📆 On June 28 2019, the French data protection authority announced its plan of action for the year 2019/2020 and decided to better control online advertising targeting.
📆 In this context, the CNIL adopted, on July 4 2019, new guidelines on cookies and other trackers and withdrew its 2013 recommendation which was no longer compliant with the GDPR. Indeed, the guidelines of the European Data Protection Board (EDPB) on consent have strengthened the conditions of valid consent and have therefore rendered obsolete the previous CNIL recommendations on the subject.
📕 The CNIL has decided to concede a transitional period of twelve months to operators after the publication of its new guidelines to become compliant, but only for the points diverging from the previous 2013 directives. At the same time, consultations with professionals are scheduled from September 2019 to January 2020 in order to publish in early 2020 a final recommendation proposing the operational modalities for the collection of consent. Operators will have 6 months to comply after this publication.
What are the different points contained in the new CNIL guidelines?
The deliberation of July 4 2019 includes a total of 7 articles.
- Article 1: this article begins by clarifying the scope of the guidelines. It applies to "all operations intended to access, by electronic transmission, information already stored in the subscriber's or user's terminal or to enter information in that equipment".
This includes all trackers that are deposited on mobile, tablet, computer, television or video game console and more generally on any device connected to a telecommunications network open to the public.
Besides, the CNIL reminds that this regulation applies to all data including data that are not personal data. It is, therefore, necessary to obtain the consent for the tracker deposit, even if the information collected is not personal data! Also, all personal data processing on these trackers is subject to the GDPR.
- Article 2: the CNIL states in which the cases the collection of consent is considered valid.
As a first step, it asserts that consent is valid only if the user does not suffer major inconveniences in case of refusal or withdrawal of consent. It reminds us that it is not GDPR-compliant to block access to the site if the user refuses to give consent.
⚠️ So what about the legality cookie walls?
There is a legal uncertainty for now: legality case-by-base. In case of complaint from users, the CNIL* can investigate and invalidate them if needed.
Consent must, of course, be specific for each different purpose and these must be simple and understandable. It is still acceptable to let the possibility to the user to globally accept all the purposes while allowing him to make a specific choice (a button “accept all” must be accompanied by a link allowing the user to make a granular choice). As such, acceptance of the terms and conditions is not considered a valid consent for the deposit of cookies.
Before the collection of consent, the identity of the controller, the purposes (texts containing all the purposes), the partners present on the site (link on the first page to view the partners), and the existence of the right to withdraw consent must be clearly visible.
The CNIL considers that continuing to browse the website/application or scrolling through the page of a site or application are not clear positive actions and, therefore, do not constitute valid consent. It is therefore clear that the scroll or the navigation’s click is no longer tolerated by the French data protection authority!
Publishers must also be able to prove at any time the existence of valid consent. When publishers use a subcontractor for this, a simple clause is not enough to fulfill this obligation!
- Article 3: the CNIL specifies that the actors depositing trackers/cookies on the website of a publisher and processing data on their behalf may be data controller.
- Article 4: the browser's setting is not sufficient and does not allow the user to give valid consent.
- Article 5: some trackers like audience measurement or optimization can be regarded as essential cookies and thus can be exempted of consent only under certain strict conditions only.
- Article 6: trackers that are strictly necessary for the provision of the service at the request of the user and those for providing or facilitating communication do not need consent.
- Article 7: this article overturns the old directive of the CNIL of 2013.
✍️ The important point to remember from this new recommendation is that it is no longer acceptable to collect consent through continuing to browse the website and that each publisher must be able to prove at any time that he obtained the consent in question respecting the legal requirements.
Moreover, even if the CNIL gives publishers a transitional period to comply with these new requirements, it will check that no cookies are dropping before user consent.