CNIL and Cookies
Last Updated: February 23, 2021
The French Data Protection Authority, the Commission nationale de l’informatique et des libertés (CNIL), is an independent regulatory body. Its primary objective is ensuring that data privacy law is applied to the collection, storage, and use of personal data relating to French cookies.
Enforcement of CNIL Cookies
The introduction of the General Data Protection Regulation (GDPR) has clarified the definition of cookie consent. The European Data Protection Board (EDPB), which is composed of all the national data protection authorities from EU member states, clarified the definition of cookie consent in its guidelines issued in May 2020.
CNIL Cookies Update from 2019
Cookie Wall Challenge
However, many marketing and online e-commerce associations challenged this ban. The Council of State decided the CNIL exceeded its power by placing a ban on cookie walls, therefore allowing the use of cookie walls.
Eventually, the CNIL revised the enforcement of cookie walls by determining that there may be situations in which cookie walls may be used. It declared that in those cases, and subject to the lawfulness of this practice, which will be evaluated on a case-by-case basis, users must be clearly informed of the impacts of their choices and that they will not be able to access the content or service without their consent.
CNIL Cookies Main Changes
The CNIL’s guidelines of 2020 replace the guidelines from July 2019. It is the third set of guidance published by the regulatory body, with the first set introduced in 2013.
Some important changes include:
- browsing a website cannot be considered as valid consent from the user
- users must provide consent for each cookie and tracking purpose
- information must be provided to the user about how their data will be used and who has access
- the data controller must be able to prove at all times that it obtained the user’s valid prior consent
- withdrawing consent by the user must be as easy as it was to give it
- when several parties are involved in processing data from cookies, roles and responsibilities must be specified to all
Read more about the main changes from 2019 to 2020 guidelines here.
Collecting Valid Consent for Cookie Compliance under French Requirements
As many people may already know, French legal and CNIL cookie requirements apply to businesses and websites that are based in France. However, the regulations also apply to any website or mobile app that targets French visitors regardless of hosting location.
Under Article 82 of the French Data Protection Act and Article 4 of the GDPR, a user’s consent is valid only when it is:
- freely given
- informed, and
Cookie compliance and best practices ensure the following information is provided to your users before collecting consent:
- identity of the data controller(s) and any joint controller(s)
- the purpose of the processing activities used with the cookies
- consequences of refusing or accepting cookies, and
- the option of the user’s right to withdraw their consent