The CNIL Releases Updated Guidelines for Cookie Compliance

On Wednesday, July 18, France’s Data Protection Authority, the CNIL, released updated cookie guidelines. These guidelines repeal those from Article 5.3 of the e-Privacy Directive from 2013, which imposed an obligation to obtain prior consent before placing or accessing cookies and similar technologies.

Here are the main takeaways from the updated guidance:

Cookie walls are forbidden

The European Data Protection Board (EDPB) states that the practice of blocking access to a website or mobile application for users that do not agree to be tracked, or cookie walls, does not comply with the GDPR. Basically, browser settings (currently) are not proof of consent to cookies.

Cookie processing info must be clearly visible and highlighted to the user and include at least the following:

1. Identity of the controller(s)
2. Purpose of reading/writing operations
3. Existence of the right to withdraw consent
4. An exhaustive and up-to-date list of other entities using the cookie data – e.g. if shared amongst several entities

Contrary to ICO guidance which requires GDPR consent, audience measuring trackers can be deployed without user consent, based on soft opt-in, complying with the following conditions:

• Must be implemented by the website publisher or his subcontractor
• User must be informed prior to their implementation
• User must be able to opt-out easily across any devices/browsers
• The purpose must be limited to:
  • Audience measurement of the visualized content for evaluation of the published contents and the metrics of the site/app
  • Audience segmentation to evaluate the effectiveness of editorial choices, without this leading to targeting a single person
  • Dynamic modification of the site in a global way. The collected personal data must not be cross-referenced with other processed data (e.g. customer files, or attendance statistics of other sites), nor transmitted to third parties
• Only anonymous stats, scope limited to the single-site editor
• Geotagging based on IP address must not be more accurate than the city-level. The IP address collected must also be deleted/anonymized once geolocation is done.
• Trackers cannot last more than 13 months (no auto-extension during new visits). Information collected from trackers has maximum retention of 25 months.

The new guidelines serve as a basis for the CNIL meetings with cookie vendors and other stakeholders, such as CookiePro’s parent company, OneTrust, which is involved in the negotiations. Based on the meetings, the practical CNIL recommendations on the technical requirements/implementation of cookie consent guidance will be produced.

Timeline for the CNIL Recommendations:

Expected in December, followed by six weeks for public comment. Afterward, there will be a six-month ‘transition period’, rolling into fully effective in the summer of 2020

The scope will include tracking for connected devices, mobile tech, etc., excluding most direct marketing issues, except for cookie consent