Updates on Cookie Guidelines: CNIL vs. ICO

The French data protection authority (the “CNIL”) has adopted new guidelines on cookies and other online trackers as part of its focus on targeted advertising. The CNIL noted that the Guidelines repealed the former 2013 guidelines that didn’t comply with the GDPR. In addition, the CNIL highlighted that the Guidelines will be followed by a new recommendation which will specify technical requirements for obtaining consent.

“Cookies” made headlines a few times in July 2019. Not only did the CNIL update its guidelines on the use of cookies, but also the UK Information Commissioner’s Office (ICO) did as well.

In early July, The UK Information Commissioner’s Office (ICO) released new guidance on the use of cookies and similar technologies, providing updated directions for complying with the following laws:        

• Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’)        
• The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’)

CNIL vs. ICO: Main Differences in Recent Updates

Contrary to ICO Guidance, under the CNIL, audience measuring trackers can be deployed without user consent, based on soft opt-in

Analytics cookies may be exempt from the consent requirement, subject to strict conditions such as:

• Cookies must be put in place by the web publisher or his processor
• User must be informed and able to object to the use of measuring cookies
• Data collected must not be combined with other types of personal data, nor sold to third parties
• Trackers may be used by one publisher and not enable tracking a user over different websites or mobile apps
• The IP address cannot be used to geolocate the user more precisely than the user’s city. The user’s IP address must be deleted or made anonymous once the user has been located to avoid this data from being used or combined with other data.

Under the ICO, ‘Strictly Necessary’ exemptions have changed (i.e. Cookies used for Google Analytics and advertising purposes)

• Companies are required to be clear with users about the purpose for storing information and requesting consent. As mentioned above, cookies relating to the functionality of a website do not require consent, but cookies for analytics, social media and advertising now require consent to track data.

Items that DO meet the ‘strictly necessary’ exemption  

• Cookies that are used to remember items that a user purchases or adds to a shopping cart        
• Cookies used that must comply with GDPR’s security principle, such as a connection with an online banking service       
• Cookies that help increase the page load time

Items that DO NOT meet the ‘strictly necessary’ exemption  

• Cookies used for website analytics
• Cookies used for first and third-party advertising
• Cookies used to recognize a user when returning to a website

Simplify Compliance with ePrivacy, GDPR and CCPA

Global privacy laws, like ePrivacy, GDPR and CCPA, require companies to inform visitors about the data being collected on their website and provide them with granular choices over the information they are willing to share. In order to comply with these laws and provide a transparent experience that builds trust, website owners are rethinking their cookie compliance. Cookie Consent Made Easy

 CookiePro was purpose built to help website owners achieve and maintain cookie compliance quickly and easily. CookiePro simplifies cookie consent through an automated website scan against the largest database of pre-categorized cookies CookiePedia by OneTrust, built-in templates and multiple consent models that can be easily tailored to address requirements across various laws and standards. CookiePro is powered by OneTrust, the industry leading privacy management platform.