With many businesses relying on cookies and other similar technologies to provide online services and offer tailored adverts to internet users, and with guidance on their use evolving over time, legal teams operating in France need to be ready to answer questions around cookies posed by their colleagues in marketing and ensure they are prepared to respond to any queries from the Commission nationale de l'informatique et des libertés (CNIL).
We have put together some 'frequently asked questions' to guide businesses towards compliance with applicable laws, regulations, and soft-law in France.
Co-written by Anne-Sophie Mouren and Clémence Marolla of Pinsent Masons.
Anne-Sophie Mouren
Managing Senior Associate
You must have regularly updated records, through your data processing registry, of all the cookies you use – both those requiring consent and those that do not – as well as the reasons why you consider that several cookies do not require the user's prior consent
The use of cookies to track the browsing and interests of web users has become predominant. EU data protection authorities are worried that data subjects are not always informed or have properly consented to the deposit of cookies on their devices.
The concept of 'consent' is central to 'cookies law' – more formally known as the e-Privacy Directive – in the EU. In general, businesses wishing to use cookies "to store information or to gain access to information stored in the terminal equipment of a subscriber or user" must obtain that individual's consent to do so, although exceptions exist to the need for consent where the activity is 'strictly necessary' or solely relates to the transmission of communication over the network.
The "consent" requirement under the e-Privacy Directive needs to be interpreted in light of EU data protection law. Indeed, the introduction of the General Data Protection Regulation (GDPR) has led data protection authorities to clarify the definition of cookies consent. Notably, the European Data Protection Board (EDBP), which is the authority composed of all the national data protection authorities from across EU member states, clarified some points regarding cookies in its guidelines issued in May 2020, on the definition of consent
Demonstrating its willingness to further protect internet users, the CNIL adopted new guidelines on 17 September 2020 regarding the use of cookies and other trackers (the CNIL guidelines).
The CNIL also issued recommendations (the CNIL recommendations) to illustrate the principles that are provided in the guidelines. The CNIL recommendations provide interesting examples of practical implementations meeting the CNIL’s expectations regarding the use of cookies, including how to present the cookies' purposes; and what consent mechanisms should look like. These recommendations are non-binding and only aim to provide professionals with good practices to follow.
In its 2019 cookies guidelines, the CNIL banned the use of cookie walls in France This led marketing and online merchant associations to challenge the ban, as well as other points of the guidelines, before the French Council of State, the highest public jurisdiction in France.
The Council of State considered that the CNIL exceeded its power by stating a general and absolute ban on 'cookie walls'. It concluded that the CNIL had exceeded its power to issue soft law and that it was not entitled to strictly prohibit a practice such as cookie walls.
The CNIL was consequently under the obligation to amend its guidelines to reflect the Council of State's decision, as further detailed in question 8 below.
The 2020 guidelines replace the CNIL's former guidelines from 4 July 2019. It is the third set of guidance published by the CNIL on cookies, with the first one dated back to 2013.
In order to have a global view on the subject, the new principles included within the 2020 guidelines must be assessed in comparison with the 2013 guidelines.
The major new requirements can be summarised as follows:
The CNIL's decision to issues recommendations containing practical examples of what it expects from cookie users is also an innovation that will help them better understanding the CNIL's expectations.
| Question | Answer |
|---|---|
| …I’m only using strictly necessary cookies? | Yes. This only means that you use cookies that do not require the user's prior consent. The rest of the requirements detailed in the CNIL's guidelines continue to apply. The CNIL recommendations are also relevant for these cookies. |
| … I am a public organisation? | Yes. Private organisations and public organisations are subject to the e-Privacy Directive, GDPR and the French Data Protection Act. The CNIL's guidelines and recommendations therefore also apply to public organisations using cookies. |
| … there are no cookies or trackers on my websites? | No. The guidelines and recommendations expressly apply to the use of cookies or trackers. |
| … I only have social media buttons on my website? | Yes. These buttons rely on cookies or other technologies to track the user's activities and must therefore be used in compliance with the guidelines. |
| … I only use an audience measurement tool? | Yes. The CNIL guidelines detail under what conditions audience measurement tools can be excluded from the obligation to obtain the user's prior consent. They also remind that the rest of the GDPR obligations apply, as these tools process personal data. |
| … the cookies on my websites are only advertising cookies which are operated by third parties? | Yes. The CNIL guidelines provide that as a general rule, the website’s editors are the most likely to provide the information to the users since they are in direct contact with them. As the website editor, you have several responsibilities including but not limited to ensuring that a mechanism has been duly implemented on the website to gather the user's consent to cookies, where applicable. |
| … I outsourced the management of the cookies implemented on my website to third parties? | Yes. In principle, as the editor of a website which deposits cookies, you will qualify as the data controller and shall ensure that you process data through cookies in compliance with the guidelines and all applicable regulations. |
| … the trackers I use on my website do not collect personal data? | Yes. The CNIL expressly stated that its guidelines apply to the reading and writing operations – as listed in said guidelines – of any information stored or accessed in terminal equipment, whether or not they are personal data within the meaning of the GDPR. |
There are similarities between the new 2020 CNIL guidelines and the 2019 version it published, but the 2020 version offers useful clarifications and updates on some core concepts.
For instance, regarding the "consent" definition, the CNIL largely updated sections from the 2019 version dedicated to the free and specific consent requirements. The 2020 guidelines also added details on the joint liability of data controllers where several actors are involved in the use of cookies on a website.
Regarding the settings of internet browsers, the CNIL simplified its wording: the guidelines now provide that since, to date, browsers settings are not enable to distinguish the trackers' purposes, it is not possible to rely on them to guarantee the freedom of consent.
The CNIL also provides detailed information on trackers that do not require consent. Previously, the guidelines were only focusing on audience measurement cookies. The 2020 guidelines enlist all the cookies exempted from consent, including audience measurement cookies meeting specific conditions.
Where cookies require the data subject's consent, that consent must comply with Article 82 of the French Data Protection Act and Article 4 of the GDPR. This means that the user must have given their consent to the deposit of cookies under the following conditions:
You should always ensure that the following information is provided to your users before gathering their consent:
In the CNIL's guidelines, the authority no longer states that cookie walls are prohibited: it tempered its position by stating that cookie walls are likely to infringe in some cases the freedom of consent, but that their lawfulness shall be assessed on a case-by-case basis.
The CNIL has contemplated situations where cookie walls might be used and declared that, in such cases, and subject to the lawfulness of this practice which shall be assessed on a case-by-case basis, the users must be clearly informed of the consequences of their choices, and especially of the fact that they will not be able to access the content or service without consent.
To summarise, the CNIL has reframed what it previously said was a prohibition on cookie walls into an extremely light acknowledgement of their potential lawfulness, depending on the circumstances and provided that the conditions of a free consent are met. The CNIL clearly reserves its right to assess each situation separately to check whether the cookie walls used are lawful under French law or not.
In any case, even though cookie walls are not automatically prohibited, we anticipate that their lawfulness will not be easy to demonstrate: especially since in the CNIL recommendations the CNIL provides that consent is valid only if users can freely choose to give or not their consent. This is unlikely to be the case in the context of cookie walls since, by definition, users cannot refuse cookies if they wish to access the concerned website or service.
We will need to wait for the CNIL to issue specific decisions, and potential sanctions, on cookie walls in the future to better understand what practices it considers as lawful or not.
In the meantime, businesses considering using cookie walls in France should proceed with precaution.
| Question | Answer |
|---|---|
| … gather the consent of users through my T&Cs tick box? | No. This is because the consent to cookies would not be specific, and because the consent would not be considered as given freely. See our answer to question 6 for additional details. |
| … consider that by browsing or scrolling my website, users have given their valid consent to cookies? | No. The CNIL specifically provides that browsing or scrolling a website cannot be considered as a clear and positive action qualifying as a valid consent. |
| … refuse to provide access to my website if users refuse the use of cookies? | We believe that, in most cases, this will be unlikely. Indeed, the CNIL considers that "conditioning the provision of a service or access to a website to the acceptance of writing or reading operations on the user's terminal (i.e. 'cookie wall') is likely to breach, in some cases, the freedom of consent". Each situation will be assessed on a case by case basis, but it will be unlikely that the user's consent would be considered as freely given if they are fully denied access to a website. |
| … request the user's consent to cookies each time the user visits my website? | No, except in very specific situations that require to be documented and justified. The CNIL considers that a consent renewal period must be set on a case by case basis, which means that the user's consent must not be requested before the expiry of said renewal period. In this respect, the CNIL considers that a good practice is to remember its user's choices for six months. |
| … rely on the user's navigation settings? | No. The CNIL considers that internet browser settings cannot guarantee that the consent of the user is valid according to the conditions around consent set by the GDPR. However, should technology evolve, this could change. |
| … start setting non-essential cookies on my users' devices before consent is obtained? | No. Cookies that are non-essential – i.e. cookies that are not exempted from the consent requirement – should not be set until consent has been expressly given. |
| ... avoid specifying the purpose/ functionality of the cookies I use? | No. As mentioned earlier, the CNIL considers that in order to be considered as valid consent, internet users must be able to accept or refuse cookies based on their purpose. |
The CNIL considers that consent should come exclusively from a positive act. Therefore, any inaction must be understood as a refusal to use cookies.
The only case where an organisation can set cookies is where the internet users have accepted the deposit of cookies, other than where the cookies concerned are exempted from the prior consent requirement.
As a reminder, cookies exempted from the prior consent requirement are the cookies which:
In order to document your cookie compliance, you must first draft and make easily available to your users a cookie policy that will summarise all the relevant information about your cookies.
In addition, you will need to be able to prove that the users' consent was validly requested and obtained. In this respect, the CNIL's recommendation suggest several solutions. For example, a screenshot of the consent mechanism implemented on the website can be kept and time-stamped for each version of the site.
To comply with the GDPR's accountability principle, you must keep up to date an exhaustive records of your cookie-related activities: this means that you must have regularly updated records, through your data processing registry, of all the cookies you use – both those requiring consent and those that do not – as well as the reasons why you consider that several cookies do not require the user's prior consent.
Breaching the CNIL guidelines could, where the violations can be read across to a breach of provisions under the GDPR, lead to fines of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
The CNIL's recommendations are non-binding. However, in practice, the CNIL has a power of sanction and is likely to use its recommendations as a point of reference. Therefore, even if the non-compliance with the recommendations cannot by itself justify a sanction, they could potentially be used to characterise a non-compliance with the applicable regulations.
The CNIL announced that its 2020 guidelines must be complied with at the latest within six months of their publication, i.e. at the latest at the end of March 2021.
However, CNIL said that it will take into consideration the operational difficulties faced by cookie users due to the current pandemic period and that it will give priority to supporting them in their efforts to achieve compliance rather than before pursuing enforcement options. However, this leniency does not apply to the obligations that were already applicable prior to the entry into force of the GDPR and which were detailed in the CNIL’s former 2013 guidance.
The CNIL already announced that its 2021 controls will be carried out according to two phases:
Considering the timeline set by the CNIL, your next steps should be as follows, by priority order:
To meet the CNIL's preferred practices as explained in its recommendations, organisations could implement a consent management platform which pops-up when the user first visits their website.
This consent management platform should list, as a first step, all the purposes of the cookies used, and, as a second step, offer the possibility to get more information on said purposes, for example through a clickable link. Users should be presented with the option to accept or refuse cookies for each purpose.
As a first step, the number of data controllers as well as their role in the processing could be provided and, as a second step, users could be provided with the exhaustive and updated list of the data controllers with their identification and the link to their privacy policy.
The consent mechanism should be set to refusal by default and sliders could be used to help users understanding their choices.
The consent management platform and all the information listed above should also be accessible at any time from the website and easy to find.
The CNIL recommendations provide other options and should be used as a point of reference to define your cookie compliance strategy.
The legal requirements applicable to cookies in France originate from the transposition in France of the e-Privacy Directive of 2002, as amended in 2009. Plans for a new e-Privacy Regulation were published by the European Commission in 2017. The Regulation would update the principles set forth in the Directive, bring e-Privacy framework into line with the changes brought about by the GDPR and reflect the reality of the current use of cookies online.
However, while MEPs in the European Parliament adopted their position on the draft legislation back in 2017, the other EU law making body – the Council of Ministers – has yet to reach consensus internally on the proposed reforms, meaning negotiations on finalising a new Regulation have yet to commence.
Previously, the French Data Protection Act and the CNIL's documentation influenced the drafting of the GDPR, so it is possible that the CNIL's cookies guidelines influence the evolution of the draft e-Privacy Regulation.
Contact an adviser
