CNIL adopts final Guidelines and Recommendation on the use of cookies and other trackers

The French Data Protection Authority (“CNIL”) yesterday published its amended Guidelines and its final Recommendation on the use of cookies and other trackers, marking a “turning point both for the online advertising sector and for internet users, who will now be able to exercise better control over online trackers”.

The Amended Guidelines  

On 19 June 2020, the Conseil d’État (the French Council of State) ruled that the CNIL’s outright ban on cookie walls (i.e. pop-up notices that restrict access to a website or a mobile app until the user consents to the use of cookies and other trackers) cannot legally be included in the CNIL Guidelines on cookies and other trackers. The CNIL therefore had to adjust its Guidelines to take that decision into account.

The new Guidelines now take a softer approach towards cookie walls: while not banning cookie walls altogether, the CNIL emphasizes that cookie walls are likely to undermine the freedom of users to consent. Their lawfulness must be assessed on a case-by-case basis. In any event, if a cookie wall is used, the information provided to the user must clearly indicate the consequences of his choices and, in particular, the impossibility of accessing the content or service without consent. 

The Guidelines also provide, inter alia, the following:

  • Navigation of a website does not constitute valid consent under the GDPR, as consent must involve a clear affirmative action by the user;
  • Refusing the use of cookies or other trackers must be as easy as consenting to their use; and
  • Users must be able to withdraw consent at any time.

The Recommendation

CNIL’s Recommendation constitutes a practical guide for professionals, providing information on compliance with the legal framework when using cookies or other trackers. 

The Recommendation includes practical examples concerning, among other things, how information could be provided to users before obtaining their consent and how to design the interface for obtaining user consent. On this point, the CNIL notes that the mechanism allowing a user to refuse consent should be accessible on the same screen and with the same ease as the mechanism allowing the user to give consent. Thus, an “accept all” button should be at the same level and in the same format as a “refuse all” button (you can read about the implications of this position for ad tech actors under the supervision of the CNIL in the paper I have co-authored with Damien and Dimitrios).

In terms of the timeline for compliance with the framework on cookies and other trackers, the CNIL expects all actors concerned to ensure that their practices comply with the requirements of the GDPR and the ePrivacy Directive by the end of March 2021.  

(Image source: Search Engine Journal)
