The CNIL’s new Guidelines and Recommendations on cookies and other trackers

With the deliberations of 17 September 2020, the CNIL adopted new guidelines on cookies and other trackers, which it complemented with recommendations to facilitate their implementation, in particular for configurations specific to web environments and mobile applications. These recommendations are neither prescriptive nor exhaustive and are intended solely to help the professionals concerned in their efforts to achieve compliance. The new guidelines replace those the Conseil d'Etat had deemed partially invalid in a decision of 20 June 2020, due to the general and absolute ban on cookie walls they contained(for more information on this subject we refer you to our blog post on this subject).

Scope of the guidelines

The CNIL guidelines are applicable to any operation aimed at accessing information stored in the user's terminal equipment, or at writing information on this equipment. This definition is deliberately broad and aims to encompass a maximum number of devices without prejudice to their operating system or the application software used. The CNIL particularly insists on the applicability of these guidelines to HTTP cookies, but also to other technologies such as "local shared objects" (Flash cookies), the "local storage" of the HTML5 standard, identification by terminal fingerprinting, identifiers generated by operating systems (whether or not they are advertising: IDFA, IDFV, Android ID, etc.), hardware identifiers (MAC address, serial number or any other device identifier), etc. 

Furthermore, these guidelines apply to the processing of data, whether personal within the meaning of the GDPR or not. "The provisions of Article 5(3) of the ePrivacy Directive, and thus of the provisions of the French Data Protection Act which transpose them, are indeed applicable to such operations regardless of whether the data concerned are personal or not".

Consent

In the context of these guidelines, consent must be understood as defined in the GDPR, i.e.: " any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, " agrees to the processing of data relating to him or her. The CNIL also indicates in its recommendations that the absence of consent by the user must be understood as a refusal and, therefore, that no information reading or writing operation can take place. Finally, the CNIL recommends that the possibility for the user/subscriber to withdraw consent must be available at all times and easily identifiable. The CNIL suggests a specific link to a dedicated page that is easily identifiable and permanently available on the home page of the site or application. 

Free 

The CNIL points out that making the provision of a service or access to a website subject to the acceptance of cookies and other trackers is likely to infringe, in certain cases, the freedom of consent. With regard to cookie walls, the CNIL now simply indicates that a case-by-case assessment is necessary, and that the information provided to the user on the consequences of acceptance or refusal must be clear. 

Similarly, the CNIL considers that the practice of simultaneously collecting consent for various processing operations with distinct purposes (purposes coupling) is also likely to affect the validity of consent. This is why it recommends collecting consent separately for each purpose. It is of course possible to collect consent globally, but only if all purposes are clearly explained beforehand. The CNIL specifies that information on the purposes of trackers must "be formulated in an intelligible manner, in appropriate language and sufficiently clear to enable users to understand precisely what they are consenting to". It is recommended that "each purpose should be highlighted in a short and prominent title, accompanied by a brief description", such as "Personalised advertising : [name of site/application] [and third party companies/our partners] uses/use trackers to display advertising that is customized to your browsing and profile" if the tracker(s) is/are used to display customized advertising. This brief explanation should be supplemented for more detailed explanations, available upon request by clicking on a dedicated link (e.g. "learn more" or "view more information").

Specific and enlightened 

The CNIL repeats that consent for the use of cookies and trackers can only be collected specifically and not through the overall acceptance of conditions of use.

The information must be provided in simple terms that can be understood by all; therefore any legal terminology should be avoided. The CNIL also recommends that the trackers used should be explicitly named. In addition, the information must be easily accessible. The CNIL recommends the use of a uniform vocabulary as well as the development and use of interfaces with a standardised design that work in the same way. Providing similar tools from one platform to another to manage choices would make it easier for users to properly grasp the information . In general, the interface design should support the user as much as possible, so that he/she understands the information and adapts his/her choices accordingly. On this subject, the CNIL's digital innovation laboratory (LINC) published in 2019 its 6th Innovation and Prospective Paper, La Forme des choix - Données personnelles, design et frictions désirables: une exploration des enjeux du design dans la conception des services numériques, au prisme de la protection des données et des libertés (The Shape of Choices - Personal Data, Design and Desirable Frictions: an exploration of design issues in the design of digital services, through the prism of data protection and freedoms).

Unambiguous

Consent must take the form of a positive action by the user, and therefore the fact of continuing browsing or scrolling through a page does not constitute acceptance of cookies, despite any indication to the contrary. In fact, suitable systems must be put in place to support the expression of the user's choice, such as tick boxes or sliders with clear information. Furthermore, if cookies and other trackers are used on several websites, it is recommended that the user's consent be obtained on each of these websites.

Proof of consent

It is up to the website publisher, as the controller, to demonstrate consent. The CNIL even recommends keeping proof of choice: consent or refusal, for a period of six months (a duration must be modulated appropriately to the nature of the site and the specificities of the audience). It is recommended to keep the proof of refusal, so as to avoid repetitive requests for consent, which could affect the free nature of the consent, as the user may finally consent so that the question is no longer asked. However, the CNIL stresses that if a process is necessary to refuse, it must be as simple as for consent. The option to refuse must be as visible as that of acceptance and on the same window. The design used on the interface must not favour one option over the other. 

Furthermore, it is recommended that the process of obtaining consent be renewed regularly to compensate for any memory lapse on the part of the data subjects.

Qualification of the actors

The use of trackers does not necessarily involve the processing of personal data, although this is often the case. If the use involves a single entity, the website publisher, then the latter is fully responsible. On the other hand, if the trackers are linked to several entities, then each one must determine its status (controller or processor) with regard to the processing in question. 

In any event, the CNIL reminds you that the publisher of a website must be considered as a data controller and is in the best position to provide the necessary information to the user and to collect his consent, including when he subcontracts to third parties the management of these trackers set up on his own behalf. Moreover, third parties who use trackers on a service provided by another organisation must also be considered responsible. It is therefore up to the site publisher to ensure that the rules are complied with and that there is a mechanism for obtaining consent, and to take any useful steps with third parties to put an end to any breach. In such a situation, the mere presence of contractual commitments is not sufficient to demonstrate compliance with the rules. Proof of the existence and validity of consent also rests on it and must be provided.

Data subjects must be informed of the identity of all data controllers. The CNIL recommends that this information be provided at successive levels, the identity, purposes, and categories of data processed.

Trackers exempt from consent

Trackers which exclusive purpose is to enable or facilitate communication by electronic means or which are necessary for the provision of the service expressly requested by the user are exempt from the obligation to obtain consent. However, users must be informed of the installation of trackers on the terminals used.  This exemption applies in particular to trackers which retain the choice expressed by users on the tracker installation, trackers intended for authentication with a service, or trackers for customising the user interface.

If one of these trackers is also used for other purposes, then it is outside the scope of the exemption, and the consent of the user must be sought. For example, a tracer necessary for user authentication could be used for advertising purposes.

The audience measurement trackers

With regard to audience measurement trackers, the CNIL notes that the use of frequentation and/or performance statistics is almost systematically required for the management of a website or application. They may even be necessary for the proper functioning of the website and the provision of the service. In such circumstances, it is not necessary to ask for the user's consent, even if the user must be duly informed of the presence of these trackers. However, they must be strictly limited to the size of the audience and cannot be used to monitor the person concerned. Similarly, the CNIL stresses that "these trackers must only be used to produce anonymous statistical data, and the personal data collected cannot be cross-checked with other processing operations or transmitted to third parties, nor are these operations necessary for the operation of the service". The CNIL also recommends that these trackers should have a limited lifespan relevant to the management of the site but not exceeding thirteen months, and that the information collected should not be kept beyond a period of twenty-five months.

Short anthology of recommendations :

1. The CNIL suggests a specific link to a dedicated page that is easily identifiable and permanently present on the home page of the website or application to manage cookie choices, and the possibility for the user to withdraw consent.
2. The CNIL considers that the validity of cookie walls must be assessed on a case-by-case basis. 
3. It is recommended to use different cookies for each distinct purpose, thus enabling users to distinguish them and ensure that their consent is respected, but also to make reading or writing operations more transparent.
4. In the case of different processing operations, consent for each purpose must be collected separately.
5. Global consent is only possible if all necessary information has been provided to the data subject in advance.
6. The names of the trackers used should be explicit and, if possible, standardised regardless of the actor implementing them.
7. Continuing to browse or scrolling a page does not constitute acceptance of cookies and other trackers, positive action is required for consent to be valid.
8. If cookies and other trackers are used on more than one site, the user's consent be obtained on each of these sites.
9. The CNIL recommends keeping proof of choice: consent or refusal, for six months (a duration must be modulated appropriately to the nature of the site and the specificities of the audience).
10. The reject option should be as visible as the accept option and on the same screen. The design used on the interface must not favour one option over the other.
11. It is not necessary to request the user's consent for cookies and audience or performance trackers if they are necessary for the proper functioning of the site and the provision of the service.