The French Supervisory Authority has just issued guidance that is a significant departure from common practice with respect to obtaining consent to use cookies.

What does the French Supervisory Authority’s (CNIL) Guidance say?

The CNIL has issued the new rules as part of its 2019–2020 action plan to clarify compliance obligations under the General Data Protection Regulation (GDPR) in the realm of targeted online advertising. These rules update the CNIL’s 2013 recommendations on cookies and other tracking devices, which had permitted implied consent as a legal basis for using cookies. However, under these updated rules, the act of scrolling or swiping through a website with a cookie banner would no longer count as valid consent. Furthermore, the CNIL explicitly states that websites using any non-“strictly necessary” cookies must be able to prove they have acquired consent as defined in the GDPR cookie guidelines and CNIL online cookie rules to do so.

Why is this different?

This marks a significant departure from common practice in this regard, with many websites still heavily relying on opt-out consent in the form of passive cookie banners, which preclude the possibility of demonstrating or proving that consent has been acquired before the cookies are put into use. While the CNIL has stated that it will give stakeholders a transitional period of 12 months to comply with this new guidance, it does not preclude the CNIL “adopting corrective measures to protect the privacy of users.”

Is this a significant departure from views taken by other EU privacy regulators?

The CNIL’s new guidance appears to be in keeping with the views recently put forth by other European data protection authorities (DPAs) with regards to non-essential cookies and tracking devices, particularly with the views of the European Data Protection Board (EDPB), which explicitly excluded scrolling down, swiping or browsing through a website or application as a valid expression of consent under the GDPR cookie consent guidelines.

German regulators seem similarly focused on this issue, with the Bavarian DPA having audited forty large organizations across various industries from online retail to banking and insurance in February of this year. The DPA’s summary report revealed that none of the forty websites investigated were compliant and each of them had inappropriately integrated cookies and other tracking tools into their websites. In describing the three main areas of noncompliance, they identified 1) the lack of active cookie consent, with the majority of sites making use of cookies before obtaining consent; 2) the lack of informed cookie consent, with no individual identification of each cookie/tracker or the purposes for which they would be used; and 3) third party processing without consent, where websites automatically sent data to third party cookie providers upon a user’s landing on the website.

The UK’s Information Commissioner’s Office (ICO) also updated their cookie guidance earlier this month and published a blog post clarifying myths and misinformation around cookies. The most important clarifications involved the invalidity of implied consent, and clarification that analytics cookies are not “strictly necessary” and so require GDPR standard consent. They explicitly state that:

  • “users must take a clear and positive action to consent to non-essential cookies;
  • websites and apps must tell users clearly what cookies will be set and what they do – including any third-party cookies;
  • pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on,’ cannot be used for non-essential cookies;
  • users must have control over any non-essential cookies; and
  • non-essential cookies must not be set on landing pages before you gain the user’s consent.”

The ICO also confirmed the stance taken by the Dutch DPA in its guidance from March that cookie walls or other such blanket approaches would likely not be considered to represent valid consent.

The requirement for individualized records of consent for each cookie has long been one of the controversial elements of the proposed e-Privacy regulation. While the legislation is unlikely to come into force in the short term, it is clear that European data protection regulators are moving to set that standard in advance while also increasing their scrutiny of organization’s use of cookies and tracking devices.

In light of these developments, many organizations will need to ensure they are revisiting and updating their cookie practices in accordance with these evolving standards to avoid falling short of EU cookie law expectations.

ACHIEVED COMPLIANCE – HELPING YOU NAVIGATE THE COMPLEX WORLD OF DATA COMPLIANCE.

Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.

For more information as to how we can help your organization get GDPR compliant please contact info@achievedcompliance.com.