While the much-anticipated ePrivacy Regulation seems to be postponed for some years, local EU Data Protection Authorities formulate their statements, which provide us with concrete guidelines on how to interpret current privacy legislation within the EU. Following the British ICO statement, France’s CNIL also offered an explanation regarding ePrivacy and cookies. While there are some differences between the ICO statement and CNIL’s, it is likely that other EU Data Protection Authorities will follow CNIL’s interpretation.
Complianz keeps a close eye on evolving privacy legislation in the EU, USA, Canada, and the UK. The Complianz plugin is kept up to date with the newest developments, to provide our users with an up-to-date privacy tool. Below is a brief summary of the most important and noteworthy points from the CNIL statement.
1. Cookiewalls are a No-Go
Just like the ePrivacy Directive, CNIL states that consent has to be given freely. Cookie walls are explicitly named as not allowed, since they prevent the user from accessing a website without consenting to (tracking) cookies.
While Complianz has never supported cookie walls, we have implemented a ‘soft cookie wall’ that greys out the website until the user makes a choice regarding cookies. This solution is allowed because dismissing cookies remains possible, and thus free consent is respected.
2. Ask for consent per purpose
According to the CNIL statement, websites have to ask for consent per purpose. For example, when your website uses a Facebook pixel (which should be categorized as Marketing/Tracking) and Google Analytics (Statistics), you should ask for separate consent for tracking cookies and for statistical cookies. A simple ‘yes/no’ or ‘accept all/essentials only’ choice is not sufficient in this case. Complianz allows you to set up a banner with categories easily.
4. No implied consent
Consent for non-functional cookies must be actively given. This means that a visitor has to press an accept button to express consent. Pre-checked categories (other than functional) are not allowed either. We still see a lot of websites using implied consent mechanisms such as ‘consent on scroll’ or consent on continued browsing; CNIL repeats that these forms of consent are not allowed.
5. The Website Administrator remains responsible
The first CNIL statement emphasized the responsibility of third parties whose tracking scripts are used. For example, the Google Fonts API requesting the user’s IP address would be the responsibility of Google. However, the EU court ruled that the website administrator remains responsible as a data controller and has to arrange for consent.
6. Also, report functional cookies
7. Statistical cookies
While the British ICO statement deviated from the draft ePrivacy Regulation by always requiring consent for statistical cookies (even when set up in a privacy-friendly way), CNIL leaves room to gather statistics without asking for consent. One condition under which statistical scripts and cookies can be placed without consent is that they are first-party cookies, or that a processing agreement is in place with the third party concerned. Another requirement is that these cookies cannot be placed when the browser sends a ‘Do Not Track’ signal.
CNIL also adds further requirements for gathering statistics: the statistics cookie may not remain in place for longer than 13 months, and the gathered data cannot be stored for longer than 25 months.
Tip: If Google Analytics is the only tool that places or accesses statistical cookies, you could consider setting up Google Analytics in a privacy-friendly way. When following the guidelines provided by CNIL or those of the Dutch DPA, we are of the opinion that there is then no need to ask for consent before firing the anonymized Analytics script, and it is sufficient to ask for consent only for tracking cookies.
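As an added example (not Complianz plugin code) of applying the conditions above in the browser, the following gate decides per category which scripts may fire before anything non-functional is loaded. The function names and the shapes of the consent record and site configuration are assumptions:

```javascript
// Added example, not Complianz code. Applies the CNIL conditions summarised above:
// no implied consent, consent per category, a consent-free statistics exemption
// that is lost when the browser sends Do Not Track, and a 13-month cookie limit.

// True when the browser sends a "Do Not Track" signal. navigator.doNotTrack is the
// common property; older IE exposed msDoNotTrack. "1" or "yes" means opted out.
function dntEnabled(nav) {
  const v = nav.doNotTrack ?? nav.msDoNotTrack;
  return v === '1' || v === 'yes';
}

// consent: what the visitor actively chose in the banner, per category, e.g.
//   { statistics: true, marketing: false }. A missing record or a value that is
//   not exactly `true` is never read as consent (no pre-checked boxes, no consent
//   on scroll). (assumed shape)
// site: how statistics are collected (assumed shape):
//   { firstPartyOrProcessor: bool, anonymized: bool }
//   first-party cookies or a processing agreement, and a privacy-friendly setup.
function decideCategories(consent, site, nav) {
  const given = (category) => Boolean(consent) && consent[category] === true;

  // Functional cookies never need consent.
  const functional = true;

  // Statistics: explicit consent, or the CNIL exemption (first-party / processing
  // agreement, privacy-friendly, and no DNT signal from the browser).
  const statsExempt = site.firstPartyOrProcessor === true
    && site.anonymized === true
    && !dntEnabled(nav);
  const statistics = given('statistics') || statsExempt;

  // Marketing/tracking (e.g. a Facebook pixel): explicit consent only.
  const marketing = given('marketing');

  return { functional, statistics, marketing };
}

// Expiry for the statistics cookie: the requested lifetime (e.g. a script's
// default of 24 months) capped at the 13 months CNIL allows. Calendar months in
// UTC, so the result is deterministic regardless of the machine's time zone.
function statisticsCookieExpiry(nowMs, requestedMonths) {
  const d = new Date(nowMs);
  d.setUTCMonth(d.getUTCMonth() + Math.min(requestedMonths, 13));
  return d;
}
```

At page load, call `decideCategories` with the stored banner choice, the site configuration and `navigator`, and only inject the script tags for the categories that came back `true`.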