France: CNIL adopts final recommendations and amended guidelines on cookies and other trackers
The French data protection authority ('CNIL') announced, on 1 October 2020, that it had adopted, on 17 September 2020, its amended guidelines on cookies ('the Amended Guidelines') and its final recommendations on cookies ('the Recommendations'), as well as publishing frequently asked questions ('the FAQs') and guidance on the evolution of rules on the same. In particular, CNIL noted that, in order to comply with the the Conseil d'Etat's decision which partially annulled CNIL's cookies guidelines of 4 July 2019, CNIL has now adopted the Amended Guidelines, repealing the previous guidelines of 4 July 2019 on cookies and other trackers. Moreover, CNIL stated that both the Amended Guidelines and the Recommendations are intended to allow operators in the advertising sector and internet users to have more control over the use of online trackers.
The Amended Guidelines
The Amended Guidelines provide, among other things, the following:
- cookie walls, which is the practice of blocking content for users who have not consented to cookies, are likely to undermine the freedom of users to consent; therefore, while CNIL does not ban cookie walls, it highlights that the lawfulness of cookie walls must be assessed on a case-by-case basis;
- simple navigation of a website does not constitute consent because consent must involve a clear affirmative action on the users' behalf;
- refusing the use of online trackers must be as easy as accepting them and users must not be subjected to complex procedures for rejecting online trackers;
- trackers that are exempt from the requirement of consent include trackers used for authentication of users or which preserve the content of an online shopping cart.
In addition, CNIL noted that the Recommendations aim to guide professionals on the application of cookies and other trackers by providing examples of ways of collecting valid consent to ensure compliance with Article 82 of the Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR), which governs the obligation to obtain consent for processing information stored in users' terminal equipment.
More specifically, the Recommendations include practical information and examples with regards to, inter alia:
- providing necessary information to users before obtaining their consent;
- the interface for refusing or withdrawing consent;
- proof of consent;
- operations exempt from the requirement of consent; and
- measures to ensure the transparent use of online trackers
Lastly, in terms of compliance with the rules on cookies and online trackers, CNIL stated that all actors concerned must ensure that they comply with the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') by the end of March 2021 while taking into account any operational difficulties.
You can read the press release here, the Amended Guidelines here, the Recommendation here, the FAQs here, the guidance on the evolution of the rules on cookies here, the guidance on bringing websites into compliance with the rules on cookies and tracers here, and the guidance on obtaining information on the navigation of internet users here, all only available in French.