CookiePro Blog July 19, 2019

The CNIL Releases Updated Guidelines for Cookie Compliance

On Wednesday, July 18, France’s Data Protection Authority, the CNIL, released updated cookie guidelines. These guidelines repeal those from Article 5.3 of the e-Privacy Directive from 2013, which imposed an obligation to obtain prior consent before placing or accessing cookies and similar technologies.

Here are the main takeaways from the updated guidance.

Cookie walls are forbidden

The European Data Protection Board (EDPB) states that the practice of blocking access to a website or mobile application for users that do not agree to be tracked, or cookie walls, does not comply with the GDPR. Basically, browser settings (currently) are not proof of consent to cookies.

Cookie processing information should not appear only in the terms and conditions. Basic information must be clearly visible and highlighted to the user and include at least the following:

  1. Identity of controller(s)
  2. Purpose of reading/writing operations
  3. Existence of the right to withdraw consent
  4. Exhaustive and up-to-date list of other entities using the cookie data – e.g. if shared amongst several entities

Contrary to ICO guidance, which requires GDPR consent, audience measuring trackers can be deployed without user consent, based on soft opt-in, provided the following conditions are met:

  • Must be implemented by the website publisher or his subcontractor
  • User must be informed prior to their implementation
  • User must be able to opt-out easily across any devices/browsers
  • Purpose must be limited to:
    • Audience measurement of the visualized content for evaluation of the published contents and the metrics of the site/app
    • Audience segmentation to evaluate effectiveness of editorial choices, without this leading to targeting a single person
    • Dynamic modification of the site in a global way. The collected personal data must not be cross-referenced with other processed data (e.g. customer files, or attendance statistics of other sites), nor transmitted to third parties
  • Only anonymous stats, scope limited to single site editor
  • Geotagging based on IP address must not be more accurate than city-level. IP address collected must also be deleted/anonymized once geolocation is done.
  • Trackers cannot last more than 13 months (no auto-extension during new visits). Information collected from trackers has a max retention of 25 months.

The new guidelines serve as a basis for the CNIL meetings with cookie vendors and other stakeholders, such as CookiePro’s parent company, OneTrust, which is involved in the negotiations. Based on the meetings, the practical CNIL recommendations on the technical requirements/implementation of cookie consent guidance will be produced.

Timeline for the practical CNIL recommendations:

Expected in December, followed by six weeks for public comment. Afterwards, there will be a six-month ‘transition period’, with the recommendations becoming fully effective in summer of 2020.

The scope will include tracking for connected devices, mobile tech etc., excluding most direct marketing issues, except for cookie consent.
