On January 14, 2020, the French Supervisory Authority (“CNIL”) published a new draft guidance on the use of cookies and similar technologies on websites and applications (see here, in French).  The draft guidance is open for public consultation until February 25, 2020.

In its nine articles, the guidance sets out how to properly inform users and collect their consent in this context.  For each requirement, the guidance provides examples and best practices.

According to Article 2 of the guidance, websites and applications should provide users with clear and intelligible information about the purposes of the cookies—including, if necessary, through layered notices.  The CNIL recommends:

  • listing each purpose with a short and prominent title (e.g., bold and/or underlined) that is accompanied by a brief description of the purpose;
  • providing this information in the cookie banner or panel; and
  • providing more detailed information about the purposes through a scroll-down feature or in a separate (second) screen that is easily accessible from the consent collection interface (e.g., through a link).

Websites and applications should also provide information to users regarding the identity of the controller and the scope of the consent.  In particular, the CNIL recommends:

  • in case of multiple controllers, providing an exhaustive and up-to-date list of controllers, which should be permanently and easily accessible;
  • providing easy access to the identity of the controller(s) and a link to their webpage(s) (e.g., through a link to the “list of entities using cookies or similar technologies on our website or application” in the consent collection interface);
  • requesting new consent in case of substantial changes to this list; and
  • informing users whether their consent will allow the tracking of users’ browsing behavior across different websites and/or applications and, if that is the case, the names of those websites and/or applications.

Articles 3 to 7 provide specific guidance on obtaining the user’s consent.  These articles echo the GDPR, emphasizing that consent must be:

  • freely given;
  • specific to the purpose;
  • indicated through an affirmative and clear action by the individual;
  • easy to withdraw at any time; and
  • documented.

According to the guidance, all of the following criteria must be satisfied for consent to be “freely given”:

  • users must be given the possibility to consent to or refuse cookies;
  • it must be as easy to grant consent as to withdraw it;
  • if a user refuses cookies, this choice should be recorded for as long as the user’s consent to allow cookies would be recorded;
  • users may be given the possibility to decide on consent at a later time, in which case no cookies or similar technologies should be deployed until the user has given his or her consent; and
  • websites and applications should not nudge users to give their consent.

The guidance states that users should only be offered the possibility to consent to all cookies at once if they are also offered the possibility to consent to specific cookies per purpose and to refuse all cookies at once.

Pursuant to the guidance, the feature to withdraw consent should be permanently available on websites and applications—for example, in an area of the website or application that draws the user’s attention or where the user would expect to find it.

A website or application should keep evidence of the consent obtained from the user and of the consent interface used.

The guidance also clarifies that a website or application that is collecting consent for multiple websites or applications should provide a list of those websites and applications.  This list may be made available to users through a link in the consent collection interface.