On January 14, 2020, the French Data Protection Authority (the “CNIL”) published its draft recommendations on the practical modalities for obtaining users’ consent to store or read non-essential cookies and similar technologies on their devices (the “Recommendations”). The CNIL also published a set of questions and answers on the Recommendations (“FAQs”).
The Recommendations complete the CNIL’s guidelines on cookies and similar technologies dated July 4, 2019 (the “Guidelines”). The Guidelines are intended to remind everyone of the French rules applicable to the use of cookies and similar technologies (“cookies”) in light of the strengthened consent requirements under the EU General Data Protection Regulation (“GDPR”). These rules apply to both private and public organizations to the extent they set or read cookies on devices located in France. They require users’ prior consent for the use of non-essential cookies. The Recommendations aim at guiding private and public organizations in implementing those rules by: (1) describing the practical modalities to obtain users’ consent; (2) offering concrete examples of user interface to get that consent; and (3) presenting “best practices” that go beyond said rules.
The Recommendations were drafted following a consultation with organizations representing industries in the ad-tech ecosystem and civil-society organizations with a view to identifying cookie consent solutions that would be both pragmatic and privacy friendly. The Recommendations are not binding, nor are they intended to be prescriptive and exhaustive. Organizations may use other methods for obtaining users’ consent so long as these methods comply with the Guidelines.
Key takeaways from the Recommendations include:
- Information on the purposes of the cookies: The purposes of the cookies should be briefly listed in a first layer of information. The Recommendations provide examples of that brief description for the following purposes or types of cookies: (1) targeted or personalized advertising; (2) non-personalized advertising; (3) personalized advertising based on precise geolocation; (4) customization of content or products and services provided by the web publisher; (5) social media sharing; and (6) audience measurement/analytics. This shows the level of detail expected by the CNIL when defining the different categories of cookies. Furthermore, the list of purposes referred to in the first layer of information should be supplemented by a more detailed description of those purposes, which should be directly accessible in the first layer, for example, through a drop-down button or a hyperlink.
- Information on the data controllers: An exhaustive list of data controllers should also be directly accessible in the first layer of information, for example, through a drop-down button or a hyperlink. If users click on that hyperlink or button, they should obtain specific information on the data controllers (name and link to their privacy policy). Web publishers may not have to list all the third parties setting cookies on their site or app. Only those acting as data controllers should be listed, which means that the role of the parties (as a data controller, joint data controller, or data processor) should be assessed for each cookie. This list of data controllers should be regularly updated and permanently accessible (e.g., within the cookie consent mechanism that would be available through a static icon or a hyperlink at the bottom of each web page). In the case of a “substantial” addition of data controllers, users’ consent should be sought again.
- Real choice between accepting or refusing cookies: Users must be offered a real choice between accepting or refusing cookies through two checkboxes (not pre-checked) or buttons (“accept” / “refuse,” “allow” / “deny,” etc.) or equivalents such as “on”/ “off” sliders that should be deactivated by default. These checkboxes, buttons or sliders should be of the same format and presented at the same level. Users should have such choice for each type or category of cookies.
- Possibility for users to delay that choice: A “cross” button should be inserted to allow users to close the consent interface, and not to make a choice. In that case, no cookies subject to consent should be set. Consent could be sought again until users make a choice and accept or refuse cookies.
- Overall consent covering several sites: It is acceptable to seek users’ consent for a group of sites—rather than individually for each site—if users are informed of the exact scope of their consent (i.e., if they are provided with a list of sites to which their consent applies), and if they have the opportunity to reject all cookies altogether on those sites (e.g., if a “Reject All” button is included, together with the “Accept All” button). More generally, the examples provided in the Recommendations include three buttons: “Personalize my choices” (whereby users may make a more granular choice per purpose or type of cookies), “Reject All,” and “Accept All.”
- Duration of the validity of consent: It is best practice to get users’ renewed consent at regular intervals. As a rule, the CNIL considers that a period of 6 months would be appropriate.
- Demonstrating consent: Data controllers should be able to provide (1) individual evidence of users’ consent, and (2) evidence that their consent mechanism allows the gathering of valid consent.
- Individual evidence of consent: Consent could be recorded by using a cookie to store the user’s choice. In addition, the following information should be recorded: (1) a timestamp to show when the user consented; (2) the context in which consent was gathered (identification of the site or app concerned); (3) the type of consent mechanism used; and (4) the purposes to which the user consented.
- Evidence of the validity of consent: Such evidence may be obtained by keeping a screenshot of the visual aspect of the mechanism on a computer or mobile device for each version of the site or app, or by carrying out regular audits of the consent mechanisms implemented on the sites or apps where consent is sought.
In terms of next steps, the Recommendations are open to public consultation until February 25, 2020. A new version of the Recommendations will then be submitted, for adoption, to the CNIL’s members during a plenary session. The CNIL will carry out inspections to enforce the Guidelines after a period of six months following the adoption of the Recommendations. In addition, the final Recommendations may be updated and completed over time to take into account new technological developments and the responses to the questions raised by professionals and individuals on this topic.
View the CNIL’s Recommendations and FAQs (currently only available in French).
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code