Following the fines of hundreds of millions imposed on Amazon, Google and Facebook by the CNIL and other authorities in relation to their use of cookies, this article reviews the CNIL’s practical recommendations in this area to help organisations understand the requirements in France and, to some degree, in the rest of the European Union.
The CNIL states in its recommendations that they are only examples, neither prescriptive nor exhaustive, and that although they focus on the web and mobile environment, they can also be applied to other environments (connected TV, etc.).
The deadline for compliance with the recommendations was 6 months from September 2020. Since March 2021, the CNIL has therefore been auditing and sanctioning organisations to enforce its recommendations.
(last update of the article: 13/09/2022)
1. Overview
In summary, the CNIL would like to see the information notice provided and consent on the use of cookies collected in the following way:
1.1 Content of the information notice
– Indication of the purposes of the cookies must be given before the consent/refusal options in an intelligible and clear manner;
– Each purpose should be indicated by a short title, followed by a brief description;
– A more detailed description of the purposes should be accessible from the consent interface (drop-down button, hyperlink);
– The exhaustive and updated list of data controllers must be made available to the user at the time of consent (e.g. hypertext link, drop-down banner accessible from the consent interface);
– The CNIL also recommends indicating the categories of data collected by purpose if possible;
– Information relating to cookies exempted from consent should also be provided.
Although the CNIL does not expressly request it, as soon as cookies collect personal data, the other information obligations provided for in Articles 13 and 14 GDPR are supposed to apply as well. The retention period, the processing carried out with the cookies, any sharing, etc. must therefore be indicated.
1.2 Consent mechanism
– Consent should be obtained via a checkbox, unchecked by default or switches disabled by default;
– If global consent is proposed, “accept all”, “refuse all” and “personalise your choices” buttons should be proposed on the interface;
– The CNIL suggests including a “continue without accepting” button at the top of the consent window;
– The duration of consent is 6 months (to be adapted according to the context);
– A system must be in place to ensure proof of consent;
– The user should be able to withdraw consent or to set/change their choices at any time.
1.3. How long cookies and collected data are kept
The CNIL does not expressly indicate how long cookies or data collected via cookies should be kept in its recommendation.
Nevertheless, for cookies subject to consent, insofar as the CNIL recommends a consent validity period of 6 months, the retention period for these cookies should also be limited to 6 months.
For statistical cookies exempt from consent (excluding Google Analytics; see here for more information), it recommends a retention period of 13 months.
Regarding the retention period of personal data collected via the cookies, where applicable, the recommended retention period is 24 months for statistics, but no details are given for other cookies. For those, the period must be determined according to their purposes.
2. Focus on the prior information of individuals
2.1. Purposes of the trackers / cookies
Information on the purposes of the trackers must be placed before the consent/refusal options.
Each purpose must be indicated by a short title, followed by a brief description. In this respect, the CNIL reminds us that the design and vocabulary chosen must help the user understand and encourages the development of standardised interfaces (standardised vocabulary).
The information provided must be easy to understand and must not require any particular effort of concentration or interpretation on the part of the user (e.g. an inattentive reading should not lead the user to believe that the option selected produces the opposite effect to the one they thought they were choosing).
Example: “Personalised advertising: [name of the site] and partners/third parties use trackers in order to display personalised advertising according to your browsing and profile” (a link to the partners should be inserted when there are too many to list).
The same applies to location-based advertising, content personalisation, data sharing on social networks (which may also be requested at the time of sharing) etc.
A more detailed description of the purposes should be accessible from the consent interface (drop-down button, hypertext link).
Example: in the case of personalised advertising, this additional information can specify the various technical operations, such as advertising capping (limiting how often the same advertisement is shown to the same user), the fight against click fraud, invoicing, the measurement of audiences with a greater appetite for advertising, etc.
2.2 Categories of data
The CNIL recommends indicating the categories of data collected by purpose if possible. This is not a legal obligation, unless the data is collected from a third-party source. That said, if the volume of data is small and/or not very sensitive, stating the categories can reassure the user.
UPDATE 01/2022: furthermore, in its WhatsApp decision, the Irish authority indicated that the categories of data must be indicated for consent to be valid. It is therefore to be expected that this information may be required.
2.3. The identity of the controller(s)
The exhaustive and updated list of data controllers must be made available to the user at the time of consent (e.g. hyperlink, drop-down box accessible from the consent interface).
This list must be accessible at all times and the mechanism for accessing it must be placed in the areas of the screen that attract the attention of users or where they expect to find this option. E.g.: cookie settings module always visible or in a hyperlink at the bottom or top of the page.
In practice, a link in the cookie banner to the list of partners/other controllers is a way of informing the person. This banner should be easily accessible once consent or refusal has been given.
2.4. Additional information
Although the CNIL does not expressly require it in its recommendation, the other information required in Articles 13 and 14 GDPR should also be set out in the information notice.
Indeed, the CJEU ruled on this point in 2019 and also added that the lifespan of cookies, as well as the possible access by third parties to cookies, were part of the information necessary for the validity of the consent.
For more details, an article dedicated to the content of the GDPR information notice is available here. Among the additional information, the information notice should state the data retention period and the rights of data subjects.
3. Focus on users’ choices
3.1. Consent
The CNIL strongly recommends the use of checkboxes, unchecked by default, or switches, deactivated by default, to obtain users’ consent.
Global consent is possible provided that:
- the user is informed beforehand of all the purposes;
- an additional “personalise your choices” button, placed at the same level of information as the “accept all” button, makes it possible to personalise the user’s choices on a purpose-by-purpose basis.
The CNIL recommends that the design not be misleading (e.g. by suggesting that the user must accept) or highlight one choice more than the other.
However, it seems that as long as the options are clearly visible and easy to access, there is no legal prohibition on highlighting certain options, for example through the choice of colour.
The case of the cookie wall
Following the decision of the Conseil d’Etat cancelling its position on the cookie wall, the CNIL has adopted a more flexible position on their use. However, this should not lead one to believe that, during a control or a sanction procedure, it will validate the practice of the “cookie wall”.
Thus, the CNIL no longer formally prohibits this practice, which consists of refusing access to the content of a site if the user does not accept cookies. It recalls that the lawfulness of this practice must be assessed on a case-by-case basis and that the information provided to the user must indicate the consequences of a refusal (no access to the content or service in the absence of consent).
Furthermore, the Commission considers that the simultaneous collection of a single consent for several processing operations serving different purposes (bundling of purposes), without the possibility of accepting or refusing purpose by purpose, is also likely to affect, in certain cases, the user’s freedom of choice and therefore the validity of their consent.
The CNIL added on its website at the end of May 2021 that, in order to determine whether a cookie wall is lawful, it would take into account the existence of real and satisfactory alternatives offered in case of refusal of cookies.
For the first time, it specifies, by way of example, that an online press publisher making access to its content conditional on the acceptance of advertising cookies or the payment of a reasonable sum of money is not prohibited in principle. However, it recalls that in order to determine whether a cookie wall is lawful, it would take into account the following elements:
- the amount of money requested in return must be reasonable, although the CNIL gives no further details (is a subscription acceptable?);
- the user must have access to an equivalent version of the site in terms of content, which must be free of advertising trackers;
- it will also take into account other elements such as the dominant position of the site in its sector, which it believes may lead to the illegality of certain cookie walls.
In May 2022, the CNIL provided a more specific position regarding cookie walls and encourages website publishers to answer the following questions before implementing one.
Does the user have an equitable alternative to access the website content? If not, the publisher will have to demonstrate that another website publisher provides such an alternative (e.g. unconditional and free access to similar content), so that the user has an actual and free choice.
Is the amount of the fee reasonable? For the CNIL, asking for a payment as an alternative to consenting to cookies remains GDPR compliant to the extent that the fee does not become a deterrent. In this regard, the CNIL encourages micropayment through e-wallets and seems to imply that an annual subscription may be unreasonable.
Case of off-site tracking
When consent is required and the cookies allow tracking of the user’s navigation beyond the site or mobile application, the CNIL strongly recommends that consent be obtained on each of the sites or applications concerned by this navigation tracking.
According to the CNIL, this would allow the user to be fully aware of the scope of his consent.
However, in the absence of a practical example and of more details on the basis for such a recommendation, it seems that tracking would require consent on subsequent sites visited only if the tracking involves the deposit of a new tracker. Otherwise, the legal basis for such a requirement seems shaky once the purpose of “tracking” has been accepted by the user. Moreover, the practical implementation of a request for such consent seems very complicated.
3.2. Users’ refusal
Any inaction or action by users other than a positive act signifying their consent should be interpreted as a refusal and no write/read operation can take place (if consent is required).
A “refuse all” button should be proposed at the same level of information as the “accept all” and “personalise your choices” buttons.
Indeed, the CNIL believes that refusal should be as easy as consent, on the basis that making it harder could bias the choice of a user who wants to view the site or use the application quickly. This is not expressly stated in the GDPR but could be considered a valid argument by judges.
Furthermore, the user must have the possibility to withdraw his consent as easily as he gave it. The CNIL recommends leaving a button in a visible place on the site to allow the user to set cookies at any time. Easy withdrawal of consent is an express requirement of the GDPR, so it is important to follow the CNIL’s position on this point.
If the refusal can be expressed by continuing to browse, this possibility must be indicated in the consent window/banner, and the banner must disappear after a short period of time so as not to condition the user’s browsing comfort on the expression of consent to the tracker.
To this end, the CNIL suggests including a “continue without accepting” button at the top of the consent window.
3.3 Retention of choices
It is necessary to keep the choices expressed by users for the duration of the site’s navigation to avoid a consent window appearing on each page visited.
The CNIL recommends that consent be kept for a certain period of time, to be adapted according to the type of site and its audience, and that the request be renewed regularly.
Except in special cases, keeping the choices for 6 months seems to be good practice.
3.4. Record of consent
Possible ways of keeping proof of consent include:
- the different versions of the computer code collecting the consent can be escrowed with a third party, or a hash of this code can be published in a time-stamped way on a public platform, in order to be able to prove its authenticity a posteriori;
- screenshots of the visual rendering displayed on a mobile or fixed terminal can be stored with a time stamp;
- regular audits of consent mechanisms can be carried out by mandated third parties;
- the information relating to the tools implemented and their subsequent configurations (consent management platform) can be kept in a time-stamped manner by the third parties publishing these solutions.
4. Trackers exempt from consent
Although not required by law, the CNIL recommends that information be given for certain read and write operations not subject to consent.
According to the CNIL, the exempted trackers are notably those whose purpose is one of the following:
- retention of the choice expressed by users regarding the deposit of trackers;
- authentication with a service, including those aimed at ensuring the security of the authentication mechanism;
- keeping track of the contents of a shopping cart or billing the user for the product(s) and/or service(s) purchased;
- customisation of the user interface (e.g. for language selection or service presentation), where such customisation is an intrinsic and expected feature of the service;
- load balancing of equipment supporting a communication service;
- limiting free access to a sample of content requested by users (predefined quantity and/or over a limited period of time);
- certain audience measurement trackers, provided that certain conditions are met (excluding Google Analytics; in particular, the data must be anonymised).
In the case of audience measurement cookies (excluding Google Analytics): the CNIL recommends a lifetime of 13 months and a maximum retention period of 25 months for the information collected.
5. Technical measures
Using different cookies for distinct purposes would allow users to distinguish between them and to ensure that their consent is respected, as well as to make reading or writing operations more transparent.
Trackers exempt from consent should be used for that single exempt purpose only, so that a refusal of consent for other purposes does not affect the user’s browsing.
Techniques that mask the identity of the entity using the trackers, such as subdomain delegation, should not be used.
The CNIL also recommends that tracker names be standardised regardless of the entity that issued them, and that the tracker storing the record of consent be named “eu-consent”.
However, these recommendations do not stem from any legal obligation, so it is unlikely that they will be followed.
CONTACT
If you have any questions, do not hesitate to contact Arnaud Blanc, French and UK qualified lawyer based in France.