The e-Privacy directive generally requires website publishers and third parties who collect data via cookies to obtain users’ prior consent. In 2013, the CNIL issued guidance on how companies may obtain such consent. However, the General Data Protection Regulation (GDPR), which became effective in 2018, imposes stricter conditions for obtaining valid consent. The European Data Protection Board (EDPB) has provided further clarification of the consent requirements. The CNIL has now updated its 2013 cookie guidance to bring it in line with the new consent requirements of the GDPR and the guidelines of the EDPB.
The new CNIL guidance applies to the storing of “information” (not only personal data), and the access to information already stored, on any device connected to a public telecommunications network, including computers, smartphones, tablets, consoles, connected TVs, connected vehicles, voice assistants, etc. In other words, it applies to all types of tracking technology installed on users’ hardware, regardless of whether they collect personal data.
Conditions for Valid Opt-In Consent
According to the CNIL, where opt-in consent is required, consent is only valid if it is:
- Specific. Individuals must be able to provide consent independently and specifically for each data processing. According to the CNIL, providing consent for different cookies with the same click is acceptable, but only if the cookies serve the same purpose. Consent for cookies cannot be obtained by asking the user to accept general terms and conditions, as this would not allow them to make a separate decision for each specific purpose.
- Informed. The CNIL specifies the elements of the notice to be provided to individuals before they consent to the installation of cookies: i) the identity of each data controller, including, in case of multiple controllers, an exhaustive and regularly updated list of all controllers, ii) the purposes of the processing, and iii) the existence of the right to withdraw consent. The CNIL, pointing to the EDPB guidance, further states that, if cookies (or other tracking technologies) collect personal data, additional notice must be provided including, for example, information on the types of personal data collected and any automated decision-making. In addition, the CNIL encourages the use of clear language (i.e., no legalese or complex technical terminology) and emphasizes that the notice must be clearly visible (e.g., not hidden in terms and conditions).
- Unambiguous. Consent must be obtained via a clear and affirmative action by the user. Under the CNIL’s guidance—and this goes beyond its 2013 guidance—scrolling down or swiping through a website is not sufficient to obtain valid consent. Similarly, pre-ticked checkboxes and bundled consent to general terms and conditions do not constitute unambiguous consent.
- Recorded. Companies must be able to demonstrate that they have obtained consent by keeping consent logs. On this point, the CNIL restates its conclusions from the Vectaury decision: it is not sufficient to contractually require another party to obtain consent to prove that such consent has been obtained.
- Easy to withdraw. The CNIL requires companies to implement measures allowing users to withdraw consent, at any time and as easily as they have provided it.
- Prior. No cookies subject to the opt-in consent requirement can be deployed before the user provides consent.
Importantly, the CNIL concludes that browser settings are not sufficient to comply with the above requirements. According to the CNIL, browser settings do not provide sufficient notice to individuals, nor do they provide the required separate options for different types of cookies depending on their purpose. In addition, browser settings only control cookies and not other tracking technologies (e.g., device fingerprinting). The ICO similarly concludes that browser settings are not sufficient to evidence consent. However, both the CNIL and the ICO indicate that this may change as the technology develops.
Specific Cases Where Opt-Out Consent Is Enough
The CNIL’s guidance states that “audience measurement” cookies which comply with all the conditions listed below can be deployed without the user’s prior opt-in consent.
- First-party cookies. The audience measurement cookies are deployed by the website publisher or its processor (i.e., not by a third party controller).
- Notice. Users are informed of the processing before the installation of cookies.
- Location. Location derived from the user’s IP address is not more precise than the indication of the city, and the IP address itself is deleted or anonymized right after the location is determined.
- Retention. The cookies’ lifetime is set at a maximum of 13 months starting from the first visit, and information collected via the cookies is not retained beyond 25 months.
The ICO guidance provides no such exception, but suggests that the use of first party analytics cookies will not be an enforcement priority.
Cookies Exempted from the Consent Requirement
In its 2019-2020 action plan, the CNIL announced that it will provide a 12-month grace period for companies to adjust to new rules which deviate from its 2013 guidance and which are not required by the GDPR. For example, scrolling down or swiping through a website is no longer considered valid consent under the new guidance, but the CNIL will continue to accept this practice for another 12 months. However, the CNIL stressed that any requirements that appeared in its 2013 guidance do not benefit from the grace period and are already enforceable today. The CNIL previously announced that it will consult with adtech stakeholders (publishers, advertisers, ad networks, etc.) during the second half of 2019 and issue new sector-specific guidance on how to obtain consent by the end of 2019 or early 2020.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues in Europe and beyond, and will closely monitor developments related to adtech in Europe. For more information, please contact Cédric Burton, Jan Dhont, Laura de Boel, Lore Leitner, Nikolaos Theodorakis, Lydia Parnes, Chris Olsen, or another member of the firm’s privacy and cybersecurity practice.
Rossana Fol and Josephine Jay contributed to the preparation of this WSGR post.
 Available at https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=4934C45B17AFEF3EE2DAD79235581661.tplgfr21s_1?cidTexte=JORFTEXT000038778053&dateTexte=&oldAction=rechJO&categorieLien=id&idJO=JORFCONT000038777171.
 See WSGR Data Advisor Blog Post available at https://www.wsgrdataadvisor.com/2019/07/cnil-ad-targeting/.
 CNIL’s decision n°MED-2018-042, available at https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037594451&fastReqId=974682228&fastPos=2.