skip to main content
0
CookiePro Blog July 19, 2019

The CNIL Releases Updated Guidelines for Cookie Compliance

On Wednesday, July 18, France’s Data Protection Authority, the CNIL, released updated cookie guidelines. These guidelines repeal those from Article 5.3 of the e-Privacy Directive from 2013, which imposed an obligation to obtain prior consent before placing or accessing cookies and similar technologies.

Here are the main takeaways from the updated guidance:

Cookie walls are forbidden

The European Data Protection Board (EDPB) states that the practice of blocking access to a website or mobile application for users that do not agree to be tracked, or cookie walls, does not comply with the GDPR. Basically, browser settings (currently) are not proof of consent to cookies.

Cookie processing info must be clearly visible and highlighted to the user and include at least the following:

  1. Identity of the controller(s)
  2. Purpose of reading/writing operations
  3. Existence of the right to withdraw consent
  4. An exhaustive and up-to-date list of other entities using the cookie data – e.g. if shared amongst several entities

Contrary to ICO guidance which requires GDPR consent, audience measuring trackers can be deployed without user consent, based on soft opt-in, complying with the following conditions:

  • Must be implemented by the website publisher or his subcontractor
  • User must be informed prior to their implementation
  • User must be able to opt-out easily across any devices/browsers
  • The purpose must be limited to:
    • Audience measurement of the visualized content for evaluation of the published contents and the metrics of the site/app
    • Audience segmentation to evaluate the effectiveness of editorial choices, without this leading to targeting a single person
    • Dynamic modification of the site in a global way. The collected personal data must not be cross-referenced with other processed data (e.g. customer files, or attendance statistics of other sites), nor transmitted to third parties
  • Only anonymous stats, scope limited to the single-site editor
  • Geotagging based on IP address must not be more accurate than the city-level. The IP address collected must also be deleted/anonymized once geolocation is done.
  • Trackers cannot last more than 13 months (no auto-extension during new visits). Information collected from trackers has maximum retention of 25 months.

The new guidelines serve as a basis for the CNIL meetings with cookie vendors and other stakeholders, such as CookiePro’s parent company, OneTrust, which is involved in the negotiations. Based on the meetings, the practical CNIL recommendations on the technical requirements/implementation of cookie consent guidance will be produced.

Timeline for the CNIL Recommendations:

Expected in December, followed by six weeks for public comment. Afterward, there will be a six-month ‘transition period’, rolling into fully effective in the summer of 2020

The scope will include tracking for connected devices, mobile tech, etc., excluding most direct marketing issues, except for cookie consent

Recent Posts

What’s the Difference Between IAB TCF...
The Interactive Advertising Bureau (IAB) is gearing up for the […]
+ View Article
IAB TCF v2.0: Top 10 Things to Know
Ready to learn the nitty-gritty facts about this framework? Here’s a list of 10 top things you need to understand about the IAB TCF 2.0.
+ View Article
CookiePro + WordPress: Integration and...
The WordPress plugins from CookiePro offer different solutions to help you comply with global cookie laws. There are two: The CCPA Opt-Out...
+ View Article
Safari Announces Third-Party Cookie Blocking:...
Organizations relying on third-party cookies to facilitate the collection of user consent must make the shift to capturing first-party data...
+ View Article