The French Data Protection Authority (“CNIL”) published two decisions on 1 October 2020:
Industry players have 6 months to comply with the new rules, i.e. until the end of March 2021.
Overall, the French authority mainly reshaped and clarified its doctrine on cookies and remains cautious in its approach to cookie walls.
Unsurprisingly, the CNIL keeps the main principles previously enacted such as:
We summarize below the provisions that we consider relevant and/or new compared to the previous draft recommendation.
Cookie walls
The CNIL previously adopted guidelines on 4 July 2019 prohibiting the practice of cookie walls.
Petitioned by several professional associations, the French Conseil d’Etat invalidated this measure, finding that the CNIL had exceeded what it could legally do in the context of a soft law instrument.
The CNIL took this decision into account and drew the consequences from it in its new guidelines. Without generally validating the practice of cookie walls, the authority cautiously maintains that these practices may "in some cases" impair the freedom of consent. The authority concludes that the lawfulness of cookie walls should be assessed on a "case-by-case" basis and that "the information provided to the user should clearly indicate the consequences of his/her choices, including the impossibility of accessing the content or service without consent."
Responsibility of publishers and third parties
The CNIL reiterates that the publisher of a site or application should be qualified as the data controller and must ensure that it retains control of cookies deposited by third parties on its site or application. These third parties should nevertheless also be qualified as data controllers if they "act on their own behalf".
As additions to the previous draft recommendation - without changing its previous positions - the CNIL:
Cookies exempted from consent
The French authority confirmed that certain types of cookies that are purely technical, i.e., strictly necessary for the provision of the service, are exempted from the consent requirement (for example, for authentication to a service or to store a shopping cart).
Regarding analytics cookies, the CNIL clarified and simplified the conditions for exemption of this type of cookies and published a new page on this subject on its site (accessible here).
Interestingly, the CNIL added the following passage: "the Commission considers that trackers whose purpose is limited to measuring the audience of the site or application, to meet different needs (performance measurement, detection of navigation problems, optimization of technical performance or ergonomics, estimation of the power of the servers required, analysis of the content consulted, etc.) are strictly necessary for the operation and day-to-day administration of a website or application", and would therefore be exempt from consent.
In this respect, it is necessary that:
Without explicit reference to the most commonly used solutions, the CNIL nevertheless specifies that: "certain audience measurement offers do not fall within the scope of the exemption, particularly when their suppliers indicate that they reuse the data for their own account. This is notably the case for several major audience measurement offers available on the market. In some cases, it may be possible to set up these tools to disable the reuse of data, check with the supplier of your tool that it is contractually committed not to reuse the data collected (...)".
Conditions of consent
Continuing its strict interpretation of consent within the meaning of Article 4 of the GDPR, the CNIL now considers that the absence of consent must be understood as an outright refusal of all non-exempted cookies. Thus, if the user does not expressly click on the consent box, the controller must record proof of this refusal and no cookie can be used.
The CNIL also confirms two important points:
The authority published an online summary of the conditions for consent and provides some examples of cookie banners (accessible here).
Regarding the collection of consent through browsers, the CNIL removed all the details it included in its previous draft recommendation. Thus, the issue of allowing browsers to develop mechanisms to facilitate the collection of consent is no longer under discussion on the CNIL’s part.
Proof of consent
While the principle of proof of consent remains the same, the CNIL developed some new examples to prove the validity of consent. In this respect, the authority approves the use of CMP tools which are increasingly used in practice: "Information relating to the tools implemented and their successive configurations (such as consent collection solutions, also known as CMP, for "Consent Management Platform") may be kept, time-stamped, by third parties publishing these solutions".
In addition, when third-party cookies are involved, the CNIL considers that any organization that does not itself collect consent cannot be satisfied with a contractual clause obliging its partner to collect valid consent. This partner should also be able to make available to all data controllers the proof of this consent when they rely on it so that they can all use it if necessary.
Retention period
The CNIL made it clear that it is essential to keep the user's choices, whether consent or refusal, so that he or she is not solicited again for a certain period of time. According to the authority, a 6-month period would be a good practice to follow.
The maximum validity period of 13 months for cookies has been removed from the new requirements. This recommended duration is maintained only as a condition for the exemption of audience measurement cookies.