
Cookies and other trackers: new guidelines and recommendations from the CNIL

Published on 14 March 2023

In a context where the e-Privacy Regulation is still in draft form and its entry into force remains uncertain, the CNIL is pursuing its aim of providing practical solutions for the supervision of cookies. This project was initiated in 2013 with “recommendations” on cookies and other tracking devices, which were replaced by guidelines in 2019 to take into account the application of the General Data Protection Regulation (GDPR). Then, in its action plan on advertising targeting, the CNIL updated the latter by adopting, on October 01, 2020:


  • New “guidelines” that draw the consequences of the decision of the French Council of State of June 19, 2020 and set out the new applicable legal framework with which organizations must comply by March 31, 2021.
  • The “recommendations”, which complement these guidelines by offering examples and practical ways to guide actors towards compliance when using “cookies and other trackers”.

    A cookie is a small file deposited on the terminal of the Internet user during the consultation of certain websites, which retains information on it for a later connection. Its use is regulated by Article 82 of the French Data Protection Act, which transposes into French law Article 5.3 of the Privacy and Electronic Communications Directive 2002/58/EC, better known as “ePrivacy”[1].

    This article in this case provides that:

    “Any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless previously informed, by the data controller or its representative, of:

    1° The purpose of any action tending to access, by electronic transmission, information already stored in his/her electronic communications terminal equipment, or to write information in this equipment;

    2° The means available to him/her to oppose it.

    These accesses or registrations may only take place on condition that the subscriber or user person has expressed, after having received this information, his/her consent, which may result from appropriate settings of his/her connection device or any other device under his/her control.” (Article 82)

    The term “cookies and other trackers” now encompasses all devices with the same purpose as a cookie (HTTP cookies, Flash cookies, fingerprinting, web beacons or web bugs, software or operating system identifiers, etc.) that are likely to be covered by Article 82. This article applies regardless of whether the data concerned is personal or not. Where applicable, the provisions of the GDPR apply in addition to those of this article.

    In summary, the provisions of Article 82 require that users be informed and that their consent be obtained before any writing or reading of cookies and other trackers (with some exceptions).

    1. What information must be provided to users?

    According to the provisions of Article 82, the duty to inform is incumbent on the data controller or its representative. Because of their direct contact with users, they are in the best position to inform them about the deposited trackers and to collect their consent. Therefore, website or mobile application publishers, as well as third parties[2] that use trackers on a service published by another organization, are considered data controllers within the meaning of the guidelines if they act on their own behalf.

    1) Information content:

    In order to provide clear and precise information on the use of trackers, the Commission recommends indicating the identity, the number of data processors and their roles at the first level of information, through a hyperlink or a button accessible from this level. By grouping the organizations by category and according to the purpose of the trackers used, this information can be materialized in the form of a list that must be kept up to date on a regular basis and can be placed in areas of the screen that are easily identifiable by the user and for the duration of browsing.

    The second level of information relates to the purpose of the trackers, the principle being that users must give their consent in a specific way, i.e. they must have the possibility of giving their consent to each purpose separately. Therefore, the information related to each purpose must be communicated to them before their consent is collected.

    As far as consent is concerned, users must be informed of the way in which they can accept or refuse to accept trackers, the consequences of doing so and the existence of their rights, in particular the right to withdraw their consent.

    2) The form of the information:

    In practice, the CNIL proposes the provision of information relating to the purpose of the trackers in two phases. First, it proposes that the list of purposes be displayed on a first screen and that each purpose be “highlighted in a short and prominent title, accompanied by a brief description” as illustrated in the table below:

    Purpose(s) pursued:
    Trackers used to display personalized advertising.

    Formulation(s) in accordance with the applicable rules:
    “Personalized advertising: [name of website / application] [and third party companies / our partners] uses/use trackers to display personalized advertising based on your browsing and profile.”

    Secondly, the CNIL recommends that a more detailed description of the purposes be put in place, in a way that is easily accessible to the user from the interface for collecting consent. This information can be displayed, at the first level of information, through a drop-down button that the user can activate directly, or through a hypertext link.

    In addition, in order to provide users with all the necessary information related to the use of cookies and other trackers, the publisher of a website may provide users with a configuration setting module that can be accessed on all pages of the site by means of a static “cookie” icon that is always visible or a hypertext link located at the bottom or top of the page.

    Similarly, the Commission encourages the development of standardized interfaces, operating in the same way and using a standardized vocabulary, in order to make it easier for users to understand and to obtain their valid consent.

    2. How to validly collect the consent of users in the event of recourse to “cookies and other trackers”?

    Data controllers must ensure that a mechanism is in place to obtain the consent of users before the trackers are deposited. Similarly, user consent must be obtained on each of the sites concerned, when the tracking of browsing goes beyond the perimeter where the trackers were initially deposited.

    The obligations set forth in the consent guidelines must be read in light of the articles of GDPR relating to consent[3].

    In summary, to be valid, consent must be given freely, specifically, in an informed manner and unambiguously, by a clear affirmative statement or act.

    Free consent implies that the data subject will not suffer major disadvantages in case of absence or withdrawal of consent. The principle is that the user must have real freedom of choice when giving consent. Under these conditions, the CNIL considered, in its first guidelines, that the use of “cookie walls”, i.e. the practice of blocking the user’s access to a website or a mobile application if he does not accept cookies, was prohibited. Following an appeal, the Council of State partially annulled the CNIL’s guidelines, in particular the prohibition of the use of “cookie walls”. The Council of State ruled that the CNIL’s interpretation was too restrictive and that the CNIL did not have the required competence to pronounce such a restriction. This decision led the Commission to revise its position in its new guidelines. It now maintains that the use of “cookie walls” is likely to infringe, in certain cases, on the freedom of consent; consequently, where a “cookie wall” is implemented, the information provided to the user must clearly indicate the consequences of their choices and, in particular, the impossibility of accessing the content or the service in the absence of consent.

    It is also likely to undermine the user’s freedom of choice and the specific nature of consent, within the meaning of the new guidelines and in accordance with Article 43 of GDPR, if a single consent is collected simultaneously for several distinct purposes (purpose bundling) without giving the user the possibility of accepting purposes one by one.

    In practice, in order to ensure that consent is freely given, the Commission recommends that users be asked for their consent independently and specifically for each distinct purpose. This does not, however, prevent offering users the possibility of giving their consent globally, provided that all the purposes are presented to them in advance.

    In concrete terms, it is recommended to include, at the first level of information, buttons entitled “accept all” and “reject all”, “I authorize” and “I do not authorize”, or “I accept all” and “I accept none”, allowing users to consent to or reject several purposes in a single action.

    At the same level of information, a “personalize my choices” or “decide by purpose” button would allow users to accept or refuse purpose by purpose by clicking, for example, on each purpose so that a drop-down menu offers them “accept” or “reject” buttons.

    However, blanket acceptance of the general terms and conditions of use does not satisfy the specific character of consent and is therefore not allowed under the new guidelines.

    Informed consent presupposes that the information is written in simple, clear and understandable terms: overly complex legal or technical terminology or a simple reference to the general terms of use are therefore not authorized. The Commission considers that the following information should at least be communicated to users: the identity of the controller(s); the purpose of the data reading or writing operations; the existence of the right to withdraw consent. (see above)

    On the other hand, the information must be easily accessible for the user. In this respect, the CNIL recommends, for example, the use of headings and drop-down menus to make it easier for the person concerned to find the information.

    Unambiguous consent requires positive action by the person who has been informed of the consequences of their choice and has the means to exercise it: simply continuing to browse, using an application or scrolling through a website do not, according to the CNIL, constitute “clear positive actions that can be assimilated to valid consent”. The same goes for the opt-out (the use of pre-ticked boxes[4]) or a comprehensive acceptance of the general conditions of use.

    The Commission recommends the use of opt-in checkboxes (unchecked by default) or of “slider” switches deactivated by default, on the condition that the choice expressed by the user is easily identifiable and that the information is easily understandable. In other words, it must not require an effort of concentration on the part of the user, and a quick reading of the information must not mislead them in their choices.

    Furthermore, as in its first guidelines, the CNIL reiterates its position that user consent cannot be obtained through browser settings, which, according to the Commission, “cannot, given the state of the art, allow the user to express valid consent”. It is therefore recommended that organizations use a preference management tool.

    3. How can organizations prove the collection of consent?

    In accordance with the GDPR, organizations must be able to prove the user’s consent to cookies and other trackers, and be able to provide that proof at any time, whether the collection is direct or indirect. In the case of indirect collection, the mere presence of a contractual obligation[5] to obtain the user’s consent imposed on the other party does not constitute sufficient proof. The contract must provide that the organization collecting the consent also makes the evidence of that consent available to the other parties.

    In order to satisfy the requirement for proof of the validity of consent, the Commission recommends, among other things, the following non-exclusive procedures:

    • The various versions of the computer code used by the consent-gathering organization can be escrowed with a third party, or, more simply, a digest (or “hash”) of that code can be published in a time-stamped manner on a public platform, so that its authenticity can be proven after the fact;
    • A screenshot of the visual rendering displayed on a mobile or fixed terminal can be kept, time-stamped, for each version of the site or application;
    • Regular audits of the mechanisms for collecting consent implemented by the sites or applications from which it is collected may be implemented by third parties mandated for this purpose;
    • Information about the tools implemented and their successive configurations (such as consent collection solutions, also known as CMP, for “Consent Management Platform”) may be kept, time-stamped, by the third parties publishing these solutions.

    With regard to the length of time the user’s choices are kept, the Commission considers that a period of 6 months (acceptance or refusal) constitutes good practice. It is therefore recommended to renew the collection of the user’s consent at the end of this period.

    4. How can the user refuse or withdraw consent?

    The expression of the user’s refusal must not require any action on their part or must be able to be translated by an action presenting the same degree of simplicity as that allowing to express their consent.

    This can be done by using a “reject all” button next to the traditional “accept all” button, or by allowing the user to click on “continue without accepting” to express their refusal of the deposit and reading of cookies. At this stage, the CNIL prohibits any practice that aims to highlight one choice over another or to make the user understand implicitly that the use of the services is conditioned on the acceptance of cookies.

    Refusal can also be materialized by the absence of choice or action on the part of the user. In this case, the terms of the refusal must be clearly indicated to the user so that they know that closing the pop-up window or continuing to browse will result in a refusal of the trackers. Where appropriate, the Commission recommends that the message requesting the user’s consent (the window or banner, for example) disappear after a short period of time, so as not to hinder the user’s browsing or make their browsing comfort conditional on expressing consent to the tracking.

    Furthermore, according to Article 7.3 of GDPR, it must be as easy to withdraw consent as to give it. Users who have given their consent to the use of trackers must be able to withdraw it simply and at any time. In other words, withdrawing consent should not require considerable time or action on the part of the user.

    In order to allow users to easily access the mechanism for managing and withdrawing their consent, the Commission recommends the use of a “cookie management module”, “manage my cookies” or “cookies” icon, which can be placed at the bottom left of the screen and which visually attracts the user’s attention.

    It also recommends that organizations allow for the effective management of the withdrawal of consent by putting in place solutions that guarantee that previously used trackers are not read or written.
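As an added illustration (not code from the CNIL or from the article) of the proof-of-consent practices in section 3 and the withdrawal requirement in section 4, the following Python script publishes a time-stamped SHA-256 digest for each version of the consent-banner code, records one decision per purpose, treats a missing choice as refusal, and considers consent expired after the 6-month period the CNIL cites. The manifest format, the sample banner code and the 183-day figure are assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample: two versions of the consent-banner code as deployed.
CMP_CODE_VERSIONS = {
    "1.0.0": b"<button id='accept-all'>Accept all</button>"
             b"<button id='reject-all'>Reject all</button>",
    "1.1.0": b"<button id='accept-all'>Accept all</button>"
             b"<button id='reject-all'>Reject all</button>"
             b"<button id='per-purpose'>Decide by purpose</button>",
}
CONSENT_RETENTION = timedelta(days=183)  # roughly the 6 months the CNIL cites (assumed)


def code_digest(code: bytes) -> str:
    """SHA-256 digest of one version of the CMP code, hex-encoded."""
    return hashlib.sha256(code).hexdigest()


def build_manifest(versions: dict, published_at: str) -> list:
    """Entries to publish, time-stamped, on a public platform (assumed format)."""
    return [{"version": v, "sha256": code_digest(code), "published_at": published_at}
            for v, code in sorted(versions.items())]


def verify_version(version: str, code: bytes, manifest: list) -> bool:
    """Later audit: does the archived code match the digest published for it?"""
    digests = {e["version"]: e["sha256"] for e in manifest}
    return digests.get(version) == code_digest(code)


def record_consent(user_id: str, choices: dict, cmp_version: str,
                   manifest: list, at: str) -> dict:
    """One record per user, with a separate decision per purpose."""
    if cmp_version not in {e["version"] for e in manifest}:
        raise ValueError("CMP version has no published digest; consent unprovable")
    return {"user_id": user_id, "cmp_version": cmp_version, "given_at": at,
            "purposes": dict(choices), "withdrawn_at": None}


def withdraw_consent(record: dict, at: str) -> dict:
    """Withdrawal is a single action, as simple as giving consent."""
    return {**record, "withdrawn_at": at}


def consent_is_valid(record: dict, purpose: str, now: str) -> bool:
    """Accepted for this purpose, not withdrawn, and within the retention period."""
    if record["withdrawn_at"] is not None:
        return False
    if not record["purposes"].get(purpose, False):  # no recorded choice == refusal
        return False
    age = datetime.fromisoformat(now) - datetime.fromisoformat(record["given_at"])
    return age < CONSENT_RETENTION


if __name__ == "__main__":
    manifest = build_manifest(CMP_CODE_VERSIONS, "2023-03-01T00:00:00+00:00")
    print(json.dumps(manifest, indent=2))
```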

    5. Which trackers do not require consent?

    The provisions of Article 82 of the French Data Protection Act are not applicable if “access to information stored in the user’s terminal equipment or the recording of information in the user’s terminal equipment: 1. Either, has the exclusive purpose of enabling or facilitating communication by electronic means; 2. Or, is strictly necessary for the provision of an online communication service at the express request of the user”[6].

    Trackers that fall under the two categories listed above, as described in Article 5 of the new guidelines, are exempt from consent collection. In order to fulfill their transparency obligation, the Commission recommends that organizations keep users informed (including through their privacy policies) of the existence of such trackers and their purposes. The Commission also recommends that these cookies be used only for a single purpose, so that the absence of user consent has no effect on the use of cookies necessary for browsing.

    With respect to the audience measurement trackers exempted from the collection of consent, the CNIL recommends that:
    • Users be informed of the implementation of these trackers, for example via the privacy policy of the site or mobile application;
    • The lifespan of the trackers be limited to a duration that allows for a relevant comparison of audiences over time, such as thirteen (13) months, and not be automatically extended on new visits;
    • Information collected through these trackers be retained for a maximum of twenty-five (25) months;
    • The aforementioned lifetimes and retention periods be subject to periodic review.

    Cheikh NDIAYE

    Footnotes

    [1] Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation of Privacy and Electronic Communications)

    [2] CJEU, Jul. 29, 2019, Case C-40/17, Fashion ID GmbH & Co KG v. Verbraucherzentrale NRW eV, the publisher of the website or mobile application and the third party depositing the trackers are deemed to be joint controllers insofar as they jointly determine the purposes and means of the read and write operations on the users’ terminal equipment.

    [3] Articles 4 (11) and 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

    [4] Planet 49 decision of 1 October 2019 (CJEU, Oct. 1, 2019, C-673/17).

    [5] The Council of State ruled, in its decision of June 6, 2018, that the obligations of a website publisher include ensuring that its partners do not use the publisher’s website to transmit data that does not comply with the regulations applicable in France, and that it must take all necessary steps to put an end to any breaches.

    [6] Council of State, 10th – 9th joint chambers, 06/06/2018, 412589, published in the Recueil Lebon: the fact that a tracker is necessary for the economic viability of the service does not imply that it is “strictly necessary for the provision of a service expressly requested by the user.”