On October 1, 2020, the French Supervisory Authority (“CNIL”) published the final version of its Guidelines on cookies and other tracking technologies (hereafter, “guidelines” – see announcement here, and guidelines here, in French), as well as an adjoining set of best practice recommendations (in French) with examples on how to implement the guidelines.  In this blog post, we summarize the key points mentioned in the CNIL’s guidelines.

The new version of the guidelines takes into account contributions submitted by various stakeholders during the public consultation period for both documents, as well as a recent decision of the French Council of State regarding a prior version of the guidelines.

The CNIL indicates that these guidelines and recommendations apply to any technologies used to collect data from terminal equipment (including computers, tablets, smartphones, gaming consoles, connected TVs, connected vehicles and voice assistants), and specify when such technologies can be used.  According to the CNIL, these guidelines and recommendations do not apply to the processing of personal data collected using cookies, which has to comply with the EU General Data Protection Regulation (“GDPR”).

Below, we summarize some key takeaways regarding certain topics covered in the CNIL’s guidelines and best practice recommendations.

  • Cookie walls: The lawfulness of cookie walls has to be assessed on a case-by-case basis.  However, the service provider should clearly inform users about the consequence of accepting or refusing cookies.  For example, users should be informed about the impossibility of accessing the service if they refuse cookies.
  • Consent:
    • Granular consent: Requesting a single consent for cookies used for different purposes may result in “consent bundling”, which may render the consent obtained invalid.
    • Specific consent: The acceptance of general terms and conditions does not constitute a valid consent for the deployment of cookies.
    • Informed: Consent must be preceded by clear, simple, up-to-date, prominent and easily accessible information about the identity of the party(-ies) deploying the cookie(s), the purpose(s) of the cookies, how to accept/refuse cookies, the consequences of refusing cookies, and the right to withdraw consent.
    • Affirmative actions: Pre-ticked boxes or relying on the continued use of a service (e.g., a website) do not constitute a valid consent, as they do not entail an affirmative action on the part of the individual to demonstrate agreement to the processing.
    • Proof of consent: Consent must be documented and kept on record.
    • Withdrawal of consent: Users should be able to withdraw consent at any time, and withdrawing consent should be easy.
  • Responsibility:
    • Main responsibility: It is the responsibility of the party providing services to the user to ensure it has implemented a compliant consent management tool that enables third parties to lawfully deploy cookies through that service.
    • Joint responsibility: If the service provider and third party deploying cookies jointly determine the means and the purposes of the cookies, then they are jointly responsible for ensuring compliance with the cookie rules.
  • Browser settings: Service providers cannot require users to grant consent or withdraw consent through browser settings, which currently do not meet the consent standard of the GDPR.
  • Cookies with two purposes: If a cookie has two purposes and consent is required for one of them, then consent must be obtained before deploying such a cookie.
  • Examples of cookies exempt from consent:
    • cookies for the sole purpose of carrying out the transmission of a communication over an electronic communications network;
    • cookies that are strictly necessary in order to provide an information society service explicitly requested by the user;
    • cookies that remember the consent/refusal of cookies;
    • authentication cookies;
    • cookies used to remember products/services added to the “shopping cart” and used for the payment process;
    • cookies to personalize the user interface (including the language and how the service is presented), where the personalization is an intrinsic part of the service;
    • load-balancing cookies;
    • cookies that enable services or content requiring payment to limit free access to content (after a predefined quantity of “free views” or time period); and
    • first-party analytics cookies that collect data converted into anonymous statistics strictly necessary for performance measurement, detection of navigation problems, optimization of technical performance or ergonomics, assessing the required server capacity, analysis of the content consulted and other similar purposes.  Such analytics cookies may not generate transmissions of data to third parties.

In terms of its plans for the future, the CNIL announced that it will start enforcing these cookie rules as of April 2021.  We will continue to monitor guidelines and statements on cookies issued by the CNIL and other supervisory authorities, as we continue to assist clients in a variety of ways to help ensure compliance with these requirements.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and has developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Nicholas Shepherd

Nick Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the EU/UK General Data Protection Regulation (GDPR), ePrivacy Directive and its national implementing laws, EU/UK direct marketing laws, emerging state privacy laws in the United States, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border data transfers, data breach response, artificial intelligence, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements on transparency, consent, lawful processing, data sharing, and related issues.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick now leverages his multi-faceted legal background and international experience from the U.S. to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.