On 19 July the French Data Protection Authority (the “CNIL”) published new guidelines on cookies and trackers. These replace the existing Recommendation No. 2013-378 of 5 December 2013, are intended to be in line with relevant GDPR provisions and have been produced in anticipation of the future ePrivacy Regulation. The guidelines will be supplemented, at a later stage, with sectoral recommendations setting out practical methods for obtaining consent. These sectoral recommendations will be included in a final version of the guidelines on cookies and trackers open for public consultation, which will then be subject to final adoption by the CNIL (expected early 2020).
The Scope of the Guidelines
The new guidelines apply to all types of operations involving cookies and trackers on any type of device, including smartphones, computers, connected vehicles and any other object connected to a telecommunications network open to the public.
Giving Consent – no more soft opt-in
The guidelines clarify that cookies and trackers cannot be used until the user has expressed his or her freely given, specific, informed and unambiguous consent. In order to be validly obtained, consent must fulfil the following conditions:
- Freely Given: The user should not suffer any major inconvenience if they refuse to give or withdraw their consent. The practice of blocking access to a website or a mobile application unless consent is provided does not comply with the GDPR.
- Specific: The user must give his or her consent specifically for each distinct purpose. Blanket acceptance of general terms and conditions of use does not constitute valid consent.
- Informed: Information provided to users must be clearly and simply written, enabling users to be fully informed about the different purposes of the cookies and/or trackers used. The information must be complete and conspicuously visible at the time of obtaining consent. If information is necessary for informed decision-making, it should not be provided only in terms and conditions.
- Unambiguous: Consent should require a positive action to opt in. Merely continuing to browse a website, use a mobile application or scroll down the page of a website or a mobile application can no longer be considered as valid consent. Similarly, the use of pre-checked boxes and/or the blanket acceptance of terms and conditions cannot be considered valid consent.
- Revocable: Users should be able to withdraw their consent at any time. User-friendly solutions must therefore be implemented to allow users to withdraw their consent as easily as they have given it.
Operators’ Roles and Responsibilities
An operator using cookies and trackers is considered to be a controller and is therefore fully responsible for obtaining valid consent. Third parties using cookies and trackers are independently responsible for obtaining valid consent.
The guidelines do not require prior consent:
- when cookies or trackers are used exclusively to facilitate communication by electronic means; or
Users must, however, still be informed about the existence of such cookies or trackers and their purpose.
Operators have six months from the publication of the CNIL’s final guidelines (expected at the beginning of next year) to comply with the new rules. Notwithstanding this grace period, however, the CNIL will continue to monitor and enforce compliance with existing and unchanged data protection rules.