On October 1, 2020, the French Supervisory Authority (“CNIL”) published the final version of its Guidelines on cookies and other tracking technologies (hereafter, “guidelines” – see announcement here, and guidelines here, in French), as well as an adjoining set of best practice recommendations (in French) with examples on how to implement the guidelines.  In this blog post, we summarize the key points mentioned in the CNIL’s guidelines.

The new version of the guidelines takes into account contributions submitted by various stakeholders during the public consultation period for both documents, as well as a recent decision of the French Council of State regarding a prior version of the guidelines.

The CNIL indicates that these guidelines and recommendations apply to any technologies used to collect data from terminal equipment (including computers, tablets, smartphones, gaming consoles, connected TVs, connected vehicles and voice assistants), and specify when such technologies can be used.  According to the CNIL, these guidelines and recommendations do not apply to the processing of personal data collected using cookies, which has to comply with the EU General Data Protection Regulation (“GDPR”).

Below, we summarize some key takeaways regarding certain topics covered in the CNIL’s guidelines and best practice recommendations.

  • Cookie walls: The lawfulness of cookie walls has to be assessed on a case-by-case basis.  However, the service provider should clearly inform users about the consequence of accepting or refusing cookies.  For example, users should be informed about the impossibility of accessing the service if they refuse cookies.
  • Consent:
    • Granular consent: Requesting one consent for cookies used for different purposes may result in “consent bundling”, which affect may render the consent obtained invalid.
    • Specific consent: The acceptance of general terms and conditions does not constitute a valid consent for the deployment of cookies.
    • Informed: Consent must be preceded by clear, simple, up-to-date, prominent and easily accessible information about the identity of the party(-ies) deploying the cookie(s), the purpose(s) of the cookies, how to accept/refuse cookies, the consequences of refusing cookies, and the right to withdraw consent.
    • Affirmative actions: Pre-ticked boxes or relying on the continued use of a service (e.g., a website) do not constitute a valid consent, as they do not entail an affirmative action on the part of the individual to demonstrate agreement to the processing.
    • Proof of consent: Consent must be documented and kept on record.
    • Withdraw consent: Users should be able to withdraw consent at any time. It should be easy to withdraw consent.
  • Responsibility:
    • Main responsibility: It is the responsibility of the party providing services to the user to ensure it has implemented a compliant consent management tool that enables third parties to lawfully deploy cookies through that service.
    • Joint responsibility: If the service provider and third party deploying cookies jointly determine the means and the purposes of the cookies, then they are jointly responsible for ensuring compliance with the cookie rules.
  • Browser settings: Service providers cannot require users to grant consent or withdraw consent through browser settings, which currently do not meet the consent standard of the GDPR.
  • Cookies with two purposes: If a cookie has two purposes and consent is required for one of them, then consent must be obtained before deploying such a cookie.
  • Examples of cookies exempt from consent:
    • cookies for the sole purpose of carrying out the transmission of a communication over an electronic communications network;
    • cookies that are strictly necessary in order to provide an information society service explicitly requested by the user;
    • cookies that remember the consent/refusal of cookies;
    • authentication cookies;
    • cookies used to remember products/services added to the “shopping cart” and used for the payment process;
    • cookies to personalize the user interface (including the language and how the service is presented), where the personalization is an intrinsic part of the service;
    • load-balancing cookies;
    • cookies that enable services or content requiring payment to limit free access to content (after a predefined quantity of “free views” or time period); and
    • first-party analytics cookies that collect data converted into anonymous statistics strictly necessary for performance measurement, detection of navigation problems, optimization of technical performance or ergonomics, assessing the required server capacity, analysis of the content consulted and other similar purposes.  Such analytics cookies may not generate transmissions of data to third parties.

In terms of its plans for the future, the CNIL announced that it will start enforcing these cookie rules as of April 2021.  We will continue to monitor guidelines and statements on cookies issued by the CNIL and other supervisory authorities, as we continue to assist clients in a variety of ways to help ensure compliance with these requirements.