On October 1, 2020, the French data protection authority (the CNIL) issued the final version of its guidelines on the use of cookies and other trackers (the Guidelines), replacing a first draft published on July 4, 2019. While the main principles remain unchanged, this version provides further practical guidance for website and mobile application publishers using cookies and trackers. The CNIL indicated that the deadline for compliance with the new rules should not exceed six months, which means that companies have until March 2021 to ensure compliance.

Background

This final iteration of the Guidelines takes into account input received during a public consultation that started on January 14, 2020, and the decision of the French Administrative Supreme Court (Conseil d’État), which partially invalidated the previous version of the CNIL’s guidelines. The CNIL has also published non-binding recommendations on how to implement the Guidelines in practice. The Guidelines and the recommendations apply to companies using “cookies” or “trackers,” i.e., any identifier generated by software or an operating system (serial number, MAC address, Unique Terminal Identifier (UTI)), or any data set that is used to calculate a unique terminal or device fingerprint. Examples of such identifiers include HTTP cookies, flash cookies, and invisible pixels.

The key takeaways of the Guidelines are:

1. Cookies and trackers do not always require the user’s consent.

While opt-in consent remains the rule of thumb for cookies and trackers, the CNIL indicates that some analytics trackers may be exempt from the consent requirement. This is the case if the cookies meet all of the following cumulative conditions:

  • are strictly necessary for the provision of an online communication service expressly requested by the user. For example, a publisher may use a cookie to authenticate users without asking for their consent, to allow them to log in to the website. This cookie is strictly necessary for the provision of the online communication service, and is exempt from consent.
  • are strictly and exclusively used for the publisher’s audience measurement or analytics purposes,
  • only result in statistics which are anonymous, and
  • do not track individuals over different applications or websites, and do not permit sharing of data with third parties. This means that audience measurement or analytics providers can service multiple publishers provided that the data remains siloed for each publisher and the trackers cannot be matched across publishers.

In addition to trackers that allow authentication for a service, other examples of trackers that do not require consent include:

  • Trackers used for user interface customization (e.g., for the choice of language), when such customization is an intrinsic and expected element of the service
  • Trackers for storing the contents of a shopping cart
  • Some trackers intended to generate traffic statistics
  • Trackers allowing paid sites to limit free access to a sample of content requested by users.

2. No use of such data for their own purposes by audience measurement or analytics providers. Some audience measurement suppliers reuse their customers’ data for their own purposes, e.g., to improve their services and products. For the consent exemption to apply, such use should be disabled and contractually prohibited in the publisher agreement.

3. Practical suggestions related to consent

The CNIL further confirms that a user’s continued browsing of a website does not constitute valid consent under the GDPR, which is in line with the case law of the Court of Justice of the European Union in Planet49 (C-673/17) (also see our article ECJ: Cookies Require Active Opt-In Consent). Best practice examples for the collection of opt-in consent are:

  1. For cookies which track users across multiple websites, consent should, where possible, be collected on each website where tracking takes place. This ensures that the user is fully aware of the consequences of providing consent.
  2. Refusing cookies should be as easy as accepting them. According to the CNIL, an option stating “Refuse all cookies” should be presented to the user in an equally prominent manner as the “Accept all cookies” option. This allows the user to express their cookie preferences in a clear and simple way. If the user refuses the use of cookies, this choice should be respected for a certain period of time without repeating the request, just as consent only needs to be refreshed periodically. The period between refreshing such refusal/consent should be assessed on a case-by-case basis, but the CNIL considers six months to be good practice.
  3. The consent preference dashboard should be easily accessible and clearly visible, and the CNIL recommends that it be designed in such a way that it is abundantly clear when consent is withdrawn, e.g., through the use of toggles.
  4. Cookies should be retained for an appropriate period of time. Where cookies or similar tracking technologies are exempt from the consent requirement (as set out above), the CNIL recommends that they should only be stored for the period required to analyze a publisher’s audience, for example, 13 months. The maximum retention period should be 25 months. Also, these retention periods should be periodically reviewed to ensure that they are limited to the strict minimum necessary.

4. Cookie walls are authorized, under conditions. Aligning its position with a recent decision from the French Administrative Supreme Court, the CNIL does not exclude the lawfulness of a “cookie wall”. A “cookie wall” is a mechanism which prevents an individual from accessing a website or mobile application unless he or she gives his or her consent to tracking. Interestingly, this position goes against the European Data Protection Board’s view that cookie walls do not constitute a lawful way to obtain consent. However, the CNIL does specify that the validity of “cookie walls” must be assessed on a case-by-case basis.

Conclusion

The updated guidance will not only have far-reaching implications for social media platforms, advertisers, and ad tech companies using cookies, but also for all websites or mobile applications which use other types of trackers. In particular, the players that are in direct contact with individuals will be the entities responsible for providing notice and obtaining consent before dropping the tracker.