Privacy & Information Security Law Blog

On January 14, 2020, the French Data Protection Authority (the “CNIL”) published its draft recommendations on the practical modalities for obtaining users’ consent to store or read non-essential cookies and similar technologies on their devices (the “Recommendations”). The CNIL also published a set of questions and answers on the Recommendations (“FAQs”).

The Recommendations complete the CNIL’s guidelines on cookies and similar technologies dated July 4, 2019 (the “Guidelines”). The Guidelines are intended to remind everyone of the French rules applicable to the use of cookies and similar technologies (“cookies”) in light of the strengthened consent requirements under the EU General Data Protection Regulation (“GDPR”). These rules apply to both private and public organizations to the extent they set or read cookies on devices located in France. They require users’ prior consent for the use of non-essential cookies. The Recommendations aim at guiding private and public organizations in implementing those rules by: (1) describing the practical modalities to obtain users’ consent; (2) offering concrete examples of user interface to get that consent; and (3) presenting “best practices” that go beyond said rules.

The Recommendations were drafted following a consultation with organizations representing industries in the ad-tech ecosystem and civil-society organizations with a view to identifying cookie consent solutions that would be both pragmatic and privacy friendly. The Recommendations are not binding, nor are they intended to be prescriptive and exhaustive. Organizations may use other methods for obtaining users’ consent so long as these methods comply with the Guidelines.

Key takeaways from the Recommendations include:

• Information on the purposes of the cookies: The purposes of the cookies should be briefly listed in a first layer of information. The Recommendations provide examples of that brief description for the following purposes or types of cookies: (1) targeted or personalized advertising; (2) non-personalized advertising; (3) personalized advertising based on precise geolocation; (4) customization of content or products and services provided by the web publisher; (5) social media sharing; and (6) audience measurement/analytics. This shows the level of detail expected by the CNIL when defining the different categories of cookies. Furthermore, the list of purposes referred to in the first layer of information should be supplemented by a more detailed description of those purposes, which should be directly accessible in the first layer, for example, through a drop-down button or a hyperlink.
• Information on the data controllers: An exhaustive list of data controllers should also be directly accessible in the first layer of information, for example, through a drop-down button or a hyperlink. If users click on that hyperlink or button, they should obtain specific information on the data controllers (name and link to their privacy policy). Web publishers may not have to list all the third parties setting cookies on their site or app. Only those acting as data controllers should be listed, which means that the role of the parties (as a data controller, joint data controller, or data processor) should be assessed for each cookie. This list of data controllers should be regularly updated and permanently accessible (e.g., within the cookie consent mechanism that would be available through a static icon or a hyperlink at the bottom of each web page). In the case of a “substantial” addition of data controllers, users’ consent should be sought again.
• Real choice between accepting or refusing cookies: Users must be offered a real choice between accepting or refusing cookies through two checkboxes (not pre-checked) or buttons (“accept” / “refuse,” “allow” / “deny,” etc.) or equivalents such as “on”/ “off” sliders that should be deactivated by default. These checkboxes, buttons or sliders should be of the same format and presented at the same level. Users should have such choice for each type or category of cookies.
• Possibility for users to delay that choice: A “cross” button should be inserted to allow users to close the consent interface, and not to make a choice. In that case, no cookies subject to consent should be set. Consent could be sought again until users make a choice and accept or refuse cookies.
• Overall consent covering several sites: It is acceptable to seek users’ consent for a group of sites—rather than individually for each site—if users are informed of the exact scope of their consent (i.e., if they are provided with a list of sites to which their consent applies), and if they have the opportunity to reject all cookies altogether on those sites (e.g., if a “Reject All” button is included, together with the “Accept All” button). More generally, the examples provided in the Recommendations include three buttons: “Personalize my choices” (whereby users may make a more granular choice per purpose or type of cookies), “Reject All,” and “Accept All.”
• Duration of the validity of consent: It is best practice to get users’ renewed consent at regular intervals. As a rule, the CNIL considers that a period of 6 months would be appropriate.
• Demonstrating consent: Data controllers should be able to provide (1) individual evidence of users’ consent, and (2) evidence that their consent mechanism allows the gathering of valid consent.
  • Individual evidence of consent: Consent could be recorded by using a cookie to store the user’s choice. In addition, the following information should be recorded: (1) a timestamp to show when the user consented; (2) the context in which consent was gathered (identification of the site or app concerned); (3) the type of consent mechanism used; and (4) the purposes to which the user consented.
  • Evidence of the validity of consent: Such evidence may be obtained by keeping a screenshot of the visual aspect of the mechanism on a computer or mobile device for each version of the site or app, or by carrying out regular audits of the consent mechanisms implemented on the sites or apps where consent is sought.

In terms of next steps, the Recommendations are open to public consultation until February 25, 2020. A new version of the Recommendations will then be submitted, for adoption, to the CNIL’s members during a plenary session. The CNIL will carry out inspections to enforce the Guidelines after a period of six months following the adoption of the Recommendations. In addition, the final Recommendations may be updated and completed over time to take into account new technological developments and the responses to the questions raised by professionals and individuals on this topic.

View the CNIL’s Recommendations and FAQs (currently only available in French).