Complianz Privacy Suite

CNIL updated privacy guidelines

Leon Wimmenhoeve


While the much-anticipated ePrivacy Regulation seems to be postponed for some years, local EU Data Protection Authorities formulate their statements, which provide us with concrete guidelines on how to interpret current privacy legislation within the EU. Following the British ICO statement, France’s CNIL also offered an explanation regarding ePrivacy and cookies. While there are some differences between the ICO statement and CNIL’s, it is likely that other EU Data Protection Authorities will follow CNIL’s interpretation.

Complianz keeps a close eye on evolving privacy legislation in the EU, USA, Canada, and the UK. The Complianz plugin is kept up to date with the newest developments, to provide our users with a current privacy tool. Below is a brief summary of the most important and noteworthy points from the CNIL statement.

1. Cookiewalls are a No-Go

Just like the ePrivacy Directive, CNIL states that consent has to be given freely. Cookie walls are explicitly mentioned as not allowed, as they prevent the user from accessing a website without consenting to (tracking) cookies.

While Complianz never supported cookie walls, we have implemented a ‘soft cookiewall’, which greys out the website before a user makes a choice regarding cookies. This solution is allowed because dismissing cookies is possible, and thus free consent is respected.

2. Ask for consent per purpose

According to the CNIL statement, websites have to ask for consent per purpose. For example, when your website uses a Facebook pixel (which should be categorized as Marketing/Tracking) and Google Analytics (Statistics), you should ask for separate consent for tracking and statistical cookies. A simple ‘yes/no’ or ‘accept all/essentials only’ choice is not sufficient in this case. Complianz lets you set up a banner with consent categories easily.

3. Frequently update your Cookie Policy

CNIL states that websites should provide an exhaustive and regularly updated list of third parties that place or access cookies via a website. We already know this list as a required part of the Cookie Policy, but CNIL explicitly states that this list should be updated regularly.

The Complianz plugin scans your website on a weekly schedule and notifies you if it detects changes in the plugins used or the cookies placed. This way, you can review the changes before they are published to your Cookie Policy.

4. No implied consent

Consent for non-functional cookies must be actively given. This means that a visitor has to press an accept button to express consent actively. Also, pre-checked categories (other than functional) are not allowed. We still see a lot of websites using implied consent functions like ‘consent on scroll’ or consent on continued browsing. CNIL repeats that these forms of consent are not allowed.

5. The Website Administrator remains responsible

The first CNIL statement emphasized the responsibility of third parties that utilize tracking scripts. For example, the Google Fonts API requesting an IP address of the user would be the responsibility of Google. However, the EU court ruled that the website administrator remains responsible as a data controller, and has to regulate consent.

6. Also report functional cookies

Cookies that are categorized as strictly functional or technical require no consent from the website visitor. However, they still need to be listed in the above-mentioned Cookie Policy. CNIL also emphasizes this requirement.

7. Statistical cookies

While the British ICO statement deviated from the draft ePrivacy Regulation by always requiring consent for statistical cookies (even when set up in a privacy-friendly way), CNIL offers possibilities to gather statistics without asking for consent. One condition under which statistical scripts and cookies may be placed without consent is that they are first-party cookies, or that a processing agreement is in place with the third party concerned. A further requirement is that these cookies may not be placed when the browser sends a ‘Do Not Track’ signal.

CNIL also adds further requirements for gathering statistics: the gathering of statistics may not continue for longer than 13 months, and the gathered data may not be stored for longer than 25 months.

Tip: If Google Analytics is the only tool that places or accesses statistical cookies, you could consider setting up Google Analytics in a privacy-friendly way. When following the guidelines provided by CNIL or those of the Dutch DPA, we are of the opinion that there is then no need to ask for consent before firing the anonymized Analytics script, and that asking consent only for tracking cookies suffices.
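Points 2, 4 and 7 above together describe a small decision model: consent is recorded per purpose, only an explicit click counts, nothing non-functional is pre-checked, and statistics scripts may fire without consent only for first-party cookies (or under a processing agreement) and never when the browser sends Do Not Track. The JavaScript below is an added example written for this article to illustrate those rules; it is not Complianz plugin code. The function names, the consent record layout, the `env` object and the `navigator` stub are all assumptions of the example, and the 13-month limit is applied here as the maximum validity of a consent record.

```javascript
// Added example (not Complianz or CNIL code): a minimal per-purpose consent model.
// Purposes follow the categories named in the article.
const PURPOSES = ["functional", "statistics", "marketing"];
const CONSENT_VALIDITY_MONTHS = 13; // 13-month limit named in the CNIL statement

// State before the visitor has chosen anything: functional cookies need no
// consent, and no non-functional purpose is pre-checked.
function defaultConsent() {
  return {
    explicit: false,   // true only after an accept or dismiss click
    givenAt: null,     // ISO timestamp of that click
    purposes: { functional: true, statistics: false, marketing: false },
  };
}

// Only an explicit "accept" with a named list of purposes grants consent.
// Scrolling or navigating on (implied consent) leaves the state untouched;
// "dismiss" records an explicit refusal of every non-functional purpose.
function applyChoice(state, action, acceptedPurposes, now) {
  if (action !== "accept" && action !== "dismiss") return state;
  const next = defaultConsent();
  if (action === "accept") {
    for (const p of acceptedPurposes || []) {
      if (PURPOSES.includes(p)) next.purposes[p] = true; // unknown purposes are ignored
    }
  }
  next.explicit = true;
  next.givenAt = now.toISOString();
  return next;
}

// Calendar-month arithmetic in UTC (day overflow at month end rolls forward,
// which is acceptable for an expiry check).
function addMonths(date, months) {
  const d = new Date(date.getTime());
  d.setUTCMonth(d.getUTCMonth() + months);
  return d;
}

// A consent record is honoured for at most CONSENT_VALIDITY_MONTHS; after that
// the banner has to be shown again.
function consentIsCurrent(state, now) {
  if (!state.explicit || !state.givenAt) return false;
  return now < addMonths(new Date(state.givenAt), CONSENT_VALIDITY_MONTHS);
}

// navigator.doNotTrack is "1" when the user enabled DNT; some older browsers sent "yes".
function doNotTrackEnabled(nav) {
  return nav.doNotTrack === "1" || nav.doNotTrack === "yes";
}

// Statistics may run with current, explicit consent. Without consent they may
// run only when the cookies are first-party (or a processing agreement covers the
// third party) and the browser sends no Do Not Track signal.
function statisticsAllowed(state, env, now) {
  if (consentIsCurrent(state, now) && state.purposes.statistics) return true;
  if (doNotTrackEnabled(env.navigator)) return false;
  return env.firstPartyStatistics === true || env.processingAgreement === true;
}

// Which script groups the page may load for this visitor and environment.
// Marketing/tracking scripts need explicit, unexpired consent for that purpose.
function scriptsToLoad(state, env, now) {
  return {
    functional: true,
    statistics: statisticsAllowed(state, env, now),
    marketing: consentIsCurrent(state, now) && state.purposes.marketing === true,
  };
}

// Constructed demo: a visitor scrolls (ignored), then accepts statistics only,
// on a site whose analytics cookies are third-party without an agreement.
if (typeof require !== "undefined" && require.main === module) {
  const now = new Date("2020-03-01T00:00:00Z");
  const env = { navigator: { doNotTrack: "1" }, firstPartyStatistics: false };
  let state = applyChoice(defaultConsent(), "scroll", ["marketing"], now);
  console.log("after scroll:", scriptsToLoad(state, env, now));
  state = applyChoice(state, "accept", ["statistics"], now);
  console.log("after accept:", scriptsToLoad(state, env, now));
}
```

Note that a dismissal does not block consent-exempt statistics: a first-party, DNT-respecting statistics setup still runs after "dismiss", which is exactly the situation the tip above describes for a privacy-friendly Google Analytics configuration.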
