Privacy & Information Security Law Blog

On July 18, 2019, the French Data Protection Authority (the “CNIL”) published new guidelines on cookies and similar technologies (the “Guidelines”). As announced by the CNIL in its action plan on targeted advertising for 2019-2020, its 2013 cookie guidance is no longer valid in light of the strengthened consent requirements of the EU General Data Protection Regulation (“GDPR”). The Guidelines therefore repeal the CNIL’s 2013 recommendations on cookies and reconceive the rules applicable to the use of cookies and similar technologies in France, as they take shape from (1) the provisions of the EU ePrivacy Directive as implemented under French law, and (2) the GDPR consent requirements.

Key takeaways from the Guidelines include:

• Scope: The Guidelines apply to any technology that stores or accesses information on any user device connected to a telecommunications network open to the public, such as tablets, smartphones, laptops/computers, game consoles, and connected vehicles. This includes the use of HTTP cookies and similar technologies (e.g., HTML5 local storage, Local Shared Objects, fingerprinting techniques, identifiers generated by operating systems (IDFA, IDFV, Android ID, etc.) and device identifiers (MAC address, serial number or any other device ID)).
• Requirements for valid consent: The Guidelines  reiterate that consent must be freely given, specific, informed and unambiguous, and must result from a clear affirmative action of the user.
  • Freely given: “Cookie walls” that prevent users who do not consent from accessing a site or mobile app are unlawful.
  • Specific: Users must be able to consent to each purpose or type of cookies. If it is acceptable to seek users’ overall consent (e.g., by an “accept all” button), users also must have the possibility to give granular consent for each purpose.
  • Informed: Users must be informed of at least the identity of the data controller(s), the purpose(s) of the use of cookies and similar technologies, and the existence of their right to withdraw consent. In addition, users must be able to identify all the entities using cookies and similar technologies before giving consent. An exhaustive and regularly updated list of such entities must be made available to users when seeking consent.
• Unambiguous/clear affirmative action: Merely continuing to browse a site or mobile app or scroll down the page of a site or mobile app can no longer be considered valid consent.
• Demonstrating consent: Businesses using cookies and similar technologies must implement mechanisms that allow them to demonstrate - at any time - that valid consent was obtained. If they do not obtain consent themselves, relying on a contract term requiring one operator to obtain valid consent on behalf of the other is insufficient to show valid consent was obtained.
• Role of the different parties who contribute to the setting/reading of cookies: Following the 2018 ruling of the Court of Justice of the EU in Wirtschaftsakademie, the Guidelines recognize that, where the use of cookies and similar technologies involve several operators, those operators can be considered separate data controllers, joint data controllers or data processors. Operators acting as joint data controllers are required to execute an Article 26 GDPR agreement determining their respective compliance obligations.
• Use of browser settings: Browser settings continue to be inadequate grounds for claiming valid consent.
• Exemption for analytics cookies: Analytics cookies may be exempt from the consent requirement, subject to strict conditions.
• Sanctions: The CNIL may impose any corrective measures and sanctions on businesses subject to French law independent of the application of the GDPR cooperation and consistency mechanism, as the cookies rules result from the implementation of EU ePrivacy Directive in national law.

In terms of next steps, the Guidelines will be followed by sectoral recommendations on the practical modalities to obtain users’ consent. Once published, the recommendations will be open to public consultation. The final version of the recommendations is expected to be released in the first quarter of 2020. The CNIL will then allow for a transition period of six months to comply with the Guidelines and new recommendations.