On July 18, 2019, the French Data Protection Authority (CNIL) issued new guidance on the use of cookies and similar tracking technologies (collectively referred to as “cookies” below).[1] The guidance clarifies the instances in which companies must obtain consent for the use of cookies and specifies the requirements for obtaining consent.

Background

The e-Privacy directive generally requires website publishers and third parties who collect data via cookies to obtain users’ prior consent. In 2013, the CNIL issued guidance on how companies may obtain such consent. However, the General Data Protection Regulation (GDPR), which became effective in 2018, imposes stricter conditions for obtaining valid consent. The European Data Protection Board (EDPB) has provided further clarification of the consent requirements. The CNIL has now updated its 2013 cookie guidance to bring it in line with the new consent requirements of the GDPR and the guidelines of the EDPB.[2]

The new CNIL guidance applies to the storing of “information” (not only personal data), and the access to information already stored, on any device connected to a public telecommunications network, including computers, smartphones, tablets, consoles, connected TVs, connected vehicles, voice assistants, etc. In other words, it applies to all types of tracking technology installed on users’ hardware, regardless of whether they collect personal data or not.

Conditions for Valid Opt-In Consent

According to the CNIL, where opt-in consent is required, consent is only valid if it is:

  1. Freely given. Consent is not freely given if the individual is unable to refuse or withdraw consent without suffering a significant disadvantage. The CNIL states that blocking access to a website unless the user provides consent to the use of cookies—so-called cookie walls—meets the significant disadvantage standard and is therefore not compliant with the GDPR. Interestingly, the UK Data Protection Authority (ICO) in its cookie guidance of July 5, 2019 takes a different view, allowing cookie walls to be used in limited circumstances.[3]
  2. Specific. Individuals must be able to provide consent independently and specifically for each data processing. According to the CNIL, providing consent for different cookies with the same click is acceptable, but only if the cookies serve the same purpose. Consent for cookies cannot be obtained by asking the user to accept general terms and conditions, as this would not allow them to make a separate decision for each specific purpose.
  3. Informed. The CNIL specifies the elements of the notice to be provided to individuals before they consent to the installation of cookies: i) the identity of each data controller, including, in case of multiple controllers, an exhaustive and regularly updated list of all controllers, ii) the purposes of the processing, and iii) the existence of the right to withdraw consent. The CNIL, pointing to the EDPB guidance, further states that, if cookies (or other tracking technologies) collect personal data, additional notice must be provided including, for example, information on the types of personal data collected and any automated decision-making. In addition, the CNIL encourages the use of clear language (i.e., no legalese or complex technical terminology) and emphasizes that the notice must be clearly visible (e.g., not hidden in terms and conditions).
  4. Unambiguous. Consent must be obtained via a clear and affirmative action by the user. Under the CNIL’s guidance—and this goes beyond its 2013 guidance—scrolling down or swiping through a website is not sufficient to obtain valid consent. Similarly, pre-ticked checkboxes and bundled consent to general terms and conditions do not constitute unambiguous consent.
  5. Recorded. Companies must be able to demonstrate that they have obtained consent by keeping consent logs. On this point, the CNIL restates its conclusions from the Vectaury decision:[4] it is not sufficient to contractually require another party to obtain consent to prove that such consent has been obtained.
  6. Easy to withdraw. The CNIL requires companies to implement measures allowing users to withdraw consent, at any time and as easily as they have provided it.
  7. Prior. No cookies subject to the opt-in consent requirement can be deployed before the user provides consent.

Importantly, the CNIL concludes that browser settings are not sufficient to comply with the above requirements. According to the CNIL, browser settings do not provide sufficient notice to individuals, nor do they provide the required separate options for different types of cookies depending on their purpose. In addition, browser settings only control cookies and not other tracking technologies (e.g., device fingerprinting). The ICO similarly concludes that browser settings are not sufficient to evidence consent. However, both the CNIL and the ICO indicate that this may change as the technology develops.

Specific Cases Where Opt-Out Consent Is Enough

The CNIL’s guidance states that “audience measurement” cookies which comply with all the conditions listed below can be deployed without the user’s prior opt-in consent.

  1. First-party cookies. The audience measurement cookies are deployed by the website publisher or its processor (i.e., not by a third party controller).
  2. Notice. Users are informed of the processing before the installation of cookies.
  3. Opt-out. Users can easily opt out of the use of cookies on each device, operating system, app, or browser.
  4. Purpose. The purpose of the processing is limited to: i) measurement of the audience to assess the value of the content displayed and the ergonomics of the website or app, ii) segmentation of the website audience to evaluate the efficiency of the editorial choices, provided this does not result in the targeting of a specific individual, iii) dynamic modification of the website as a whole. Personal data is not merged with other datasets, nor shared with third parties. The use of cookies is only intended to create anonymous statistics and does not allow tracking a user across different websites or apps.
  5. Location. Location derived from the user’s IP address is not more precise than the indication of the city and the IP address itself is deleted or anonymized right after the location is determined.
  6. Retention. The cookies’ lifetime is set at 13 months maximum starting from the first visit, and information collected via the cookies is not retained beyond 25 months.

The ICO guidance provides no such exception, but suggests that the use of first-party analytics cookies will not be an enforcement priority.

Cookies Exempted from the Consent Requirement

The CNIL notes that the e-Privacy directive exempts two types of cookies from the consent requirement, whether opt-in or opt-out: i) cookies used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, and ii) cookies strictly necessary to provide a service explicitly requested by the user. However, the CNIL states that even if companies can deploy such functional cookies without the need for consent, they must at least inform users of their use (e.g., via a privacy policy).

Next Steps

In its 2019-2020 action plan, the CNIL announced that it will provide a 12-month grace period for companies to adjust to new rules which deviate from its 2013 guidance and which are not required by the GDPR.[5] For example, scrolling down or swiping through a website is no longer considered valid consent under the new guidance, but the CNIL will continue to accept this practice for another 12 months. However, the CNIL stressed that any requirements that appeared in its 2013 guidance do not benefit from the grace period and are already enforceable today. The CNIL previously announced that it will consult with adtech stakeholders (publishers, advertisers, ad networks, etc.) during the second half of 2019 and issue new sector-specific guidance on how to obtain consent by the end of 2019 or early 2020.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues in Europe and beyond, and will monitor closely developments related to adtech in Europe. For more information, please contact Cédric Burton, Jan Dhont, Laura de Boel, Lore Leitner, Nikolaos Theodorakis, Lydia Parnes, Chris Olsen, or another member of the firm’s privacy and cybersecurity practice.

Rossana Fol and Josephine Jay contributed to the preparation of this WSGR post.

[1] Available at https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=4934C45B17AFEF3EE2DAD79235581661.tplgfr21s_1?cidTexte=JORFTEXT000038778053&dateTexte=&oldAction=rechJO&categorieLien=id&idJO=JORFCONT000038777171.

[2] See WSGR Data Advisor Blog Post available at https://www.wsgrdataadvisor.com/2019/07/cnil-ad-targeting/.

[3] Available at https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/.

[4] CNIL’s decision n°MED-2018-042, available at https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037594451&fastReqId=974682228&fastPos=2.

[5] Available at https://www.cnil.fr/en/online-targeted-advertisement-what-action-plan-cnil.