The new guidelines confirm that continuing to browse a website after its cookie banner is displayed will no longer be considered to be valid consent for cookie use in France. Operators that use cookies and trackers will have to be able to prove that they have obtained affirmative consent from the user. Enforcement of the guidelines will, however, be delayed for around a year (see the Grace Period provision below).
The Scope of the Guidelines
The new guidelines apply to all types of operations involving cookies and trackers on any type of device, including smartphones, computers, connected vehicles and any other object connected to a telecommunications network open to the public.
Giving Consent – no more soft opt in
The guidelines clarify that cookies and trackers cannot be used until the user has expressed his or her freely given, specific, informed and unambiguous consent. In order to be validly obtained, consent must fulfil the following conditions:
- Freely Given: The user should not suffer any major inconvenience if they refuse to give or withdraw their consent. The practice of blocking access to a website or a mobile application unless consent is provided does not comply with the GDPR.
- Specific: The user must give his or her consent specifically for each distinct purpose. Blanket acceptance of general terms and conditions of use does not constitute valid consent.
- Informed: Information provided to users must be clearly and simply written, enabling users to be fully informed about the different purposes of the cookies and/or trackers used. The information must be complete and conspicuously visible at the time of obtaining consent. If information is necessary for informed decision-making, it should not only be provided in terms and conditions.
- Unambiguous: Consent should require a positive action to opt in. Merely continuing to browse a website, use a mobile application or scroll down the page of a website or a mobile application can no longer be considered as valid consent. Similarly, the use of pre-checked boxes and/or the blanket acceptance of terms and conditions cannot be considered valid consent.
- Auditable: All organizations that use cookies and trackers must implement appropriate mechanisms that allow them to demonstrate, at all times, that they have validly obtained consent from users.
- Revocable: Users should be able to withdraw their consent at any time. User-friendly solutions must therefore be implemented to allow users to withdraw their consent as easily as they have given it.
Operators’ Roles and Responsibilities
An operator using cookies and trackers is considered to be a controller and is therefore fully responsible for obtaining valid consent. Third parties using cookies and trackers are independently responsible for obtaining valid consent.
Where the use of cookies and trackers involve several operators, those operators can either be considered separate controllers, joint controllers or processors. An operator is considered a joint controller when it jointly, along with one or more other operator(s) (also acting as controller(s)), determines the purposes and means of processing. Under Article 26 GDPR, joint controllers are required to establish their respective compliance obligations in a transparent manner and to enter into an arrangement (a contract) about it. The CNIL’s new guidelines specifically refer to Article 26, and state that this requirement applies, in particular, to the collection and demonstration of valid consent. An operator is considered a processor when it uses cookies and trackers exclusively on behalf of the controller and does not use the collected data for its own purposes.
Exemptions
The guidelines do not require prior consent:
- when a publisher of a website or an application uses cookies and/or trackers to measure traffic or test different versions of the site or application;
- when cookies or trackers are used exclusively to facilitate communication by electronic means; or
- when the use of cookies or trackers is strictly necessary to provide an electronic communication service specifically requested by the user.
Regarding cookies and/or trackers used to measure traffic or test different versions of the site or application, the CNIL guidelines provide that the purpose of the system measuring traffic, to be exempted, must be limited to (i) audience measurement of the content viewed in order to allow the evaluation of published content and the ergonomics of the site or application, (ii) segmentation of the website audience into cohorts in order to evaluate the effectiveness of editorial choices, without this leading to targeting a single individual and (iii) dynamic modification of a site in a global way. The personal data collected must not be cross-referenced with other processing operations (customer data or statistics on visits to other sites, for instance) or provided to third parties. The use of trackers must also be strictly limited to the production of anonymous statistics. The scope of such system must be limited to a single website or mobile application publisher and must not allow the tracking of the website user’s browsing on other websites or mobile applications.
Users must, however, still be informed about the existence of such cookies or trackers and their purpose.
Grace Period
Operators have six months from the publication of the CNIL’s final guidelines, (expected at the beginning of next year) to comply with the new rules. Notwithstanding this grace period, however, the CNIL will continue to monitor and enforce compliance with existing and unchanged data protection rules.
Authored by Patrice Navarro
