Last updated: March 2021
Source: Questions-réponses sur les lignes directrices modificatives et la recommandation « cookies et autres traceurs » de la CNIL (March 18th 2021)
While the much-anticipated ePrivacy Regulation seems to be postponed for some years, local EU Data Protection Authorities formulate their statements, which provide us with concrete guidelines on how to interpret current privacy legislation within the EU. Following the British ICO statement, France’s CNIL also offered an explanation regarding ePrivacy and cookies. Although there are some differences between the ICO statement and CNIL’s, it is likely that other EU Data Protection Authorities will follow CNIL’s interpretation.
Complianz is keeping a close look at evolving privacy legislation in the EU, USA, Canada, and the UK. The Complianz plugin is kept up-to-date according to the newest developments, to provide our users with an updated privacy tool. Below we will state a brief summary of the most important and noteworthy statements from the CNIL in the most recent years (2019, 2020 and 2021). The guidelines of July 4, 2019 were notably adjusted to take into account the decision of the Council of State of June 19, 2020.
1. Cookiewalls are a No-Go
Just like the ePrivacy Directive, CNIL states that consent has to be given freely. Cookie Walls are explicitly mentioned as not allowed as they prevent the user from accessing a website without consenting to (tracking) cookies.
Although Complianz never supported the use of cookie walls for the EU and the UK, we have implemented a ‘soft cookiewall‘, that greys out the website before a user makes a choice regarding cookies. This solution is allowed because dismissing cookies is possible, and thus, free consent is respected.
2. Ask for consent per purpose
According to the CNIL, websites have to ask for consent per purpose. For example, when your website utilizes a Facebook pixel (which should be categorized as Marketing/Tracking) and Google Analytics (Statistics), you should ask separate consent for tracking and for the statistical purpose. A simple ‘yes/no’ or ‘accept all/essentials only’ choice is not sufficient in this case. The CNIL emphasizes that it is not necessary to indicate, on the banner, all the details of the purpose. A more detailed description of the purposes can be made available to the user via a hypertext link made available at the first level of information.
4. No implied consent
Consent for non-functional cookies must be actively given. This means that a visitor has to press an accept button to express consent actively. Also, pre-checked categories (other than functional) are not allowed. We still see a lot of websites using implied consent functions like ‘consent on scroll’ or consent on continued browsing. CNIL repeats that these forms of consent are not allowed.
5. The Website Administrator remains responsible
The first CNIL statement emphasized the responsibility of third parties that utilize tracking scripts. For example, the Google Fonts API requesting an IP address of the user would be the responsibility of Google. However, the EU court ruled that the website administrator remains responsible as a data controller, and has to regulate consent.
6. Also, report functional cookies
7. Statistical cookies
While the British ICO statement deviated from the draft ePrivacy Regulation by always requiring consent for statistical cookies (also when set-up privacy friendly), CNIL provides us with possibilities to gather statistics without the need to ask for consent. One of the conditions under which statistical scripts and cookies can be placed without consent is that it concerns first-party cookies, or when there is a processing agreement in place with the concerning third party. Another requirement is that these cookies can not be placed when the browser sends a ‘Do Not Track’ signal.
CNIL also adds some further requirements for gathering statistics. The gathering of statistics may not proceed for any longer than 13 months and gathered data can not be stored any longer than 25 months.
Tip: If Google Analytics is the only tool that places/access statistical cookies, you could consider to set up Google Analytics privacy-friendly. This way, when following the guidelines provided by CNIL or the ones by the Dutch DPA, we are of the opinion that there is no need to ask for consent before firing the anonymized Analytics script, and you can suffice with only asking consent for tracking cookies.
8. Provide a ‘Reject all’ button
The CNIL considers that the integration, at the stage of the first level of information for the Internet user, of a button “reject all”, at the same level and with the same aspect as the button “accept all”, constitutes a clear and simple way to allow the user to express his choices, or failing that, another solution (such as a button “Functional only”) making it possible to refuse as easily as to accept must be presented to the Internet user.