On October 1, 2020, the French data protection authority, the CNIL (“Commission Nationale de l’Informatique et des Libertés”) issued guidelines on the use of cookies and trackers (the “Guidelines”). These Guidelines are meant to clarify applicable law and to help public and private entities establish good practices for their use of cookies and similar technologies in France. The CNIL also published long-awaited recommendations (the “Recommendations”) and a set of Q&As on the Recommendations, that should be used as a practical guide to be read in conjunction with the Guidelines. In January 2020, the CNIL had already submitted its draft recommendations to public consultation, the inputs of which were included in the final version.

The CNIL takes a very protective approach toward users’ privacy, with a strong focus on users’ consent and their ability to refuse cookies. The main takeaways of the CNIL’s Guidelines and practical Recommendations are provided below.

Legal Framework and Scope of Guidelines. The Guidelines clarify the legal framework resulting from the EU ePrivacy directive of July 12, 2002 (Directive on Privacy and Electronic Communications), amended in 2009 and transposed into Article 82 of the French Data Protection Act in December 2018; and the definition of consent provided for at Article 4 of the GDPR, and developed in the related European Data Protection Board guidelines.

The Guidelines apply to all operations that aim at accessing information stored in a subscriber’s or user’s equipment, by means of electronic transmission (i.e., accessing trackers and cookies), or at saving information on said equipment (i.e., placing trackers and cookies). This means that all private and public entities using trackers and cookies which are based in France or offering services in the country will have to comply with these Guidelines.

Consent Requirements. The Guidelines also reiterate that pursuant to Article 82 of the French Data Protection Act, consent shall be collected prior to using cookies, subject to limited exceptions. Drawing on this, the CNIL develops on the requirements to collect users’ consent and recommends practical modalities to do so.

  • Users must provide free, informed, specific and unequivocal consent.
    • Users shall consent to trackers by a clear positive action (for instance clicking on “I accept” on a cookie banner). If they do not, no non-essential trackers may be used.
    • A user continuing to navigate on a website cannot be considered a valid expression of consent.
    • Users must also be able to easily withdraw their consent at any time.
    • Refusing trackers must be as easy as accepting them. The Recommendations, for instance, suggest that the interface for collecting consent not only includes an “accept all” button but also a “refuse all” button. The Guidelines stress that users should not suffer any disadvantage if they do not consent. Accordingly, cookie walls compelling users to consent if they want to navigate the website may affect the validity of consent.
    • Users shall give their specific consent for each specific purpose. The collection of global consent for different processing operations with different purposes is unlikely to be valid. Also, consent cannot be collected through general acceptance of the terms and conditions. The Recommendations, however, make clear that it is possible to ask for a global consent or refusal when users were given the option to “customize” their choices.
    • In addition, so that users are fully aware of the scope of their consent, the CNIL recommends that, when trackers allow monitoring on other websites than the one that was actually visited, consent be collected on each of the websites.
  • Users must receive proper information on trackers and their purposes.
    • Users must be clearly informed of the purposes of trackers and of the consequences of accepting or refusing them before providing their consent. The CNIL recommends that each purpose be presented as a short and highlighted title, along with a brief description (the so-called “first level of information”). The CNIL also suggests adding a more detailed description of each purpose, which should be easily accessible from the consent collection interface (the so-called “second level of information”). The data controller is advised to indicate the categories of data collected through trackers for each purpose in a way that is easily accessible to the user.
    • Users shall at least be informed of (i) the identity of all actors that will use cookies, (ii) the purpose of the write and read operations, (iii) the ways to consent or refuse cookies, (iv) the consequences of refusal and (v) the right to withdraw consent. The CNIL recommends that users be provided with an exhaustive list of data controllers prior to giving their consent. This list should be updated on a regular basis. The CNIL suggests making this list available as part of the “first level of information.” More detailed information about the various controllers (g., their data protection policy) can be provided with the “second level of information.”
  • Settings are not consent.
    • The Guidelines add that parameter settings of browsers and operating systems cannot, in themselves, be considered as a valid consent. The level of information provided by these settings on consent is not yet compliant with regulations governing trackers and cookies.
  • Websites must record consent.
    • Under the Recommendations, consent or refusal should be recorded so that the user is not asked again.
    • However, since users are likely to forget that they gave consent after a certain time, the CNIL recommends that consent should be requested again after six months.
  • Proof of consent is required.
    • Website operators using cookies must be able to provide proof that users gave their free, informed, specific and unequivocal consent, and that the mechanism used has all the characteristics that allow a valid consent to be collected.
    • The Recommendations mention that proof of consent may for instance consist of a date-stamped screenshot. Regular audits of the consent collection mechanisms shall be implemented by the websites.

Consent Exemptions. The Guidelines reiterate that certain trackers are exempt from the collection of consent, such as (i) trackers recording the choice expressed by the user on the use of trackers, (ii) authentication trackers, (iii) trackers designed to save the content of a shopping cart on a merchant site, (iv) user interface customization trackers (e.g., language preference), (v) trackers intended to generate traffic statistics, (vi) trackers allowing load balancing of equipment contributing to a communication service or (vii) trackers allowing paid sites to limit free access to a sample of content requested by users.

Cookie Actors. The Guidelines also present what is expected from the various actors using cookies. The CNIL considers that the website editor is generally the data controller, including when the editor uses subcontractors. Other entities placing cookies on an editor’s website should also be considered as controllers if they are acting on their own behalf. The website editor must verify that third-party cookies are also compliant. The CNIL also stresses that website editors are jointly responsible with third parties using cookies on their website when they work together to determine the processing operations and their purpose. Importantly, entities storing or accessing stored information on users’ equipment for a third party is considered to be a data processor, and processing should be governed by a contract or other legally binding act.

Compliance Required Before End of March 2021. The CNIL invites all entities to ensure that their practices comply with the requirements of the GDPR and the 2002 ePrivacy directive, which are clarified by the Guidelines. The CNIL estimates that the deadline for compliance should not exceed six months, i.e. by the end of March 2021 at the latest. While the CNIL notes that it will take into account operational difficulties during this period, and will thus prioritize support measures over controls, it adds that it may also investigate and sanction breaches, in particular in the event of a particularly serious breach to the right to privacy.

Author

Alexandre Bisch is an international counsel in Debevoise's Paris office and a member of the firm’s Litigation Department. He can be reached at abisch@debevoise.com.

Author

Ariane Fleuriot is an associate in Debevoise's Litigation Department. She can be reached at afleuriot@debevoise.com.

Author

Fanny Gauthier is an associate in Debevoise's Litigation Department, based in the Paris office. Ms. Gauthier is a member of the firm’s International Dispute Resolution Group, as well as the firm’s Data Strategy & Security practice. Her practice focuses on complex commercial litigation, international arbitration and data protection. She can be reached at fgauthier@debevoise.com.