ICO and CNIL revised cookies guidelines: convergence and divergence

By Gabriel Voisin, Ruth Boardman, Dr. Simon Assion, Clara Clark Nevola

08-2019

In July 2019, the UK (ICO) and French (CNIL) Data Protection Authorities published new guidance on the use of cookies and other internet tracking technologies.

In March 2019, the German conference of federal and state supervisory authorities published guidance on internet tracking; additional guidance exists at German state level. The sections below set out where the three sets of guidance agree and where they diverge.

Similarities

Rules applicable to cookies only?

No. The authorities consider that the rules apply to any technology that stores information on, or accesses information already stored on, the user's device (e.g. tracking pixels, SDKs in mobile applications, local objects, browser fingerprinting, etc.). Under the German guidance the technology must also involve processing of personal data; provided that is the case, the rules apply to any of the technologies listed above.

Implied consent

All authorities stress that where consent is required, users must give specific, freely given and unambiguous consent before the storage of, or access to, information on their device begins. The authorities highlight that a user simply continuing to browse a website does not amount to consent.

Granular consent

The French and UK authorities are clear that terms and conditions cannot be used as a method for obtaining consent, as this breaches Article 7(2) of the GDPR (a request for consent must be presented in a manner clearly distinguishable from other matters). The German authorities did not comment on this, but are likely to agree.

The consent must cover each purpose for which personal data will be processed (i.e. each purpose for which cookies are used). The UK and French authorities accept that organisations can offer, in the first consent layer, a global consent covering all cookies for which consent is required. The German authorities do not comment on this.

The CNIL also requires that a second layer allows the user to give specific consent to each purpose separately. This is not spelt out in the ICO guidance but, based on ICO's own practice, is likely to be regarded as best practice. The German authorities require granular consent, but do not specify whether this should be part of the first layer or could be moved to a second layer.

List of parties

In order for consent to be informed, the user must be able to identify all parties processing their data. This means that organisations should name all parties who will rely on users' consent.

Browser settings

The view of ICO and the CNIL is that, currently, relying solely on browser settings is not enough to have valid consent. Both consider that in the future, browser settings are likely to be adapted to ensure valid consent can be collected through them. German authorities do not specifically comment on the subject, but likely agree with this view.

Territorial scope

Whenever personal data is processed, the territorial scope rules in Article 3 of the GDPR apply. This is stated in the ICO guidance but not in the CNIL or German guidance (although the French and German authorities follow the same approach in practice). The guidance therefore applies to the use of cookies carried out in the context of the activities of UK, French or German established controllers or processors (as applicable), and also to any organisation based outside the EEA which uses cookies either to monitor the behaviour of individuals in the UK, Germany or France, or where it is apparent that the organisation intends to offer goods or services to such individuals (Article 3(2) GDPR sets these out as alternative limbs, so either one is enough).

Note that Brexit will also affect this. In the event of a no-deal Brexit, the UK cookie guidance would also apply to EEA-based organisations which use cookies to target individuals in the UK, and the French and German guidance would apply to UK organisations which use cookies to target individuals in France and/or Germany.

Differences

Each issue below is set out for France (CNIL), the UK (ICO) and Germany in turn.

Grace period

France: Yes. Companies are expected to comply with the new rules six months after the publication of a (yet to be issued) CNIL opinion on how to obtain consent in practice. The CNIL expects this opinion to be in final form in the first quarter of 2020.

UK: No.

Germany: No.

Are cookie walls allowed?

France: No. Cookie walls are not compliant, as a user who refused would suffer adverse consequences, so the consent would not be freely given.

UK: The ICO notes that consent which is forced via a cookie wall is "unlikely to be valid". However, it also notes that the GDPR must be balanced against other rights, including freedom of expression and the freedom to conduct a business. The ICO seems to be sitting on the fence on this point, at least for the moment.

Germany: No, similar to the CNIL.

Do analytics cookies require consent?

France: Not always. Certain analytics cookies are exempted from the prior-consent requirement if they meet a list of cumulative conditions set by the CNIL.

UK: Yes, there is no exception. The ICO does state, however, that it is "unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals", and gives first-party analytics cookies as an example of cookies that are potentially low risk.

Germany: No, unless they lead to a transfer of personal data to a third party. Even then, consent is likely unnecessary if users can easily opt out of the transfer to the third party. Cross-site or cross-device tracking is also likely to require consent.

Lawful basis for subsequent processing of personal data

France: Unlike the ICO, the CNIL does not suggest that consent is the only possible lawful basis for the subsequent processing of personal data collected via cookies.

UK: For the ICO, in most circumstances legitimate interests is not the appropriate lawful basis for processing personal data obtained via cookies. Because consent is required under the ePrivacy rules, consent should also be the lawful basis under the GDPR. Relying on legitimate interests when GDPR-compliant consent is already in place would be unnecessary and would confuse users. Legitimate interests would never be available for profiling-related processing of personal data.

Germany: Like the CNIL, the German authorities take the view that consent is not always required. They mention contract performance (Article 6(1)(b) GDPR) and the balance-of-interests test (Article 6(1)(f) GDPR) as further possible lawful bases.

Prominence of options given to users

France: No specific guidance. More may be said on this topic in the (yet to be issued) CNIL opinion on how to obtain consent in practice.

UK: Emphasising the "agree"/"allow" option over the "reject"/"block" option nudges users towards accepting; this is not a compliant way to collect consent. The same applies where the "reject"/"block" option is located in a second layer while the "agree"/"allow" option is available in the first layer.

Germany: A simple banner with cookie information and an "OK" button is not sufficient; the consent must be recognisable as such. The banner must list specifically all data processing activities that require consent (and no others), and users must be able to decline. The German authorities require granular options (one per data processing activity), but do not specify whether these options can form part of a multi-layer design in which a simple "accept all" option on the first layer is complemented by more granular "refuse" options on the second.

Cookie lifespan and retention periods

France: Analytics cookies benefitting from the CNIL prior-consent exemption must not have a lifespan exceeding 13 months, and information collected through those trackers may be kept for a maximum of 25 months. All other cookies are not subject to a prescribed lifespan.

UK: The lifespan of a cookie must be proportionate to the intended outcome and limited to what is necessary to achieve the purpose. Setting the maximum possible technical duration (e.g. an expiry of 31/12/9999) would not be regarded as proportionate in any circumstances.

Germany: The German authorities do not specify a lifespan for cookies, but take the view that a shorter lifespan (or "recognition period") is more likely to satisfy the balance-of-interests test (Article 6(1)(f) GDPR).
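The lifespan points above translate into a check that can be run over a site's actual Set-Cookie headers. The script below is an added example and is not code from the article or from any of the authorities. It reads Set-Cookie headers, derives each cookie's lifespan (Max-Age takes precedence over Expires, per RFC 6265), and flags the two cases the guidance singles out: an analytics cookie claimed under the CNIL exemption that outlives 13 months, and a far-future expiry of the "31/12/9999" kind. The sample headers, the fixed clock, the set of cookie names treated as exempt analytics cookies and the 50-year threshold used as a proxy for "maximum technical duration" are all assumptions made for the example.

```python
"""
Set-Cookie lifespan audit helper (added example; not from the article or the
ICO/CNIL/German guidance). Thresholds taken from the text: 13 months for
CNIL-exempted analytics cookies; a far-future expiry such as 31/12/9999 is never
proportionate. The 50-year "far future" cut-off, the sample headers, the fixed
clock and the analytics cookie names are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

THIRTEEN_MONTHS = timedelta(days=13 * 31)  # assumption: 31-day months as an upper bound
FAR_FUTURE = timedelta(days=365 * 50)      # assumption: >50 years treated as "technical maximum"


def parse_set_cookie(header, now):
    """Return (name, lifespan) for one Set-Cookie header.

    lifespan is a timedelta, or None for a session cookie. When both Max-Age
    and Expires are present, Max-Age wins (RFC 6265 section 5.3).
    """
    name = header.split("=", 1)[0].strip()
    max_age = expires = None
    for attr in header.split(";")[1:]:
        key, _, value = attr.strip().partition("=")
        key = key.lower()
        if key == "max-age":
            try:
                max_age = int(value.strip())
            except ValueError:
                pass  # browsers ignore a malformed Max-Age, so we do too
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(value.strip())
            except (TypeError, ValueError):
                pass  # unparseable Expires is ignored, leaving a session cookie
    if max_age is not None:
        return name, timedelta(seconds=max_age)
    if expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return name, expires - now
    return name, None


def audit_cookies(headers, now, analytics_names=()):
    """Classify each cookie against the lifespan points in the comparison above.

    analytics_names: names of cookies the site claims under the CNIL analytics
    exemption, whose lifespan is therefore capped at 13 months.
    Returns a dict mapping cookie name to a finding string.
    """
    findings = {}
    for header in headers:
        name, lifespan = parse_set_cookie(header, now)
        if lifespan is None:
            findings[name] = "session: no lifespan concern"
        elif lifespan > FAR_FUTURE:
            findings[name] = "far-future expiry: technical maximum, not proportionate"
        elif name in analytics_names and lifespan > THIRTEEN_MONTHS:
            findings[name] = "exempt analytics cookie over 13 months: CNIL exemption lost"
        else:
            findings[name] = f"lifespan {lifespan.days} days: justify against purpose"
    return findings


# Constructed sample: a fixed clock and four headers as a site might send them.
NOW = datetime(2019, 8, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga_site=GA1.2.1; Max-Age=63072000; Path=/",  # 730 days
    "prefs=dark; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/",
    "consent=v1; Expires=Sat, 01 Feb 2020 00:00:00 GMT; Path=/; Secure",
]

if __name__ == "__main__":
    for name, finding in audit_cookies(SAMPLE_HEADERS, NOW, analytics_names={"_ga_site"}).items():
        print(f"{name}: {finding}")
```

Run against real headers by feeding the raw Set-Cookie values from a captured response; the "justify against purpose" finding is deliberately not a pass, since the UK and German guidance ask for a purpose-based justification of every non-session lifespan rather than a numeric limit.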