France: The French Data Protection Authority releases a recommendation on cookies

As part of its action plan on targeted advertisement, the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés or “CNIL”) is proposing a consultation on a draft recommendation on practical procedures for collecting user consent for the use of online trackers[1].

Following the guidelines recalling the legal provisions that govern the use of cookies and other trackers adopted on July 4, 2019[2], the CNIL conducted a consultation during the fall of 2019, in order to prepare a draft recommendation proposing operational procedures for obtaining consent. This draft is now subject to public consultation until February 25, 2020. At the end of this period, a final version of the recommendation will be presented for final adoption.

Adaptation to applicable law

The application of the General Data Protection Regulation[3] (“GDPR”) has strengthened the requirements for the validity of consent. The mere continuation of navigation on a website can no longer be regarded as a valid expression of consent to the use of cookies, which must now be the result of an unambiguous positive action on the part of the Internet user. Furthermore, the GDPR expressly provides that actors must be able to prove that they have indeed obtained valid consent from Internet users.

As the risk associated with obtaining consent is quite significant (the GDPR provides for the possibility of imposing on non-compliant companies heavy fines of up to 4% of their annual turnover), the CNIL announced an action plan to align its recommendations with the new rules on consent governing the use of cookies and other trackers for audience measurement, user profiling and targeted advertisement.

The recommendation is not intended to be prescriptive. Its main purpose is to provide practical examples for the implementation of the regulations. Some of these examples are addressed below.

Consent collection

  • Informed consent:

The purpose(s) of the trackers must be presented to the Internet user before he/she is given the opportunity to consent or not to consent to their use.

The Internet user must be able to find out the identity of all those responsible for the processing operation(s) before being able to give consent or to refuse to give consent.

  • Free consent:

Consent can only be valid if the Internet user is able to exercise his/her choice freely, under the conditions described in the guidelines.

In practice, a request for consent could take the form of boxes that the Internet user may choose to check to express his/her consent. He/she may also have the choice between two buttons presented at the same level and in the same format, with for example the words “accept” and “refuse”.

In addition, in order to allow the Internet user not to make a choice, the person responsible for the processing operation(s) may integrate a closing cross on the interface for collecting consent, or allow the user to make it disappear by clicking outside the interface.

  • Specific consent:

The Internet user must be given the opportunity to give independent and specific consent for each separate purpose.

For example, the mere acceptance of general terms of use or general terms of sale does not constitute specific consent.

It is possible to offer the Internet user the ability to consent globally for a range of purposes under certain conditions.

  • Unambiguous consent:

Consent must be expressed by a clear positive action on the part of the Internet user.

Concretely, by its presentation, the mechanism for obtaining consent must enable the data subject to be aware of the goal and scope of the action enabling him/her to signify his/her agreement or disagreement.

Exemption

The CNIL recalled that the consent requirement does not apply to operations, the exclusive purpose of which is to carry out the transmission of a communication over an electronic communications network or which are strictly necessary for the provision of an online communication service explicitly requested by the Internet user.

It specified that “In the light of the practices brought to the Commission’s attention, the following trackers may, in particular, be regarded as exempted:

  • the trackers keeping the choice expressed by the Internet user on the use of trackers or the will of such user not to express a choice;
  • trackers intended for authentication to a service;
  • trackers designed to keep track of the content of a shopping cart on a merchant site;
  • user interface customization trackers (e.g. for the choice of the language or presentation of a service), where such customization is an intrinsic element of the service expected by the Internet user;
  • trackers allowing load balancing of equipment contributing to a communication service;
  • trackers allowing paying sites to limit free access to their content to a predefined quantity and/or over a limited period of time;
  • trackers enabling audience measurement, within the framework specified by Article 5 of the Guidelines on cookies and other trackers.”

Withdrawal and duration of consent

Internet users who have given their consent to the use of trackers must be able to withdraw it at any time. The CNIL recalled that it must be as simple to withdraw consent as it is to give consent.

Since those who gave consent at a given time may forget that they have done so, the CNIL recommends that consent be renewed at appropriate intervals without waiting for the user to withdraw consent. The length of time during which consent remains valid will depend on the context, the scope of the initial consent and the expectations of the internet user.

In general, the CNIL considers that a period of validity of six months from the expression of the Internet user’s choice is appropriate.

Proof of consent

The data controllers must be able to demonstrate that the Internet user has given his/her consent.

In practice, the CNIL recommends the implementation of the following mechanism:

  • The recording of the information allowing the consent to be properly taken into account could be done at the level of the consent collection mechanism, i.e. the tracker in case of a web browser, or the parameter used to store the consent information in case of a mobile app., etc.
  • The data thus recorded could include a timestamp of the consent, the context in which the consent was collected (identification of the website or mobile app.), the type of consent collection mechanism that has been used, and the purposes to which the user has consented.

Timetable

From the beginning of 2020, the CNIL’s actions will initially be limited to compliance with the principles previously set out in the 2013 recommendation. Corrective measures, including penalties, may be adopted in the event of non-compliance with the obligations, the scope of which has been specified since 2013 and which remain applicable in the new recommendation.

Monitoring missions on the application of the new framework will then be carried out at the end of the adaptation period announced by the CNIL, i.e. six months after the final publication of the recommendation. These inspections will focus in particular on those actors who have a particularly significant impact on the daily lives of citizens and whose practices raise serious compliance issues.

Jurisdiction

The CNIL indicated that it is competent to control and, if necessary, sanction the implementation of the provisions set forth in Article 82 of the French Data Protection Act for all services that deposit and access cookies or trackers on terminals located in France.