Out-Law Guide | 27 Nov 2020 | 1:03 pm | 19 min. read
With many businesses relying on cookies and other similar technologies to provide online services and offer tailored adverts to internet users, and with guidance on their use evolving over time, legal teams operating in France need to be ready to answer questions around cookies posed by their colleagues in marketing and ensure they are prepared to respond to any queries from the Commission nationale de l'informatique et des libertés (CNIL).
We have put together some 'frequently asked questions' to guide businesses towards compliance with applicable laws, regulations, and soft-law in France.
Co-written by Anne-Sophie Mouren and Clémence Marolla of Pinsent Masons.
The "consent" requirement under the e-Privacy Directive needs to be interpreted in light of EU data protection law. Indeed, the introduction of the General Data Protection Regulation (GDPR) has led data protection authorities to clarify the definition of cookies consent. Notably, the European Data Protection Board (EDPB), which is the authority composed of all the national data protection authorities from across EU member states, clarified some points regarding cookies in its guidelines issued in May 2020, on the definition of consent.
In its 2019 cookies guidelines, the CNIL banned the use of cookie walls in France. This led marketing and online merchant associations to challenge the ban, as well as other points of the guidelines, before the French Council of State, the highest public jurisdiction in France.
The Council of State considered that the CNIL exceeded its power by stating a general and absolute ban on 'cookie walls'. It concluded that the CNIL had exceeded its power to issue soft law and that it was not entitled to strictly prohibit a practice such as cookie walls.
The CNIL was consequently under the obligation to amend its guidelines to reflect the Council of State's decision, as further detailed in question 8 below.
The 2020 guidelines replace the CNIL's former guidelines from 4 July 2019. It is the third set of guidance published by the CNIL on cookies, with the first one dating back to 2013.
In order to have a global view on the subject, the new principles included within the 2020 guidelines must be assessed in comparison with the 2013 guidelines.
The major new requirements can be summarised as follows:
The CNIL's decision to issue recommendations containing practical examples of what it expects from cookie users is also an innovation that will help them better understand the CNIL's expectations.
|… I am a public organisation?||Yes. Private organisations and public organisations are subject to the e-Privacy Directive, GDPR and the French Data Protection Act. The CNIL's guidelines and recommendations therefore also apply to public organisations using cookies.|
|… I only have social media buttons on my website?||Yes. These buttons rely on cookies or other technologies to track the user's activities and must therefore be used in compliance with the guidelines.|
|… I only use an audience measurement tool?||Yes. The CNIL guidelines detail under what conditions audience measurement tools can be excluded from the obligation to obtain the user's prior consent. They also point out that the rest of the GDPR obligations apply, as these tools process personal data.|
|… the cookies on my websites are only advertising cookies which are operated by third parties?||Yes. The CNIL guidelines provide that as a general rule, the website’s editors are the most likely to provide the information to the users since they are in direct contact with them. As the website editor, you have several responsibilities including but not limited to ensuring that a mechanism has been duly implemented on the website to gather the user's consent to cookies, where applicable.|
|… I outsourced the management of the cookies implemented on my website to third parties?||Yes. In principle, as the editor of a website which deposits cookies, you will qualify as the data controller and shall ensure that you process data through cookies in compliance with the guidelines and all applicable regulations.|
|… the trackers I use on my website do not collect personal data?||Yes. The CNIL expressly stated that its guidelines apply to the reading and writing operations – as listed in said guidelines – of any information stored or accessed in terminal equipment, whether or not they are personal data within the meaning of the GDPR.|
There are similarities between the new 2020 CNIL guidelines and the 2019 version it published, but the 2020 version offers useful clarifications and updates on some core concepts.
Regarding the settings of internet browsers, the CNIL simplified its wording: the guidelines now provide that since, to date, browser settings are not able to distinguish the trackers' purposes, it is not possible to rely on them to guarantee the freedom of consent.
The CNIL also provides detailed information on trackers that do not require consent. Previously, the guidelines focused only on audience measurement cookies. The 2020 guidelines list all the cookies exempted from consent, including audience measurement cookies meeting specific conditions.
Where cookies require the data subject's consent, that consent must comply with Article 82 of the French Data Protection Act and Article 4 of the GDPR. This means that the user must have given their consent to the deposit of cookies under the following conditions:
You should always ensure that the following information is provided to your users before gathering their consent:
In the CNIL's guidelines, the authority no longer states that cookie walls are prohibited: it tempered its position by stating that cookie walls are likely, in some cases, to infringe the freedom of consent, but that their lawfulness shall be assessed on a case-by-case basis.
The CNIL has contemplated situations where cookie walls might be used and declared that, in such cases, and subject to the lawfulness of this practice which shall be assessed on a case-by-case basis, the users must be clearly informed of the consequences of their choices, and especially of the fact that they will not be able to access the content or service without consent.
To summarise, the CNIL has reframed what it previously said was a prohibition on cookie walls into an extremely light acknowledgement of their potential lawfulness, depending on the circumstances and provided that the conditions of a free consent are met. The CNIL clearly reserves its right to assess each situation separately to check whether the cookie walls used are lawful under French law or not.
We will need to wait for the CNIL to issue specific decisions, and potential sanctions, on cookie walls in the future to better understand what practices it considers as lawful or not.
In the meantime, businesses considering using cookie walls in France should proceed with caution.
|… gather the consent of users through my T&Cs tick box?||No. This is because the consent to cookies would not be specific, and because the consent would not be considered as given freely. See our answer to question 6 for additional details.|
|… consider that by browsing or scrolling my website, users have given their valid consent to cookies?||No. The CNIL specifically provides that browsing or scrolling a website cannot be considered as a clear and positive action qualifying as a valid consent.|
|… request the user's consent to cookies each time the user visits my website?||No, except in very specific situations that need to be documented and justified. The CNIL considers that a consent renewal period must be set on a case-by-case basis, which means that the user's consent must not be requested before the expiry of said renewal period. In this respect, the CNIL considers that a good practice is to remember users' choices for six months.|
|… rely on the user's navigation settings?||No. The CNIL considers that internet browser settings cannot guarantee that the consent of the user is valid according to the conditions around consent set by the GDPR. However, should technology evolve, this could change.|
|… start setting non-essential cookies on my users' devices before consent is obtained?||No. Cookies that are non-essential – i.e. cookies that are not exempted from the consent requirement – should not be set until consent has been expressly given.|
The only case where an organisation can set cookies is where the internet users have accepted the deposit of cookies, other than where the cookies concerned are exempted from the prior consent requirement.
As a reminder, cookies exempted from the prior consent requirement are the cookies which:
In addition, you will need to be able to prove that the users' consent was validly requested and obtained. In this respect, the CNIL's recommendations suggest several solutions. For example, a screenshot of the consent mechanism implemented on the website can be kept and time-stamped for each version of the site.
To comply with the GDPR's accountability principle, you must keep exhaustive, up-to-date records of your cookie-related activities: this means that you must have regularly updated records, through your data processing registry, of all the cookies you use – both those requiring consent and those that do not – as well as the reasons why you consider that several cookies do not require the user's prior consent.
Breaching the CNIL guidelines could, where the violations can be read across to a breach of provisions under the GDPR, lead to fines of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
The CNIL's recommendations are non-binding. However, in practice, the CNIL has a power of sanction and is likely to use its recommendations as a point of reference. Therefore, even if the non-compliance with the recommendations cannot by itself justify a sanction, they could potentially be used to characterise a non-compliance with the applicable regulations.
The CNIL announced that its 2020 guidelines must be complied with at the latest within six months of their publication, i.e. at the latest at the end of March 2021.
However, the CNIL said that it will take into consideration the operational difficulties faced by cookie users due to the current pandemic period and that it will give priority to supporting them in their efforts to achieve compliance rather than pursuing enforcement options. However, this leniency does not apply to the obligations that were already applicable prior to the entry into force of the GDPR and which were detailed in the CNIL’s former 2013 guidance.
The CNIL has already announced that its 2021 controls will be carried out in two phases:
Considering the timeline set by the CNIL, your next steps should be as follows, in order of priority:
To meet the CNIL's preferred practices as explained in its recommendations, organisations could implement a consent management platform which pops up when the user first visits their website.
The consent mechanism should be set to refusal by default and sliders could be used to help users understand their choices.
The consent management platform and all the information listed above should also be accessible at any time from the website and easy to find.
The CNIL recommendations provide other options and should be used as a point of reference to define your cookie compliance strategy.
However, while MEPs in the European Parliament adopted their position on the draft legislation back in 2017, the other EU law making body – the Council of Ministers – has yet to reach consensus internally on the proposed reforms, meaning negotiations on finalising a new Regulation have yet to commence.
Previously, the French Data Protection Act and the CNIL's documentation influenced the drafting of the GDPR, so it is possible that the CNIL's cookies guidelines influence the evolution of the draft e-Privacy Regulation.