Cookies and other tracking devices: CNIL new guidelines

• updated guidelines of the previous ones adopted on July 4, 2019 (available here) to adapt them to the decision of the French Administrative Supreme Court (“Conseil d’État”) of 19 June 2020 on cookie walls;
  
  
• practical recommendations on cookies and other tracking devices (accessible here), which follows a public consultation from January to February 2020.

Industry players have 6 months to comply with the new rules, i.e. until the end of March 2021.

Overall, the French authority mainly reshaped and clarified its doctrine on cookies and remains cautious in its approach to cookie walls.

Unsurprisingly, the CNIL keeps the main principles previously enacted such as:

• the end of continued browsing, scroll, pre-ticked boxes or acceptance of terms of use as valid methods of obtaining consent;
  
  
• the obligation to list the purposes (i.e. categories of cookies) and other data controllers involved in the use of cookies;
  
  
• the ability to withdraw consent at any time, and as easily as the ability to consent;
  
  
• the obligation to keep proof of consent;
  
  
• the exemption of consent for certain technical cookies, for which the CNIL provides some non-exhaustive examples.

We summarize below the provisions that we consider relevant and/or new compared to the previous draft recommendation.

CNIL guidelines: what’s new?

Cookies walls

The CNIL previously adopted guidelines on 4 July 2019 prohibiting the practice of cookie walls.

Sought by several professional associations, the French Conseil d’Etat invalidated this measure, founding that the CNIL exceeded what it could legally do in the context of soft law instrument.

The CNIL took into account this decision and drew the consequences in its new guidelines. Without generally validating the practice of cookie walls, the authority cautiously maintains that these practices may "in some cases" impair the freedom of consent. The authority concludes that the lawfulness of cookie walls should be assessed on a "case-by-case" basis and that "the information provided to the user should clearly indicate the consequences of his/her choices, including the impossibility of accessing the content or service without consent.”

Responsibility of publishers and third parties

The CNIL reiterates that the publisher of a site or application should be qualified as the data controller and must ensure that it retains control of cookies deposited by third parties on its site or application. These third parties should nevertheless also be qualified as data controllers if they "act on their own behalf".

As additions to the previous draft recommendation - without changing its previous positions - the CNIL:

• cites the decision of the Conseil d’Etat of 6 June 2018 to state that if third parties intervene to place cookies on a site or application, the publisher is responsible to make sure that it does not involve third parties who do not comply with applicable regulations and must "take all necessary steps with them to put an end to breaches";
  
  
• also repeats the ECJ ruling of 29 July 2019 "Fashion ID" which considered the publisher and third parties as joint controllers when they jointly determine the purposes and means of the cookies used;
  
  
• recalls that if the third party partners are considered as processors, they must assist the data controller in accordance with Article 28 of the GDPR, in particular to ensure respect for the rights of the data subjects and by informing the data controller if an instruction from the latter constitutes a violation of the regulation.

Cookies exempted from consent

The French authority confirmed that certain types of cookies that are purely technical, i.e., strictly necessary for the provision of the service, are exempted from the consent requirement (for example, for authentication to a service or to store a shopping cart).

Regarding analytics cookies, the CNIL clarified and simplified the conditions for exemption of this type of cookies and published a new page on this subject on its site (accessible here).

Interestingly, the CNIL added the following passage: "the Commission considers that trackers whose purpose is limited to measuring the audience of the site or application, to meet different needs (performance measurement, detection of navigation problems, optimization of technical performance or ergonomics, estimation of the power of the servers required, analysis of the content consulted, etc.) are strictly necessary for the operation and day-to-day administration of a website or application", and would therefore be exempt from consent.

In this respect, it is necessary that:

• the purpose is carried out solely on behalf of the publisher;
  
  
• tracking technologies do not allow tracking across different sites or applications; and
  
  
• the data is only used to produce anonymous statistics, without combination with other data or communication to third parties.

Without explicit reference to the most commonly used solutions, the CNIL nevertheless specifies that: "certain audience measurement offers do not fall within the scope of the exemption, particularly when their suppliers indicate that they reuse the data for their own account. This is notably the case for several major audience measurement offers available on the market. In some cases, it may be possible to set up these tools to disable the reuse of data, check with the supplier of your tool that it is contractually committed not to reuse the data collected (...) ".

What are the practical recommendations?

Conditions of consent

Continuing its strict interpretation of consent within the meaning of Article 4 of the GDPR, the CNIL now considers that the absence of consent must be understood as an outright refusal of all non-exempted cookies. Thus, if the user does not expressly click on the consent box, the controller must record proof of this refusal and no cookie can be used.

The CNIL also confirms two important points:

• Global consent may be given, provided that there is a possibility of globally refusing all cookies (via buttons such as "accept all" and "refuse all") at the same level and without a cookie management tool design encouraging a user who is not very attentive to prefer global consent without understanding the consequences. The CNIL "strongly" recommends avoiding interfaces allowing a single click to consent and several levels of settings to be able to refuse cookies.
  
  
• In order to make it as easy to withdraw consent as to give it, at any time, it is recommended to provide the user with a link or a "cookie" icon accessible on all pages of the site or on the screen at all times to access the choice management tool.

The authority published an online summary of the conditions for consent and provides some examples of cookie banners (accessible here).

Regarding the collection of consent through browsers, the CNIL removed all the details it included in its previous draft recommendation. Thus, the issue of allowing browsers to develop mechanisms to facilitate the collection of consent is no longer under discussions on the CNIL’s part.

Proof of consent

While the principle of proof of consent remains the same, the CNIL developed some new examples to prove the validity of consent. In this respect, the authority approves the use of CMP tools which are increasingly used in practice: "Information relating to the tools implemented and their successive configurations (such as consent collection solutions, also known as CMP, for "Consent Management Platform") may be kept, time-stamped, by third parties publishing these solutions".

In addition, when third-party cookies are involved, the CNIL considers that any organization that does not itself collect consent cannot be satisfied with a contractual clause obliging its partner to collect valid consent. This partner should also be able to make available to all data controllers the proof of this consent when they rely on it so that they can all use it if necessary.

Retention period

The CNIL made it clear that it is essential to keep the user's choices, whether consent or refusal, so that he or she is not solicited again for a certain period of time. According to the authority, a 6-month period would be a good practice to follow.

The maximum validity period of 13 months for cookies has been removed from the new requirements. This recommended duration is maintained only as a condition for the exemption of audience measurement cookies.