France: CNIL's finalised guidelines and recommendations on cookies and other trackers
Main principles confirmed by CNIL
Unsurprisingly, both the Guidelines and Recommendations reaffirm already known principles. CNIL has notably reiterated that:
- the simple continuation of navigation on a site can no longer be considered as a valid expression of consent from the user;
- users must consent to the deposit of trackers by a clear positive act (such as clicking on 'I accept' in a cookie banner) - if they do not do so, only trackers essential to the operation of the service may be deposited on their device;
- users must be able to withdraw their consent easily and at any time;
- refusing cookies should be as easy as accepting them;
- individuals must be clearly informed of the purpose of the trackers before consenting, the consequences of accepting or refusing trackers, as well as the identity of all the actors using trackers subject to consent; and
- organisations using trackers must be able to provide, at any time, proof of valid collection of the free, informed, specific and unambiguous consent of the user.
As expected, certain trackers of purely technical function remain exempt from the consent requirement, such as trackers used for authentication to a service; to store the contents of a shopping cart on a merchant site; or to allow paying sites to limit free access to a sample of content requested by users. The same goes, under certain circumstances, for traffic analysis cookies.
Notably, the new versions of the Guidelines and Recommendations do not mention the use of legitimate interests as a legal basis and therefore remain in line with the evolution of the long-awaited reworked draft ePrivacy Regulation.
Indeed, the Croatian Presidency's draft of the ePrivacy Regulation introduced the possibility of processing electronic communications metadata and cookies when necessary for the purpose of legitimate interests under certain circumstances (which was met with rather mixed reactions from Member States). However, the German EU Council Presidency (which succeeded the Croatian Presidency) removed any such mention of legitimate interests in the latest draft.
Therefore, for CNIL (and, for now, per the draft ePrivacy Regulation), to lay down cookies on a user's terminal, the rule remains consent (as understood under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')), exemption or nothing.
What about 'cookie walls'?
It is worth recalling that, on 19 June 2020, the French Conseil d'Etat ruled that CNIL could not legally prohibit in its guidelines, as a general rule, the practice of 'cookie walls' (which, in a nutshell, consists of blocking access to a website where cookies are refused).
Without altering CNIL's initial position, the new version of the Guidelines simply adopts more cautious language. CNIL notably explains that it considers that subjecting the provision of a service or access to a website to the acceptance of writing or reading operations on the user's terminal is likely (emphasis added) to infringe, in certain cases, on the freedom of consent.
Where a 'cookie wall' is set up, and subject to the lawfulness of this practice (emphasis added), which must be assessed on a case-by-case basis, the information provided to users should clearly indicate the consequences of their choices and, in particular, the impossibility of accessing the content or service in the absence of consent.
Should the ePrivacy Regulation finally exit its drafting and redrafting limbo, it will be interesting to see whether it adds its own layer of intricacies to this already hot topic.
Before anything else, it should be noted that CNIL still recommends that the consent collection interface should include not only an 'accept all' button but also a 'refuse all' button.
It also suggests that websites, which generally keep consent to trackers for a certain period of time, keep users' refusal in the same way, so as not to ask users again at each visit. The use of a cookie to remember this choice is logically exempt from consent requirements.
Furthermore, CNIL recommends that, when trackers allow tracking on websites other than the one visited, consent should be collected on each of the websites concerned by this tracking.
An interesting addition relates to so-called 'third-party cookies' (i.e. cookies deposited on a website by a third party, for instance when using third-party plugins). CNIL explains that it considers that when a party does not collect consent itself, its obligation cannot be fulfilled by the mere existence of a contractual clause committing one of the parties to collect valid consent on behalf of the other party, as such a clause does not make it possible to guarantee, in all circumstances, the existence of valid consent. In this respect, CNIL recommends that such a clause should be supplemented by a guarantee that the entity in charge of collecting the consent must also make available proof of having obtained valid user consent.
Controls, sanctions and grace period
CNIL invites all stakeholders to ensure that their practices comply with the requirements of the GDPR and the (current) Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') and, of course, its Guidelines and Recommendations.
As indicated above, the deadline for compliance with the new rules should not exceed six months, i.e. by the end of March 2021 at the latest. While CNIL will give priority to support and assistance during this period and take into account operational difficulties operators may encounter, it still reserves the right to sanction certain breaches, and in particular the most serious ones. Of course, CNIL will also continue to sanction breaches of rules on cookies existing prior to the entry into force of the GDPR.
It is now clear that, with the Guidelines and Recommendations now finalised, stakeholders should, as soon as possible, start implementing these requirements if they don't want to be caught with their hand in the cookie jar.
1. Available, only in French, at: https://www.cnil.fr/sites/default/files/atoms/files/ligne-directrice-cookies-et-autres-traceurs.pdf
2. Available, only in French, at: https://www.cnil.fr/sites/default/files/atoms/files/recommandation-cookies-et-autres-traceurs.pdf