France: CNIL guidance on online cookies and trackers
The French data protection authority ('CNIL') recently issued detailed guidance on online cookies and trackers¹. The guidance includes four documents: Guidelines, Recommendations, FAQs, and a specific statement on audience measurement. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, provides a detailed overview of the key takeaways from the Guidelines and the Recommendations.
Scope of Guidelines
The guidelines apply to all terminal equipment as defined in the Directive 2002/58/EC on Privacy and Electronic Communications ('ePrivacy Directive'), whatever the operating systems or software applications (such as web browsers) used.
They relate, in particular, to the use of HTTP cookies, by which read or write actions are most often performed, but also other technologies such as:
- 'local shared objects,' sometimes called 'flash cookies;'
- the 'local storage' implemented within the HTML 5 standard;
- identification by calculating the terminal's fingerprint, or 'fingerprinting;'
- the identifiers generated by the operating systems (whether advertising or not: IDFA, IDFV, Android ID, etc.); and
- hardware identifiers (MAC address, serial number or any other device identifier).
They also apply to many commonly used devices, such as a tablet, a fixed or mobile computer, a games console, a connected television, a connected vehicle, a voice assistant, as well as any other terminal equipment connected to a telecommunication network open to the public.
Applicability of the Recommendations
The Recommendations, and in particular the examples included in them, are neither prescriptive nor exhaustive and their sole objective is to help the professionals concerned in their process of compliance. Other methods of obtaining consent can be used, as long as they make it possible to obtain consent in accordance with the texts in force.
While the Recommendations focus on configurations for mobile and web interfaces, they can inspire and guide the development of interfaces in other contexts where consent in the sense of the ePrivacy regime is required, such as:
- connected television;
- games consoles;
- voice assistants;
- communicating objects; and
- connected vehicles.
CNIL encourages the development of standardised interfaces, operating in the same way and using a standardised vocabulary, so as to facilitate the understanding of users when they navigate on mobile sites or applications.
Any inaction or action by users other than a positive act signifying their consent must be interpreted as a refusal to consent. In this case, no read or write operation subject to consent can legally take place.
Scope of consent
When trackers subject to consent, deployed by entities other than the publisher of the site or the mobile application, allow the user's navigation to be followed beyond the site or the mobile application where those are initially deployed, CNIL strongly recommends that consent be collected for each of the sites or applications concerned by this navigation monitoring, in order to guarantee that the user is fully aware of the scope of his consent.
Whether or not a cookie wall is allowed should be assessed on a case-by-case basis. If a cookie wall is set up, the information provided to the user should clearly indicate the consequences of their choices and, in particular, the impossibility to access the content or service without consent.
Consent to read and write operations must be specific. As such, consent to these operations cannot be validly collected via a global acceptance of general conditions of use. In order to ensure the free nature of the consent given, you should ask users for their consent independently and specifically for each distinct purpose.
Offering users a global consent to a set of purposes is possible, subject to presenting all the purposes pursued to the users in advance, for example 'accept all' and 'refuse all.'
To allow people to choose purpose by purpose, it is possible to include a button, at the same level of information as the links or buttons for accepting everything and refusing everything, that gives access to the choice purpose by purpose, for example 'customise my choices' or 'decide by purpose.' Alternatively, it is possible to offer to 'accept' or 'reject' purpose by purpose directly at the first level of information, e.g. by inviting users to click on each purpose so that a drop-down menu offers them 'accept' or 'refuse' buttons.
You should use a descriptive and intuitive name so that users can be fully aware of the possibility of making a choice by purpose.
Write the information in simple terms, understandable by all, that allow users to be duly informed of the different purposes of the trackers used. The information must be complete, visible, and prominently displayed. A simple reference to the general conditions of use is not sufficient.
The following information must at minimum be presented to users, before obtaining their consent:
- the identity of the data controller(s);
- the purpose of the data;
- how to accept or reject trackers;
- the consequences of refusing or accepting trackers; and
- the existence of the right to withdraw consent.
An exhaustive and up-to-date list of data controllers involved must be made easily accessible to users.
CNIL encourages actors not to resort to techniques for masking the identity of the entity using trackers, such as subdomain delegation, and also recommends that the names of the trackers used be explicit and, as far as possible, standardised regardless of the actor behind their emission.
The purposes of trackers must be presented to users before they are offered the possibility of consenting or refusing. They must be formulated in an intelligible way, in suitable language, and sufficiently clear to allow users to understand precisely what they are consenting to.
Each purpose should be highlighted in a short and prominent title, accompanied by a brief description. For example: '[site/application name] [and third-party companies/our partners] uses/use trackers to display personalised advertising based on your browsing and profile,' or '[site/application name] [and third-party companies/our partners] uses/use trackers to send you advertising based on your location.'
In addition to the list of purposes presented on the first screen, there should be a more detailed description of these purposes, easily accessible from the consent collection interface. This information can, for example, be displayed under a drop-down button that the internet user can activate directly at the first level of information. It can also be made available by clicking on a hypertext link at the first level of information.
In order to increase transparency, a data controller may also specify the categories of data collected by associating them with the purposes they achieve.
The exhaustive and regularly updated list of those responsible for the processing(s) must be made available to users when their consent is obtained. Such a list should also be made available to users on a permanent basis, in a place easily accessible at any time on the website or mobile application, and in areas where they expect to find it, for example a static 'cookie' icon always visible or a hyperlink located at the bottom or top of the page.
It is also helpful to indicate the number of persons responsible for the processing(s) involved at the first level of information. In addition, the role of those responsible for the processing(s) could be highlighted by grouping them into categories, which would be defined according to their activity and the purpose of the trackers used.
Consent must be manifested through positive action by the person after having been informed of the consequences of their choice and having the means to express it. Continuing to browse a website, to use a mobile application, or to scroll the page of a website or a mobile application does not constitute a clear positive action equivalent to valid consent. Pre-ticked boxes cannot be considered a clear positive act of giving consent.
In the absence of consent expressed by a clear positive act, the user must be considered as having refused access to his or her terminal or the entry of information in it, and appropriate systems should be in place to collect consent.
Refusal of consent
The expression of the user's refusal does not require any action on his or her part. You must ensure that the information accompanying each operable element that makes it possible to express consent or refusal is easily understandable and does not require efforts of concentration or interpretation on the part of the user, and you must offer users the possibility of both accepting and rejecting read and/or write operations with the same degree of simplicity.
The mechanism for expressing a refusal to consent to reading and/or writing operations should be accessible on the same screen and with the same ease as the mechanism for expressing consent. For example, at the stage of the first level of information, users may have the choice between two buttons presented at the same level and in the same format, on which are respectively written 'accept all' and 'refuse all.'
If refusal can be manifested by simply closing the window for collecting consent or by not interacting with it for a certain period of time, this possibility must be clearly indicated to users on this window to avoid confusion. You must ensure that choice collection interfaces do not incorporate potentially misleading design practices that lead users to believe that their consent is mandatory or that visually emphasise one choice over another. Use buttons and fonts that are the same size, have the same ease of reading, and are highlighted identically.
It must be as easy to withdraw consent as it is to give it. Therefore, you must inform users in a simple and intelligible manner, even before they give their consent, of the solutions available to them to withdraw it. The solution allowing users to withdraw their consent should be readily available at all times, for example offered via a link accessible at any time from the service concerned with a descriptive and intuitive name, such as 'management module of cookies' or 'manage my cookies' or 'cookie.'
Proof of consent
You must be able to demonstrate, at any time, that users have given their consent. If you do not collect the consent of users yourself (in particular for third party cookies), you must contractually require the other party to obtain valid consent and make proof of consent available to the other parties, so that each data controller wishing to avail itself of it can actually state.
When the refusal can be manifested by continuing navigation, the message requesting consent (for example, the window or the banner) should disappear after a short period of time, so as not to interfere with the use of the site or the application and thus not to condition the user's browsing comfort on the expression of his consent to the tracker.
- keep the choices expressed by users while browsing the site. Indeed, if these choices were not kept, users would be shown a new consent request window on each page consulted, which could infringe their freedom of choice;
- assess how long choices should be retained on a case-by-case basis, having regard to the nature of the site or application concerned and the specificities of its audience. Six months would be good practice; and
- renew consent collection at appropriate intervals; when choosing the period of validity of the consent, take into account the context, the scope of the initial consent, and the expectations of the users.
The publisher of a site which posts trackers must be considered as a controller, including when it subcontracts to third parties the management of these trackers set up for its own account. The body which authorises the use of trackers, including by third parties, from its site or mobile application, must ensure the effective presence of a mechanism for obtaining user consent.
In case of joint liability, in which those responsible jointly determine the purposes and means of processing, they must transparently define their respective obligations in order to ensure compliance with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), in particular with regard to the collection and demonstration, where applicable, of valid consent.
An actor who stores and/or accesses information stored in the terminal equipment of a user exclusively on behalf of a third party must be considered a data processor. If a processor relationship is established, the controller and the processor must establish a contract or other legal act specifying the obligations of each party, in compliance with the provisions of Article 28 of the GDPR.
Browser privacy settings
With current technology, the configuration options of browsers and operating systems cannot, on their own, allow the user to express valid consent. This is because browsers do not, to date, distinguish between trackers according to their purposes, even though this distinction may prove necessary to ensure freedom of consent. Indeed, although web browsers offer many settings allowing users to express choices regarding the management of cookies and other trackers, these choices are generally expressed today under conditions that do not ensure a sufficient level of prior information for users.
Trackers which do not require consent
The use of the same tracker for several purposes, some of which do not fall within the scope of these exemptions, requires the prior consent of the persons concerned, under the conditions recalled by the Guidelines.
The following trackers may, in particular, be regarded as exempt:
- trackers keeping the choice expressed by users on the placement of trackers;
- trackers intended for authentication with a service, including those aimed at ensuring the security of the authentication mechanism, for example by limiting robotic or unexpected access attempts;
- trackers intended to keep in memory the contents of a shopping cart on a merchant site or to invoice the user for the product(s) and/or services purchased;
- user interface customisation trackers (for example, for the choice of language or presentation of a service), when such personalisation is an intrinsic and expected element of the service;
- trackers allowing the load balancing of the equipment contributing to a communication service;
- trackers allowing paid sites to limit free access to a sample of content requested by users (predefined quantity and/or over a limited period);
- certain audience measurement trackers, subject to the reservations mentioned below; and
- storage of language preference.
Audience measurement trackers
Trackers whose purpose is limited to measuring the audience of the site or application, to meet different needs (performance measurement, detection of navigation problems, optimisation of technical performance or ergonomics, estimation of the power of the necessary servers, analysis of content consulted, etc.) are strictly necessary for the operation and day-to-day administration operations of a website or application and are therefore not subject to the legal obligation to collect the user's consent in advance.
In order to be limited to what is strictly necessary for the provision of the service, these trackers must have a purpose strictly limited to only the measurement of the audience on the site or the application for the exclusive account of the website owner. These trackers:
- must not in particular allow the overall monitoring of the person browsing using different apps or browsing different websites;
- should only be used to produce anonymous statistics; and
- must not allow the personal data collected to be cross-checked with other processing operations or transmitted to third parties, as these different operations are also not necessary for the operation of the service.
Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia
1. Only available in French, at: https://www.cnil.fr/fr/cookies-et-autres-traceurs-la-cnil-publie-des-lignes-directrices-modificatives-et-sa-recommandation