On October 26, 2011, the French Data Protection Authority, the CNIL, published guidance on the implementation of the new cookie rules arising from the amendments to the EU e-Privacy Directive 2002/58/EC (the “Directive”). The new cookie rules have been implemented into French national law via the ordinance of August 24, 2011, relating to electronic communications (the “Ordinance”).
Under the old rules, companies offering websites, mobile applications and other online offerings had to inform users that cookies were utilized and to supply them with information as to how to “opt-out” if the users objected to the cookie being created on their devices. Companies would often incorporate this information into the website’s main privacy statement.
According to the new rules, it is not permitted to deploy cookies (i) without the user’s prior consent (“opt-in”), and (ii) without the user having been provided with clear and comprehensive information about the cookies. Apart from suggesting in the interpretative language of the Directive that browser settings might be used to obtain a user’s consent, the Directive does not specify how these requirements should be met. Instead, the interpretation of the rules is left for individual member states.
The CNIL guidance seeks to clarify the key concepts of the new rules on cookies in several aspects:
1. Definition of cookie. The CNIL defines “cookie” broadly to include technology related to cookies, such as document object models and other web storage areas and flash cookies.
2. Obtaining consent. The CNIL follows the footsteps of other European regulators by stating that current browser settings are not mature enough to obtain valid consent. Because consent must be specific, browser settings that accept all cookies without making any distinction between the different purposes for which the cookies may be deployed cannot be deemed to constitute a valid prior consent. In addition, the CNIL rejects the notion that companies could use a single “take-it-or-leave-it” document such as terms of service to collect valid consent for each type of cookie.
Instead, the CNIL provides a variety of options for obtaining valid consent, such as inserting a banner on top of a webpage (along the lines appearing on the website of the UK Data Protection Commissioner), superimposing an area of application for consent on the webpage and requiring the user to tick boxes when registering for an online service. On the other hand, the CNIL recommends that pop-up windows for seeking consent are avoided because they are often blocked by the user’s browser.
The CNIL also states that it is sufficient to obtain the user’s consent once – for example, if a user has accepted a third party cookie originating from an advertising agency used for behavioural advertising, such consent will be valid with respect to each website where the same cookie is deployed by the advertising agency.
4. Responsibility for compliance. The guidance spells out that it is the responsibility of the website operator to comply with the notice and consent requirements when the site allows a third party to place a cookie on the website user’s computer. Therefore, the CNIL recommends that the obligations of each party are made clear in a written agreement between the website operator and the third party deploying the cookies via the website.
Parties found guilty of infringing provisions of the Ordinance are liable for an administrative fine of up to €300,000. However, the CNIL will take into account the efforts of the website operator to make its site compliant in case of a complaint.