requirement for “informed consent”, the CNIL makes no reference to cookie banners, but points out that consent must be given with a full understanding of the consequences of this decision. Therefore, it is the responsibility of companies to draft comprehensive and legible information, and to communicate it to users before obtaining their consent. In that respect, the CNIL recommends that the information communicated should include certain details, including an exhaustive list of the entities using cookies and their respective roles as well as the purposes of the cookies.
Unlike the ICO, the CNIL has given details of its approach to specific consent: the user should be able to give their consent to each of the different purposes for using cookies, as opposed to giving their global consent, unless they are made aware of all the purposes for which the cookies are used when first visiting the website.
In practical terms, the CNIL permits companies to create adaptable templates that allow users to give their consent to the use of each cookie for a specific purpose. This is in line with the CNIL’s decision, affirmed by the French Administrative Supreme Court (Conseil d’Etat) on 6 June 2018 (n°412589), that browser settings do not allow users to give valid consent, to the extent that trackers cannot be distinguished according to their purpose.