Communication of the CNIL on its website: https://www.cnil.fr/fr/ciblage-publicitaire-en-ligne-quel-plan-daction-de-la-cnil
One month after the GESTE outlined the main points on its website (see our article), the CNIL formalizes its action plan to revise its recommendations on cookies and gives some very important details.
First of all, the CNIL is updating its work schedule. The first step is imminent as it is set for July 2019. It will consist in the repeal by the CNIL of its 2013 recommendation on cookies and the simultaneous publication of guidelines “recalling the applicable legal rules” since the entry into force of the GDPR.
In substance, the CNIL states that continuing browsing a website after having been presented with a “cookie banner” can no longer constitute a valid expression of consent. This substantive development is justified by the protection authority on the grounds that the GDPR has strengthened the rules for the validity of consent (which must be free, specific, informed and unambiguous) and also that the G29 guidelines on consent have expressly banned the continuation of the browsing as a method of obtaining consent.
This very important change compared to the 2013 recommendation will be formally incorporated in the guidelines announced by the CNIL as of July 2019. However, the CNIL indicates on its website that it will leave stakeholders a transitional period of 12 months (i.e. normally until July 2020), so that they have time to comply with the new principles that diverge from the previous recommendation on cookies and other tracking devices. During this transition period, the continuation of the browsing would therefore be considered by the CNIL as an acceptable expression of consent.
In a second step, the CNIL will consult with professionals in the sector in order to draw up a new recommendation on the practical modalities for obtaining consent, which will be submitted to public consultation around the end of 2019 or early 2020.
In its communication, the CNIL finally clearly confirms its willingness to move forward without waiting for the adoption of the ePrivacy regulation, which, according to the authority, will not enter into force in the short term.
The determination currently shown by the CNIL should encourage stakeholders in the industry to quickly review their mechanisms for managing cookie consent. On this point, it is interesting to notice that the CNIL has adopted a very strict position for its own site by deleting its cookie banner and not placing any tracking device until Internet users have given their consent by going to the cookie management module.
It should be noted that the militant association “La Quadrature du Net”, declared that it would challenge, before the Conseil d’Etat, the CNIL’s decision to grant an additional 12-month leniency period following the upcoming guidelines, while the GDPR already gave data controllers and processors a 24-month period to comply with the new rules on consent.
