French provisions on cookies
The latest content on cookies on the CNIL’s website is, in its own view, currently out of date and will be soon updated.
The new guidelines (in French) were adopted to summarise the applicable law and set the framework for upcoming specific recommendations. The new recommendations on compliant implementation of cookies are currently being drafted and are expected to be published in the first quarter of 2020. After publishing the new recommendations, the CNIL has planned a 6 month period of adaptation, allowing companies to implement the new rules.
- The CNIL has a very clear standpoint on the requirement of consent for cookies:
- The consent must be unambiguous: Scrolling down, swiping or browsing through a website or application is not sufficient to be considered a valid consent. Equally, pre-ticked boxes are not considered a clear proactive act of the data subject giving a consent.
- The consent must be voluntary: Blocking access to a website or mobile application after refusing consent is not GDPR compliant;
- The consent must be specific: the data subject must be able to give consent independently and specifically for each distinct purpose.
- The consent must be informed: data subject must be informed in a comprehensible, complete and visible manner. A general reference to general conditions of use is not sufficient.
- Organisations must be able to demonstrate, at any time, that they have validly obtained the consent of their users.
- It must be as easy to refuse or withdraw consent as it is to give it.
In the case of third parties using trackers, these will be fully and independently responsible for their trackers and are obliged to obtain user’s consent. The guideline specifies a few rules for audience measurement as follows:
- If audience measurement is used as a necessity for the provision of the service explicitly requested by the user, without being particularly intrusive, consent is not required (e.g. traffic statistics, test to measure performance of different website versions).
- The use of trackers must be strictly confined to anonymous data.
- The information collected through trackers may be kept for a maximum period of twenty-five months.