Implied Consent Is No Longer a Legal Basis For Using Cookies
What does the French Supervisory Authority’s (CNIL) Guidance say?
The CNIL has issued the new rules as part of its 2019–2020 action plan to clarify compliance obligations under the General Data Protection Regulation (GDPR) in the realm of targeted online advertising. These rules update the CNIL’s 2013 recommendations on cookies and other tracking devices, which had permitted implied consent as a legal basis for using cookies. Under the updated rules, scrolling or swiping through a website that displays a cookie banner no longer counts as valid consent. Furthermore, the CNIL explicitly states that websites using any cookies that are not “strictly necessary” must be able to prove they have acquired consent to do so, as defined in the GDPR cookie guidelines and CNIL online cookie rules.
Why is this different?
This marks a significant departure from common practice: many websites still rely heavily on opt-out consent in the form of passive cookie banners, which preclude the possibility of demonstrating or proving that consent has been acquired before the cookies are put into use. While the CNIL has stated that it will give stakeholders a transitional period of 12 months to comply with this new guidance, this does not preclude the CNIL from “adopting corrective measures to protect the privacy of users.”
Is this a significant departure from views taken by other EU privacy regulators?
The CNIL’s new guidance appears to be in keeping with the views recently put forth by other European data protection authorities (DPAs) with regard to non-essential cookies and tracking devices, particularly with the views of the European Data Protection Board (EDPB), which explicitly excluded scrolling down, swiping or browsing through a website or application as a valid expression of consent under the GDPR cookie consent guidelines.
The UK’s Information Commissioner’s Office (ICO) also updated its cookie guidance earlier this month and published a blog post clarifying myths and misinformation around cookies. The most important clarifications were that implied consent is invalid and that analytics cookies are not “strictly necessary” and so require GDPR-standard consent. The ICO explicitly states that:
- “users must take a clear and positive action to consent to non-essential cookies;
- websites and apps must tell users clearly what cookies will be set and what they do – including any third-party cookies;
- pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on,’ cannot be used for non-essential cookies;
- users must have control over any non-essential cookies; and
- non-essential cookies must not be set on landing pages before you gain the user’s consent.”
The ICO also confirmed the stance taken by the Dutch DPA in its guidance from March that cookie walls or other such blanket approaches would likely not be considered to represent valid consent.
In light of these developments, many organizations will need to revisit and update their cookie practices in accordance with these evolving standards to avoid falling short of EU cookie law expectations.
ACHIEVED COMPLIANCE – HELPING YOU NAVIGATE THE COMPLEX WORLD OF DATA COMPLIANCE.
Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.
For more information on how we can help your organization become GDPR compliant, please contact firstname.lastname@example.org.