On January 14, 2020, the French Supervisory Authority (“CNIL”) published a new draft guidance on the use of cookies and similar technologies on websites and applications (see here, in French).  The draft guidance is open for public consultation until February 25, 2020.

In its nine articles, the guidance sets out how to properly inform users and collect their consent in this context.  For each requirement, the guidance provides examples and best practices.

According to Article 2 of the guidance, websites and applications should provide users with clear and intelligible information about the purposes of the cookies—including, if necessary, through layered notices.  The CNIL recommends:

  • listing each purpose with a short and prominent title (e.g., bold and/or underlined) that is accompanied by a brief description of the purpose;
  • providing this information in the cookie banner or panel; and
  • providing more detailed information about the purposes through a scroll-down feature or in a separate (second) screen that is easily accessible from the consent collection interface (e.g., through a link).

Websites and applications should also provide information to users regarding the identity of the controller and the scope of the consent.  In particular, the CNIL recommends:

  • in case of multiple controllers, providing an exhaustive and up-to-date list of controllers, which should be permanently and easily accessible;
  • providing easy access to the identity of the controller(s) and a link to their webpage(s) (e.g., through a link to the “list of entities using cookies or similar technologies on our website or application” in the consent collection interface);
  • requesting new consent in case of substantial changes to this list; and
  • informing users whether their consent will allow the tracking of users’ browsing behavior across different websites and/or applications and, if that is the case, the names of those websites and/or applications.

Articles 3 to 7 provide specific guidance on obtaining the user’s consent.  These articles echo the GDPR, emphasizing that consent must be:

  • freely given;
  • specific to the purpose;
  • indicated through an affirmative and clear action by the individual;
  • easy to withdraw at any time; and
  • documented.

According to the guidance, all of the following criteria must be satisfied for consent to be “freely given”:

  • users must be given the possibility to consent to or refuse cookies;
  • it must be as easy to grant consent as to withdraw it;
  • if a user refuses cookies, this choice should be recorded for as long as the user’s consent to allow cookies would be recorded;
  • users may be given the possibility to decide on consent at a later time, in which case no cookies or similar technologies should be deployed until the user has given his or her consent; and
  • websites and applications should not nudge users to give their consent.

The guidance states that users should only be offered the possibility to consent to all cookies at once if they are also offered the possibility to consent to specific cookies per purpose and to refuse all cookies at once.

Pursuant to the guidance, the feature to withdraw consent should be permanently available on websites and applications—for example, in an area of the website or application that draws the user’s attention or where the user would expect to find it.

A website or application should keep evidence of the user’s consent obtained and of the consent interface used.

The guidance also clarifies that a website or application that is collecting consent for multiple websites or applications should provide a list of those websites and applications.  This list may be made available to users through a link in the consent collection interface.

Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sectors. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum, from advising clients on government affairs strategies concerning lawmaking, to compliance advice on the adopted laws, regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.