The only case where an organisation can set cookies is where the internet users have accepted the deposit of cookies, other than where the cookies concerned are exempted from the prior consent requirement.
As a reminder, cookies exempted from the prior consent requirement are the cookies which:
- have the sole purpose of carrying out the transmission or facilitating the transmission of a communication over an electronic communications network, or;
- are strictly necessary for the provision of an online communication service expressly requested by the user.
In addition, you will need to be able to prove that the users' consent was validly requested and obtained. In this respect, the CNIL's recommendation suggest several solutions. For example, a screenshot of the consent mechanism implemented on the website can be kept and time-stamped for each version of the site.
To comply with the GDPR's accountability principle, you must keep up to date an exhaustive records of your cookie-related activities: this means that you must have regularly updated records, through your data processing registry, of all the cookies you use – both those requiring consent and those that do not – as well as the reasons why you consider that several cookies do not require the user's prior consent.
Breaching the CNIL guidelines could, where the violations can be read across to a breach of provisions under the GDPR, lead to fines of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
The CNIL's recommendations are non-binding. However, in practice, the CNIL has a power of sanction and is likely to use its recommendations as a point of reference. Therefore, even if the non-compliance with the recommendations cannot by itself justify a sanction, they could potentially be used to characterise a non-compliance with the applicable regulations.
The CNIL announced that its 2020 guidelines must be complied with at the latest within six months of their publication, i.e. at the latest at the end of March 2021.
However, CNIL said that it will take into consideration the operational difficulties faced by cookie users due to the current pandemic period and that it will give priority to supporting them in their efforts to achieve compliance rather than before pursuing enforcement options. However, this leniency does not apply to the obligations that were already applicable prior to the entry into force of the GDPR and which were detailed in the CNIL’s former 2013 guidance.
The CNIL already announced that its 2021 controls will be carried out according to two phases:
- As a first step, the controls will be focusing on the compliance with the principles issued from the prior 2013 guidelines;
- As a second step, from the end of March 2021, the CNIL will perform controls on the application of the 2020 guidelines.
Considering the timeline set by the CNIL, your next steps should be as follows, by priority order:
- make sure that you already comply with the principles applicable since 2013, as this will be the CNIL's first main target;
- create, or ideally just update, the mapping of your cookies activities to ensure that you covered them all and reflect the result of this mapping in your data protection registry;
- identify all the cookies used on your websites for which consent is required and assess whether the consent process complies with the 2020 guidelines;
- review your privacy and cookie policies to double check that it is in line with the 2020 guidelines;
- raise the awareness of your teams, in particular those involved in marketing activities, on the requirements applicable to cookies, through internal policies and/or training;
- set and draft an internal process to renew the user's consent to cookies at relevant intervals.
To meet the CNIL's preferred practices as explained in its recommendations, organisations could implement a consent management platform which pops-up when the user first visits their website.
Information on cookies purposes
Identification of the data controllers
The consent mechanism should be set to refusal by default and sliders could be used to help users understanding their choices.
The consent management platform and all the information listed above should also be accessible at any time from the website and easy to find.
The CNIL recommendations provide other options and should be used as a point of reference to define your cookie compliance strategy.
However, while MEPs in the European Parliament adopted their position on the draft legislation back in 2017, the other EU law making body – the Council of Ministers – has yet to reach consensus internally on the proposed reforms, meaning negotiations on finalising a new Regulation have yet to commence.
Previously, the French Data Protection Act and the CNIL's documentation influenced the drafting of the GDPR, so it is possible that the CNIL's cookies guidelines influence the evolution of the draft e-Privacy Regulation.