Out-Law News | 29 Jul 2019 | 3:56 pm | 1 min. read
Website operators cannot cut consumers off from their services when those consumers do not consent to the use of 'cookies', France's data protection authority has said.
CNIL confirmed its position in new cookies guidance it has published. It said website operators must "leave the possibility to users to access the service even in case of refusal to consent".
EU rules set out in the Privacy and Electronic Communications (e-Privacy) Directive state that storing and accessing information on users' computers is, generally, only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing".
An exception to the consent requirements exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user.
CNIL's new guidance also addresses the question of identifying the data controller or controllers when several entities are involved in the deposit and reading of the cookies’ data, and the CNIL has further confirmed that internet users that navigate beyond the homepage cannot be considered to have provided their consent to the place of cookies on their devices, Paris-based data privacy expert Annabelle Richard of Pinsent Masons, the law firm behind Out-Law, said.
According to CNIL, it will issue a more detailed recommendation on how the new consent rules work in practice for cookies in the first quarter of 2020. A draft recommendation will be published following a six month consultation exercise, and a final recommendation issued following a further six week consultation, it said.
Businesses will have six months from the date on which the final recommendation is issued to adapt their practices to comply with the new requirements, CNIL said. The regulator confirmed, though, that it could still raise enforcement against businesses during the six month transition period in relation to aspects of the cookies regime which have not been modified by the new consent rules.
The UK's Information Commissioner's Office (ICO) also recently updated its own guidance on cookies. Both the ICO and CNIL chose to issue refreshed guidance despite the prospect of reforms to the EU e-Privacy rules.
18 Jul 2019