CNIL Deliberation n° 2019-093 of 4 July 2019
In accordance with its action plan announced at the end of June (see our article here), the CNIL has just published guidelines on cookies and other tracking devices. This new text repeals the recommendation on cookies adopted by the CNIL more than six years ago – in 2013 – and should be supplemented at the beginning of 2020 by a more operational recommendation, after consultation with stakeholders from both the professional and civil spheres.
The CNIL states that the purpose of the guidelines is to recall the applicable law, which has evolved with the entry into force of the GDPR. However, the primary statute governing cookies and other tracking devices remains Article 82 of the French data protection act (the “loi informatique et libertés”), implementing Directive 2002/58 into French law. It should be recalled that this directive is currently the subject of a reform which should lead to the adoption of the future “ePrivacy” Regulation, but the CNIL does not want to wait for this text.
As already announced, the main change compared to the 2013 recommendation concerns consent to cookies. As the GDPR has strengthened the rules on the validity of consent, the CNIL, based on the EDPB guidelines on consent, now considers that:
- The mere “continuation of browsing” can no longer be a valid means of obtaining the consent of Internet users to cookies.
Consent will therefore have to be based on a clear positive act, allowing it to meet the unambiguousness requirement of the GDPR. As usual, the CNIL recalls that pre-checked boxes will not satisfy this criterion.
The CNIL also points out that the obligation to obtain unambiguous consent must not undermine the free nature of consent. Thus, “cookie walls”, i.e. mechanisms that completely block access to websites if Internet users do not accept the cookies, must be prohibited.
- Consent must be logged and demonstrable
On this point, the CNIL simply states that organizations using cookies will have to implement the necessary mechanisms to constitute and preserve proof of consent obtained.
However, it specifies that when organizations exploit cookies on behalf of third parties, the mere presence of contractual clauses requiring them to obtain valid consent cannot satisfy – from the third party’s point of view – the obligation to retain evidence of consent.
The new guidelines clearly do not leave room for discussions on the possibility of using legitimate interest as a legal basis for the deposit of cookies.
Concerning information notices, the CNIL no longer mentions the famous “cookie banner”, but specifies that the information provided to Internet users should include at least: (i) the identity of the data controller(s); (ii) the purpose of the reading or writing operations; (iii) the existence of the right to withdraw consent.
The first point may be surprising. Indeed, the CNIL itself points out that the rules relating to cookies apply regardless of whether the data collected by these tools are “personal data” within the meaning of the GDPR. However, if there are no “personal data”, there is no “data controller”.
In the vast majority of cases, however, the trackers will be used to collect personal data (IP address, cookie ID, device fingerprint, etc.). In these situations, the prior information provided to Internet users will have to be supplemented in order to comply with the GDPR and with the EDPB guidelines on consent.
Apart from the points above, the guidelines do not fundamentally differ from the 2013 recommendation and other CNIL communications related to cookies. For example, the new text includes a section dedicated to the “roles and responsibilities of the actors”, which is very abstract and (unfortunately) adds nothing to the CNIL’s publication on this theme dating from May 2017 (see here).
Finally, it can be noted that the CNIL is not changing its position regarding browser settings – which, in its opinion, do not currently allow Internet users to express valid consent to cookies – or regarding audience measurement cookies – which must comply with very strict conditions to be exempt from prior consent.
The CNIL should now consult with stakeholders from both the professional and civil spheres, to draft a recommendation on the practical means for obtaining consent. The level of abstraction of the guidelines makes such a recommendation truly necessary. The recommendation will have to take into account the different sectors and businesses affected by the evolution of the rules on cookies.
As announced, the CNIL should allow for a transitional period, which will expire six months after the adoption of the future recommendation, during which professionals will have to become compliant with the new rules on consent.