0
CookiePro Blog 2 minutes | November 26, 2019

Cookies 2019 Year in Review: CNIL

As 2019 comes to a close, CookiePro is looking back on some of the privacy headlines. Over the next couple of weeks, we’re featuring a series providing cookie updates that were made in certain regulations and frameworks. This week, we’ll highlight when France’s Data Protection Authority, the CNIL, released updated cookie guidelines.

Updated CNIL Guidelines

On July 4, 2019, the CNIL released new guidelines that repealed those from Article 5.3 of the e-Privacy Directive from 2013. The updated Guidelines outline methods of obtaining consent when using an online tracker, the use of audience measurement trackers, and the configuration of terminal settings.

In addition, the CNIL mentioned that the Guidelines will be followed by a new recommendation (‘the Draft Recommendation’), which will be created after consultation with professionals and civil society and will then be subject to public consultation.

Key Takeaways

  1. Before installing cookies and other technologies, consent must be must be freely given, specific, informed, and affirmatively expressed, as well as provided for each distinct purpose of the processing activity.
  2. The use of a pre-ticked banner is not considered a valid way of obtaining consent at any time.
  3. Service providers must implement user-friendly solutions in order to allow users who have given their consent to withdraw at any time.
  4. Service providers should implement mechanisms to demonstrate that they have obtained the consent of users.
  5. Blocking access to a website or mobile application to users that do not not provide consent is to be deemed incompatible with the GDPR.
  6. Analytic cookies and audience measurement technologies may be regarded as necessary for the provision of the service explicitly requested by the user, and can be exempted from the collection of consent.
  7. A cookie policy must include information regarding the identity of the data controller, the purpose of the placing or tracking operations, and the right to withdraw consent. It also must be clearly visible to the user.