The guidance provides general requirements for obtaining valid consent and details conditions under which audience management cookies may be exempt.

By Myria Saarinen and Camille Dorval

On 4 July 2019, one day after the UK Information Commissioner’s Office (ICO) published new guidance on cookies, the French Data Protection Authority (CNIL) released its own new guidance (Guidance). A corrective version followed on 19 July 2019.

The Guidance clarifies “consent” under Article 82 of the French Data Protection Act (Article 82). Article 82 implements the ePrivacy Directive’s cookies rule and constitutes the foundation of the French rules requiring organizations placing non-essential cookies to provide “clear and complete” information to users and to obtain their consent to the use of cookies.

The Guidance clarifies that such consent must comply with the definition and conditions of GDPR Articles 4(11) and 7 as interpreted by the European Data Protection Board guidelines on consent. As a result, the Guidance repeals the CNIL’s 2013 guidance, pursuant to which users who continued browsing a website after being informed of cookie placement were deemed to have given consent.

How to obtain valid consent?

According to the Guidance, organizations shall not place cookies or other tracking devices or process personal data obtained through them unless users have previously positively accepted the placement in a free, specific, informed, and unambiguous manner.

The Guidance mainly restates these principles without providing real concrete applications, contrary to the ICO’s own guidance. However, a few interesting takeaways include:

  • The use of “cookie walls” (blocking access to a website unless users consent to cookies) is not an acceptable practice because consent cannot be considered to be freely given under such circumstances.
  • Offering global opt-in for cookies of the website (meaning users can opt in for cookies all at once) is acceptable, provided organizations offer global opting-in in addition to, but not in place of, the possibility of giving specific opt-in for each purpose. The possibility of opting in globally is prohibited, however, if it is bundled with the acceptance of general terms of use.
  • Informed consent requires that prior to obtaining user consent, organizations must, at a minimum, provide to users (i) the identity of the data controller(s), (ii) the purpose(s) of the processing activities, and (iii) the existence of the right to withdraw consent.
  • The use of pre-checked boxes does not amount to a clear, positive act of consent.

Which cookies may be exempted from consent?

The Guidance’s most interesting principle concerns the identification of cookies that are exempted from the opt-in requirement, which goes far beyond the ICO’s guidance.

Only cookies used for audience management purposes — including audience measurement to assess the value of the content displayed and audience segmentation into groups (so long as it does not lead to targeting one single person) to evaluate the efficiency of editorial choices — may be exempted, provided the cookies comply with the following cumulative conditions:

  • The website publisher acting as data controller or its processor must implement the cookies. In other words, third-party audience management cookies cannot benefit from the exemption and remain subject to prior consent.
  • The cookies should measure the audience of a single website or a single mobile application and must not allow the tracking of the user’s navigation when using different applications or browsing different websites.
  • Organizations must not combine personal data collected through these cookies with data obtained through other processing activities, or transmit the data to third parties. This condition excludes combination with a customer database or with audience statistics concerning other websites.
  • Only anonymous statistics may be generated.
  • The use of the IP address to track the location of the user must not provide more accurate information than the city where the user is located. This IP address must be deleted or anonymized once the geolocation is performed.
  • The cookies shall have a life duration of no longer than 13 months from initial placement. The data collected through the cookies shall not be kept for longer than 25 months from collection.

If an organization can use audience cookies without the users’ prior consent, the Guidance provides that the organization must still inform users of the processing activities before the placement of cookies and must offer users an easy opt-out mechanism.

Grace period?

The CNIL announced that the Guidance will be followed by supplemental guidance, which will specify the practical arrangements for obtaining valid consent, including by industry sectors. The CNIL will prepare this draft supplemental guidance after consultation with professional organizations and other stakeholders in the coming months. The draft supplemental guidance will then be subject to public consultation, with the aim being to publish it during the first quarter of 2020.

In an explanatory note released on its website, the CNIL announced that it will provide a 12-month grace period for organizations to update their cookie practices in line with the Guidance. However, the CNIL specifies that the grace period will only apply to effective changes under the Guidance, such as not allowing consent to be obtained via users scrolling down or continuing to browse a website, or the obligation for organizations to be able to prove that they obtained valid consent. Existing requirements from the CNIL’s 2013 guidance will not benefit from this grace period. The CNIL will ensure that organizations:

  • Obtain consent (even implicit) prior to setting cookies
  • Allow access to the service/website even should users refuse or withdraw consent for cookies
  • Provide users with an easy way to withdraw their consent

In a second explanatory note coupled with the Guidance, the CNIL specified that this grace period will span six months following the publication of its supplementary guidance on cookies. Accordingly, this grace period could run until September 2020, at the latest.

However, the non-profit organization La Quadrature du Net (which initiated the CNIL decision to fine Google), claims that this grace period will allow websites to track users without their valid consent, in violation of the GDPR requirements. The organization announced that it will refer the CNIL’s decision to provide a grace period to the French State Council in the coming weeks. This grace period may therefore not be applied/maintained, or may be reduced.