French Data Protection Authority Issues Draft Recommendations on Consent for Cookies
In Short
The Situation: On July 4, 2019, the French data protection authority ("CNIL") published revised guidelines on the implementation of cookies or similar tracking technologies in order to take into account the new requirements for consent under the GDPR. The CNIL then conducted a public consultation in order to establish recommendations providing guidance on the process for obtaining consent when implementing cookies.
The Result: The CNIL has now released its draft recommendations on consent for cookies and other tracking technologies. These recommendations, which provide practical guidance to businesses, are subject to public consultation until February 25, 2020.
Looking Ahead: Editors of websites and/or mobile applications should become familiar with the CNIL's recommendations so as to validly obtain consent for the implementation of cookies, and should follow any adjustments to these recommendations resulting from the current consultation process. The CNIL has announced that it will start enforcing its revised cookie guidelines around the third quarter of 2020.
On January 14, 2020, the CNIL published draft recommendations providing practical guidance, intended for entities using cookies and similar technologies, on the conditions for validly obtaining consent before cookies are placed. These recommendations are intended to help website and mobile application editors comply with the requirements of the ePrivacy Directive 2002/58/EC, as implemented under French law and interpreted by the CNIL. Under these requirements, cookies other than those necessary for the use of a website may only be placed with the consent of the website or mobile app user, and that consent must be freely given, specific, informed, and unambiguous.
In its recommendations, the CNIL stresses the importance of a neutral graphic design that conveys appropriate information without influencing users' decisions.
The CNIL therefore recommends distinguishing between two levels of information to be provided to the users, depending on whether information must be received before the user consents or may be provided if he or she so desires. Pursuant to a layered approach:
- On a first level of information, websites are recommended to: (i) provide clear information on the purposes of the cookies by using a short title followed by a description of the purpose concerned; (ii) display an up-to-date and complete list of the entities using the cookies and their respective roles (new consent is required when this list is updated in a substantial manner); and (iii) enable the user to accept or refuse cookies on a purpose-by-purpose basis and also controller by controller, either through a pull-down menu or via a redirection link.
- On a second level of information, the CNIL also recommends: (i) informing the user of whether his or her consent also applies to other websites on which browsing may continue; (ii) providing a link to the privacy policies of the entities concerned; and (iii) making the technical means by which the user can reach this second level of information (for instance, a link) visible in an area of the screen the user will easily notice.
The CNIL specifies that, in any event, simple and clear mechanisms (such as on/off sliders or unchecked check boxes) should be made available to users and, in particular, that a simple mechanism to refuse cookies must be offered at the same level and under the same technical conditions as the mechanism for accepting them. Moreover, the user's refusal or acceptance of cookies should be recorded so that consent is not requested again, since repeated requests would amount to a form of pressure liable to influence the user's decision. The CNIL also stresses that where the user makes no decision, no tracking technology should be placed on the user's device, and that the user must suffer no negative consequence from refusing cookies.
When consent is given and recorded, the CNIL recommends renewing the consent obtained at appropriate intervals (e.g., at the expiration of a six-month term).
Regarding proof of compliance, the CNIL stresses that entities should keep a double proof as follows:
- Individual proof of the collection of user consent, i.e., recording of the consent including a timestamp, the context of collection, the type of consent collection mechanism used, and the purposes for which consent must be given; and
- Proof that the technical mechanism used to obtain the consent is compliant and guarantees valid consent (free, specific, informed, and unambiguous). To this end, the CNIL's recommendations include frequent audits of the consent mechanism in place and/or placing in escrow the program code used by the data controller for obtaining consent.
This draft of recommendations is currently subject to public consultation until February 25, 2020, with a view to preparing the final version. Once the final recommendations are published, stakeholders will be given a transition period in order to integrate the new rules.
Editors of websites and/or mobile applications should become familiar with the CNIL's recommendations for validly obtaining consent for the implementation of cookies and should follow any adjustments of these recommendations resulting from the consultation process. The CNIL will start enforcing its guidelines on cookies consent around the third quarter of 2020.
Until discussions on the draft ePrivacy Regulation resume, and given that several supervisory authorities in the European Union (in particular in the UK and Germany) have recently tightened their requirements for cookie consent, the CNIL's draft practical recommendations could serve as a useful reference point for businesses with an online presence in several EU countries seeking to comply with the rules applicable to cookies.
Six Key Takeaways
- The mechanism used to request user consent for cookies should have neutral graphic design.
- Simple and clear mechanisms should be made available to users, including a mechanism to refuse the implementation of cookies.
- On a first level of information, there should be information on the purposes of the cookies, a complete list of entities using the cookies and their respective roles, and a mechanism to enable the user to accept or refuse the implementation of cookies purpose by purpose and data controller by data controller.
- On a second level of information, the user should be informed of the scope of the consent given (i.e., whether the consent also covers other websites).
- Website and app editors should keep a double proof, namely individual proof of the collection of user consent and proof that the technical mechanism used to obtain the consent is compliant and guarantees valid consent.
- Given that several EU supervisory authorities have increased their requirements for cookie consent, the recommendations of the CNIL should enable businesses to better ensure compliance with the applicable rules across the European Union.