CookiePro Blog July 19, 2019

The CNIL Releases Updated Guidelines for Cookie Compliance

On Wednesday, July 18, France’s Data Protection Authority, the CNIL, released updated cookie guidelines. These guidelines repeal those from Article 5.3 of the e-Privacy Directive from 2013, which imposed an obligation to obtain prior consent before placing or accessing cookies and similar technologies.

Here are the main takeaways from the updated guidance.

Cookie walls are forbidden

The European Data Protection Board (EDPB) states that cookie walls, the practice of blocking access to a website or mobile application for users who do not agree to be tracked, do not comply with the GDPR. Basically, browser settings (currently) are not proof of consent to cookies.

Cookie processing information shouldn’t appear only in the terms and conditions; at a minimum, basic information must be clearly visible and highlighted to the user and include the following:

  1. Identity of controller(s)
  2. Purpose of reading/writing operations
  3. Existence of the right to withdraw consent
  4. Exhaustive and up-to-date list of other entities using the cookie data – e.g. if shared amongst several entities

Contrary to ICO guidance, which requires GDPR consent, audience measuring trackers can be deployed without user consent, based on soft opt-in, provided they comply with the following conditions:

  • Must be implemented by the website publisher or his subcontractor
  • User must be informed prior to their implementation
  • User must be able to opt-out easily across any devices/browsers
  • Purpose must be limited to:
    • Audience measurement of the visualized content for evaluation of the published contents and the metrics of the site/app
    • Audience segmentation to evaluate effectiveness of editorial choices, without this leading to targeting a single person
    • Dynamic modification of the site in a global way. The collected personal data must not be cross-referenced with other processed data (e.g. customer files, or attendance statistics of other sites), nor transmitted to third parties
  • Only anonymous stats, scope limited to single site editor
  • Geotagging based on IP address must not be more accurate than city-level. IP address collected must also be deleted/anonymized once geolocation is done.
  • Trackers cannot last more than 13 months (no auto-extension during new visits). Information collected from trackers has a max retention of 25 months.

The new guidelines serve as a basis for the CNIL meetings with cookie vendors and other stakeholders, such as CookiePro’s parent company, OneTrust, which is involved in the negotiations. Based on these meetings, the CNIL will produce practical recommendations on the technical requirements and implementation of cookie consent guidance.

Timeline for the practical CNIL recommendations:

The recommendations are expected in December, followed by six weeks for public comment. Afterwards, there will be a six-month ‘transition period’, after which they become fully effective in summer of 2020.

The scope will include tracking for connected devices, mobile tech, etc., and will exclude most direct marketing issues, except for cookie consent.
