On June 28, 2019, the French Data Protection Authority (CNIL) released its 2019-2020 action plan on ad targeting (action plan);1 among other things, the CNIL announced that it will issue new cookie guidance later this month and that, once the guidance is published, companies will have a 12-month grace period to come into compliance.
When the General Data Protection Regulation (GDPR) became effective on May 25, 2018, it imposed stricter conditions for obtaining valid consent to process personal data. In short, consent must be freely given, specific, informed, and unambiguous. Individuals must also be able to withdraw their consent at any time. The European Data Protection Board (EDPB) issued guidelines to further clarify the “do’s and don’ts” for obtaining valid consent (consent guidelines), including that scrolling down or swiping through a website is not enough to obtain valid consent. Rather, consent must be obtained via a clear and affirmative action, such as clicking on an “I agree” button.
The CNIL’s action plan addresses three key issues, which are outlined below:
- Online marketing: the adjustment period is over. In December 2018, the CNIL updated its guidance on when and how to obtain valid consent for online marketing to align it with the GDPR and the consent guidelines. According to the revised guidance, companies sharing personal data with business partners or data brokers need to obtain the individual’s prior consent and let individuals know which partners will receive their data. The CNIL previously provided companies with a six-month transition period to update their practices, but this period is now over.
- Cookies: 12 months to adjust to the new rules. Under the CNIL’s 2013 cookie guidance, scrolling down or swiping through a website was considered to be valid consent. However, the EDPB explicitly excluded this option in its 2018 consent guidelines. Consequently, the CNIL announced that it would update its cookie guidance to require clear and affirmative action. The CNIL will give a 12-month grace period to companies. Setting the example, the CNIL, like the UK Information Commissioner’s Office (ICO) a few days earlier, deleted its cookie banner, and chose “not to deposit any tracking device until the user has actively consented, by going on the cookie management module or directly on content pages.”2
- Practical tips on obtaining consent: new guidance after stakeholder consultation. The CNIL announced that it will consult with adtech stakeholders (publishers, advertisers, ad networks, etc.) during the second half of 2019 and issue new guidance on how to obtain consent by the end of 2019 or early 2020. The new guidance will be subject to a public consultation and companies will have six months following the adoption of the guidance to comply.
Along with other regulators across the EU, the CNIL is reviewing its existing guidance to bring it in line with the GDPR and the EDPB guidelines. The CNIL is being relatively flexible by giving companies time to adjust—in comparison, the ICO, who also recently updated its cookie guidance, does not provide for a transition period. However, by setting transition periods, the CNIL is also setting an agenda for potential enforcement actions. It is expected that by 2020, the CNIL will actively investigate adtech companies’ privacy practices.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues in Europe and beyond, and will monitor closely developments related to adtech in Europe. For more information, please contact Cédric Burton, Jan Dhont, Laura de Boel, Lore Leitner, Nikolaos Theodorakis, Lydia Parnes, Chris Olsen, or another member of the firm’s privacy and cybersecurity practice.
Rossana Fol and Josephine Jay contributed to the preparation of this WSGR post.
Alexandre Lépine, a WSGR litigation intern, also contributed to this article.
1Available at https://www.cnil.fr/en/online-targeted-advertisement-what-action-plan-cnil.