The CNIL is going to revise its recommendations on cookies

Communication of the GESTE on its website: http://www.geste.fr/activites/cnil-annonces-et-calendrier

Since the entry into force of the GDPR, much of the attention has focused on cookies. However, even though cookies allow the processing of personal data that is subject to the GDPR, the specific rules on their use are based on another piece of European legislation: the “E-Privacy” directive, which is currently undergoing reform and will also be transformed into a regulation (the future “E-Privacy regulation”).

This is why the CNIL had indicated that its recommendation on cookies, dating from 2013, was still relevant after the GDPR. However, the online advertising industry has taken the lead and thought about new mechanisms for informing Internet users and managing their consent (in particular by adopting the famous “CMP” – “Cookies Management Platforms”).

While the future “E-Privacy” regulation is still under discussion (see below), the CNIL has finally announced to several professional organizations (GESTE, SRI, IAB, UDM, UDECAM, FEVAD, SNCD, MMA, ARPP and AACC) that it is currently working on revising its recommendations on cookies.

Here is the work schedule provided by the CNIL:

–     May – June 2019: update of the 2013 recommendation to take into account the GDPR;

–     June – Sept 2019: working group with stakeholders to test the operational coherence of future guidelines;

–     November 2019: review of the work;

–     End of 2019 – Beginning of 2020: publication of new guidelines for cookies;

–     June – July 2020: end of the tolerance period, actors must comply with the rules resulting from the new guidelines.

What the CNIL does not specify is whether updating the 2013 recommendation with the GDPR will only be “cosmetic” or will already lead to substantive changes. However, the CNIL’s announcement confirms that, as it stands, the recommendation is still applicable.

Above all, there is no mention of the future E-Privacy regulation. Originally, this regulation was intended to come into application on 25 May 2018, at the same time as the GDPR. However, the legislative procedure has been significantly delayed. While the first draft was presented on 10 January 2017 by the European Commission and adopted after amendment on 26 October of the same year by the European Parliament, it has since been under discussion within the Council of Europe, which published yet another version on 13 March 2019. The trilogue will then have to conduct its work and agree on a final text. Consequently, the entry into force of the E-Privacy Regulation is not expected before the end of 2020 or the beginning of 2021 at the earliest, it being specified that this text should provide for a transitional period postponing its entry into application by one or two years.

Hence, the CNIL’s timetable seems difficult to reconcile with that of the European institutions, so the future guidelines on cookies are not expected to incorporate the new regulations. This seems curious and will bring legal uncertainty, since the guidelines will necessarily have to be modified shortly after their publication.