1. Help Center
  2. Legal Requirements

Everything you need to know about the new CNIL recommendations' draft (January 2020)

📅 On July 4th, 2019, the French Data Protection Authority published new guidelines about cookies and other trackers to replace its previous recommendations of 2013 that have become obsolete with GDPR. 

From September 2019 to January 2020, a period of consultation with professionals in the sector was conducted to gather opinions on the different questions at stake and better understand the market issues.

This is why, on January 14th, 2020, the CNIL launched a public consultation on its draft recommendations "Cookies and other trackers" that details the practical methods for consent collection according to its directive of July 2019.

This consultation will end on February 25th and the final recommendations will be voted. However, the CNIL will allow a transition period that will end in September 2020 for companies to enforce the new recommendations.

What are the key points of those recommendations and what are the consequences for your Consent Management Platform configuration?

🔎 Didomi is building all the options to comply with the new requirements from the CNIL and will make them available in the Didomi Console. You will need to enable these new features if you want to use them. We recommend that all French publishers or publishers with traffic from France activate those options.

Here are several elements that you will need to implement to obtain valid consent according to the French DPA.

✅ Informed consent

It is still possible to collect consent globally at the first layer of information. The purposes must be clear, comprehensive and it must be possible to accept globally but also to globally refuse all the cookies.

A link presenting the detailed purposes must be proposed to the user, it can allow the information to be displayed directly on the first page or refer to the second level of information.
Users must also be informed of which data controllers process their data from the first level of information. A link to this list which is easily accessible by users is recommended. Besides, it is not necessary to ask again for consent each time a new partner is added, except in the case of a substantial "qualitative or quantitative" addition. On the other hand, a link must be available to users so that they can keep themselves informed about the partners' updates. This link can be included in the module which allows to re-display the consent collection banner. The CNIL proposes to change the color of the link leading to partners to warn users of a change in the list.

If a collection of consent is shared between domains or apps, users must be informed, from the first layer of information, of the other websites and applications on which his consent is collected.

✅ Free consent

For the consent to be free, the "I accept all" button present at the first layer of information must come with a "I refuse all" button. The buttons must have the same visual appearance and the same size in order not to influence the choice of the user. The presence of a simple "Learn more" link next to the "I accept all" button is not sufficient. It must be as easy to accept as to refuse.
The user must not be penalized and suffer prejudice if he refuses the trackers. The refusal must be registered for the same period as if he had accepted in order not to represent the banner too frequently and therefore not to influence its choices.
It also remains possible not to choose immediately, for example by adding a cross or a button "Set my cookies later".

No cookie should be placed until the user has clicked on "I accept" or has configured his choices. Users can be asked for consent until they have made a choice.

✅ Specific consent

All purposes must be presented in details (via a link or drop-down text below the purpose for example).
Specific consent by purpose must be possible and can be offered as within a second layer of information. The text leading to the second view should be clear. Therefore, we recommend "Learn more about cookies" or "Configure my cookies".

✅ Unambiguous consent

The accept and refuse buttons must have a similar or even identical design and no visual should influence the visitor's choice.

✅ Withdrawal and duration of the consent

Users must be informed on the first page of the possibility of withdrawing their choices at any time. The link that allows them to change their choices must be accessible on all pages in a visible place and throughout the navigation duration. The text referring to the consent collection banner must be clear and intuitive, such as "Manage my cookies" or "Cookie preferences".
Users should also be informed about the lifetime of cookies.
Concerning the duration of the consent, the CNIL leaves 6 months after which it would be necessary to request consent again from the user.

✅ Proof of consent

It is necessary to be able to provide proof of the user's consent. The data must be precise and must indicate the date, time, version of the banner used and the sites/applications on which consent has been given.
However, only the necessary information has to be collected after consent. The CNIL suggests that a cookie should be created and associated for each specific purpose. 

To summarize, here is what you must display in the first layer of information:

  • The list of detailed purposes.
  • The list of data controllers who process the data collected.
  • The list of sites/applications for which consent is collected.
  • The ability of withdrawal at any time.
  • If consent is requested globally, an "I accept all" button and an "I refuse all" button.
  • The lifetime of cookies and possibly the categories of data collected are considered as "best practices.