CNIL Publishes FAQ Clarifying Cookie Use

Background

The CNIL’s guidelines and recommendation of September 17, 2020 repeal the CNIL’s previous guidelines of 2013 to take into account the GDPR’s definition of consent. They are the final versions of these documents after (i) a public consultation and (ii) a decision of June 19, 2020 (French only) of the French Administrative Supreme Court (Conseil d’Etat) which ruled that the CNIL had no power to prohibit cookies walls, requiring that the guidelines be modified.

More precisely, the guidelines set out the general legal requirements for cookies and other tracking technologies, while the recommendation details what the CNIL considers to be best practices for obtaining users’ consent. Although not formally binding, these documents indicate the legal interpretation and position of the CNIL which can issue GDPR sanctions for lack of compliance with the principles they explain and illustrate.

Key aspects of the CNIL’s guidelines and recommendation on cookies

• Consent methods and cookies walls: the CNIL does not formally prohibits the use of cookies walls but explains that making consent a condition of access to a service is prone to infringing the GDPR principle of free consent and recommend conducting a case-by-case assessment of such models. It also identifies that a granular per-purpose consent must be collected, which means that a common consent for all cookies is not acceptable, as it does not provide the user with a real choice. A consent must be collected for each purpose of cookie and manifested by a clear and positive action of the user (e.g., ticking a box, displaying sliders, etc. deactivated by default), as any other action (e.g., scrolling, browsing, etc.) is considered as a refusal.
• Content of the cookie banner: To provide clear and easily accessible information, the CNIL recommends that information and options (accept, reject, etc.) be provided at the first level of information with the same design so that it cannot be deceptive for users. In practice, this would mean for example having buttons or links for “accept all cookies”/ “refuse all cookies” options displayed with the same format, size, and type in the cookie banner. The CNIL even provides an example of a cookie banner with similar buttons for “accept all”, “refuse all” and “personalize my choices.”
• Withdrawal of consent: Users must be able to withdraw consent at any time and easily as providing consent or indicating refusal. Websites cannot only rely on browsers and operating systems’ cookies settings to provide possibilities to refuse cookies or withdraw consent, but must also provide an easily accessible webpage where users can indicate and change their choices.
• Consent exceptions: In principle, users’ consent must be collected for each category or purpose of cookies before deploying them on their devices. An exception to this rule exists but must be strictly interpreted and only concerns a specific category of cookies which are cookies that are strictly necessary. Strictly necessary cookies are cookies necessary for the functioning of the website and without which the essential functions of the website would not work. They are narrowly listed as follows:
  • trackers storing the choice expressed by the users on the use of trackers;
  • trackers intended for authentication to a service, including those to ensure the security of the authentication mechanism, for example by limiting robotic or unexpected access attempts;
  • trackers intended to store the content of a shopping cart on a merchant website or to invoice the user for the products and/or services his/she purchased;
  • trackers used for user interface customization (e.g. for the choice of language or presentation of a service), where such personalization is an intrinsic and expected part of the service;
  • trackers allowing load balancing of the equipment involved in a communication service;
  • trackers that allow paying websites to limit free access to a sample content requested by users (predefined quantity and/or over a limited period of time).

Audience measurement cookies also constitute a separate category that can benefit from the consent exception in very limited circumstances where they are strictly necessary to the proper functioning of the website or the application and therefore to the provision of the service (e.g., performance measurement, detection of browsing problems, optimization of technical performance, analysis of the contents consulted, etc.). Such trackers must not be used for further purposes which require consent (e.g., tracking the user’s navigating across the website) and must only be used to produce anonymous statistical data that cannot be cross-checked with other processing or transmitted to third parties.

Additional information drawn from the FAQ

• CNIL’s scope of intervention: As provisions about cookies and trackers coming from the ePrivacy Directive, which set out the European rules on cookies and trackers, have been transposed into the French Data Protection Act (Loi Informatique et Libertés), the FAQ specifies that the CNIL’s scope of intervention includes both cookies and trackers collecting personal data and cookies and trackers that do not collect personal data. CNIL’s audits are therefore expected to focus on all categories of cookies and trackers.
• Focus on specific cookies for the consent exception: The CNIL also reminds that consent exceptions are very limited. For example, it specifies that cookies used for invoicing affiliation operations (i.e., an e-commerce platform promoting products of an affiliated e-commerce website) do not benefit from the consent exception. Cookies used to fight against fraud (e.g., for an e-commerce website or for an online bank) also do not benefit from the consent exception, except for some very specific cookies such as those used to ensure security of an authentication mechanism. Companies using such cookies must therefore pay particular attention to them to ensure consent is actually collected.
• CNAME cloaking: CNAME cloaking refers to the practice of delegating a sub-domain to a third party and then enabling the third party to deploy cookies appearing as “first-party” instead of “third-party,” which the CNIL states is not contrary to the GDPR and the French Data Protection Act. The CNIL highlights, however, that such practice can induce security vulnerabilities and incidents, and must be implemented with care and strict respect of applicable rules and appropriate security measures. During audits, the CNIL would therefore certainly look for websites practicing CNAME cloaking.
• Audience measurement solutions: Sensitive to the difficulties encountered by companies to understand and apply the consent’s exemptions, the CNIL launched an assessment program of audience measurement solutions. It will soon publish on its website a list of the solutions meeting the criteria of consent’s exemption to help more easily identify them.

Next steps

Compliance with the CNIL’s guidelines and recommendation on cookies must be implemented without delay as this is an area of compliance the CNIL is actively monitoring and will intensify through its audit missions as of April 1, 2021. Additional legal and practical developments are expected in the coming months, so developments in this area should be closely monitored. This is particularly true as:

• The ePrivacy Regulation is expected to replace the ePrivacy Directive after a version was adopted by the Member States on February 10, 2021 and is currently being discussed within the European institutions (see our comparison of the current drafts); and 
• Major players in the online ecosystem have taken steps to end or limit the use of advertising cookies and implement other information exchange systems that are likely to reshape the digital activity trackers environment.

Authored by Patrice Navarro and Julie Schwartz.