On October 13, 2021, the French data protection authority (the CNIL) issued a short note (the “Note,” in French) on technologies such as fingerprinting, unique identifiers, and cohort-targeting, developed to replace traditional third-party cookies.

While the CNIL acknowledges that some of these technologies are less privacy invasive than third-party cookies, it stresses that the consent and transparency requirements also apply to these technologies.

Background

Third-party cookies are widely used tools allowing businesses to collect or deduce information about individuals when they browse different websites. The information collected can then be used to create a profile enabling companies, online platforms, or ad providers to serve content and advertisements tailored to the user’s interests. In recent years, web browsers have been developing alternatives to third-party cookies.

Alternatives to Third-Party Cookies Require Consent

The CNIL notes that alternatives to third-party cookies—such as an advertising identifier, cohort identifier, or browser setting data—operate in much the same way that cookies do: they all rely on access to the user’s terminal equipment (e.g., phone, desktop computer, or laptop) to access information already stored in such equipment or to store information on the equipment.

The CNIL stated that the operations necessary to build profiles for advertising require the user’s prior consent to the extent that such processing activities are not part of the service requested by the user.[1] This requirement is similar to the cookies requirements. In addition, prior opt-in consent is required whether or not the data collected from the user’s terminal equipment is personal data. The bottom line: the CNIL confirms the application of its cookies guidance published last year to these technologies (see CNIL Issues Updated Cookie Guidance).

Users must therefore be able to choose in a free and informed manner 1) to accept tracking purposes that go beyond what is strictly necessary for the provision of the requested service (for example to tailor content or advertisements); or 2) to refuse such tracking. Companies should record and document users’ choices with respect to these technologies.

Companies Should Assess All Tracking Technologies, Not Only Cookies

The CNIL highlights that companies should review the use of all tracking technologies, including alternatives to third-party cookies, when assessing compliance with the cookies requirements. This means, for example, that companies using alternatives to third-party cookies should integrate clear and transparent information about these technologies in their privacy notices, and should implement user-friendly interfaces to allow users to easily express their choices and exercise their rights with respect to these technologies.

Conclusion

By issuing the Note, the CNIL intends to further clarify the rules applicable to technological alternatives to third-party cookies. According to the CNIL, all technologies used to track users online should comply with the cookies requirements. Website publishers, advertisers, and all companies operating in the ad tech space should consider assessing their compliance with this recent Note.

[1] Article 5(3) Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) and Article 82 of the French Data Protection Act.