France: CNIL's finalised guidelines and recommendations on cookies and other trackers

On 1 October 2020, the French data protection authority ('CNIL') published its highly anticipated amended guidelines[1] ('the Guidelines') and recommendations[2] ('the Recommendations') on the use of cookies and other trackers. Stakeholders now have a six-month deadline to achieve compliance with the Guidelines and the Recommendations. Sonia Cissé and Jean Fau, Counsel and Associate respectively at Linklaters LLP, break down the key practical takeaways from the Guidelines and Recommendations, focusing on updates from the draft versions, cookie walls, key compliance considerations for stakeholders, and the whens and hows of enforcement.

Main principles confirmed by CNIL

Unsurprisingly, both the Guidelines and Recommendations reaffirm already known principles. CNIL has notably reiterated that:

  • the simple continuation of navigation on a site can no longer be considered as a valid expression of consent from the user;
  • users must consent to the deposit of trackers by a clear positive act (such as clicking on 'I accept' in a cookie banner) - if they do not do so, only trackers essential to the operation of the service may be deposited on their device;
  • users must be able to withdraw their consent easily and at any time;
  • refusing cookies should be as easy as accepting them;
  • individuals must be clearly informed of the purpose of the trackers before consenting, the consequences of accepting or refusing trackers, as well as the identity of all the actors using trackers subject to consent; and
  • organisations using trackers must be able to provide, at any time, proof of valid collection of the free, informed, specific and unambiguous consent of the user.

As expected, certain trackers of purely technical function remain exempt from the consent requirement, such as trackers used for authentication to a service; to store the contents of a shopping cart on a merchant site; or to allow paying sites to limit free access to a sample of content requested by users. The same goes, under certain circumstances, for traffic analysis cookies.

Notably, the new versions of the Guidelines and Recommendations do not mention the use of legitimate interests as a legal basis and therefore remain in line with the evolution of the long-awaited reworked draft ePrivacy Regulation.

Indeed, the Croatian Presidency's draft of the ePrivacy Regulation introduced the possibility of processing electronic communications metadata and cookies when necessary for the purpose of legitimate interests under certain circumstances (which was met with rather mixed reactions from Member States). However, the German EU Council Presidency (which succeeded the Croatian Presidency) removed any such mention of legitimate interests in the latest draft.

Therefore, for CNIL (and, for now, per the draft ePrivacy Regulation), to lay down cookies on a user's terminal, the rule remains consent (as understood under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')), exemption or nothing.

What about 'cookie walls'?

It is worth recalling that, on 19 June 2020, the French Conseil d'Etat ruled that CNIL could not legally prohibit in its guidelines, as a general rule, the practice of 'cookie walls' (which, in a nutshell, consists of blocking access to a website where cookies are refused).

Without altering CNIL's initial position, the new version of the Guidelines simply adopts more cautious language. CNIL notably explains that it considers that subjecting the provision of a service or access to a website to the acceptance of writing or reading operations on the user's terminal is likely (emphasis added) to infringe, in certain cases, on the freedom of consent.

Where a 'cookie wall' is set up, and subject to the lawfulness of this practice (emphasis added), which must be assessed on a case-by-case basis, the information provided to users should clearly indicate the consequences of their choices and, in particular, the impossibility of accessing the content or service in the absence of consent.

Interestingly, CNIL's approach is relatively stricter than that which is currently being pushed in the latest version of the German EU Council Presidency draft of the ePrivacy Regulation. Indeed, even though the current draft recognises that, in some cases, 'making access to website content dependent on consent to the use of such cookies may be considered, in the presence of a clear imbalance between the end-user and the service provider as depriving the end-user of a genuine choice,' it also notably states that making access to website content provided without direct monetary payment 'dependent on the consent of the end-user to the storage and reading of cookies for additional purposes would normally not be considered as depriving the end-user of a genuine choice if the end-user is able to choose between services, on the basis of clear, precise and user-friendly information about the purposes of cookies and similar techniques, between an offer that includes consenting to the use of cookies for additional purposes on the one hand, and an equivalent offer by the same or another provider that does not involve consenting to data use for additional purposes, on the other hand.'

Should the ePrivacy Regulation finally exit its drafting and redrafting limbo, it will be interesting to see whether it adds its own layer of intricacies to this already hot topic.

Practical recommendations

In addition to the Guidelines, CNIL has published its finalised set of fine-tuned practical Recommendations relating to the use of cookies and implementation of its Guidelines.

Before anything else, it should be noted that CNIL still recommends that the consent collection interface should include not only an 'accept all' button but also a 'refuse all' button.

It also suggests that websites, which generally keep the consent to trackers for a certain period of time, keep users' refusal in the same way, so as not to ask users again at each of their visits. The use of a cookie to remember this choice is logically exempt from consent requirements.

Furthermore, CNIL recommends that, when trackers allow tracking on websites other than the one visited, consent should be collected on each of the websites concerned by this tracking.

An interesting addition relates to the so-called 'third-party cookies' (i.e. cookies deposited on a website by a third party, for instance when using third-party plugins). CNIL explains that it considers that when a party does not collect consent itself, its obligation cannot be fulfilled by the mere existence of a contractual clause committing one of the parties to collect valid consent on behalf of the other party, as it does not make it possible to guarantee, in all circumstances, the existence of valid consent. In this respect, CNIL recommends that such a clause should be supplemented by a guarantee that the entity in charge of collecting the consent must also make available proof of obtaining valid users' consent.

Controls, sanctions and grace period

CNIL invites all stakeholders to ensure that their practices comply with the requirements of the GDPR and the (current) Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') and, of course, its Guidelines and Recommendations.

As indicated above, the deadline for compliance with the new rules should not exceed six months, i.e. by the end of March 2021 at the latest. While CNIL will give priority to support and assistance during this period and take into account operational difficulties operators may encounter, it still reserves the right to sanction certain breaches, and in particular the most serious ones. Of course, CNIL will also continue to sanction breaches of rules on cookies existing prior to the entry into force of the GDPR.

It is now clear that, with the Guidelines and Recommendations now finalised, stakeholders should, as soon as possible, start implementing these requirements if they don't want to be caught with their hand in the cookie jar.

Sonia Cissé Counsel
Jean Fau Associate
Linklaters LLP

1. Available, only in French, at:
2. Available, only in French, at: