The French DPA publishes (at last!) its guidelines and recommendation on cookies

15 October 2020
Corinne Thiérache and Alice Marie

On September 17th, 2020, the French Data Protection Authority (also known as the “CNIL”) adopted two documents on cookies, namely guidelines (Deliberation No. 2020-091 of September 17th, 2020 adopting guidelines relating to the application of Article 82 of the Law of January 6th, 1978 as amended to reading and writing operations in a user's terminal (in particular "cookies and other trackers") and repealing Deliberation No. 2019-093 of July 4th, 2019) and a recommendation (Deliberation No. 2020-092 of September 17th, 2020 adopting a recommendation proposing practical methods for compliance in the event that "cookies and other trackers" are used).

Through these new deliberations published on October 1st, the French data protection authority (DPA) confirms certain major principles:

• Concerning user consent:

  - The mere continuation of navigation on a website can no longer be considered as a valid expression of consent.

  - Individuals must consent to the deposit of trackers by a clear positive act (click on "I accept" in a cookie banner, for example). If they do not do so, no tracker that is not essential to the operation of the service may be deposited on their device.

• Users must be able to withdraw their consent easily and at any time,

• Refusing trackers should be as easy as accepting them,

• Concerning the information of data subjects:

  - They must be clearly informed of the purposes of the trackers before consenting, as well as the consequences of accepting or refusing trackers,

  - They must also be informed of the identity of all actors using trackers subject to consent.

• Entities using trackers must be able to provide, at any time, proof of valid collection of the freely given, informed, specific and unambiguous consent of the user.

Regarding "cookie walls", which consist of blocking access to a website if cookies are refused, the French DPA has prudently taken into account the decision of the “Conseil d’Etat” dated June 19th, 2020. Thus, without directly recognising that this practice is lawful in principle, the French DPA considers that a case-by-case analysis will be necessary.

Nevertheless, certain trackers are exempt from the requirement of obtaining consent. This is notably the case for trackers intended for authentication with a service, those intended to store the contents of a shopping basket on an online shopping site, those intended to generate audience statistics, or those allowing paid websites to limit free access to a sample of content requested by users.

In addition, the French DPA makes several recommendations to the players concerned:

• Two buttons should be provided: "accept all" and "refuse all",

• Websites, which usually retain consent to trackers for a certain period, should also retain the refusal of Internet users for a certain period. In this respect, the French DPA considers that it is good practice for website publishers to keep the choice (refusal or consent) for a period of 6 months,

• When the trackers allow tracking on other websites, consent must be obtained on each of the websites concerned by this navigation tracking.

The time allowed for the concerned actors to comply with the new rules must not exceed 6 months, i.e. by the end of March 2021 at the latest.

The French DPA will consider the operational difficulties of the economic players during this period and will give priority to support rather than control. However, it reserves the right to prosecute certain breaches, in particular where the breach of the right to privacy is particularly serious, and will continue to prosecute breaches of the rules on cookies prior to the entry into force of the GDPR (recommendation of December 5th, 2013).

As a reminder, this communication comes at a time when the e-Privacy Regulation, a specific regulation that has been postponed several times since 2016 and which will aim to apply the principles resulting from the GDPR to electronic communications, has still not been adopted by the European Commission.

The lawyers of Alerion's Data Privacy and Digital and technology law departments assist the economic players who will have to embark on a new project to comply with the GDPR regarding cookies and other trackers.

Corinne Thiérache, Partner and Alice Marie, Legal Counsel.

With the help of Morgane Sapin, Student Lawyer at the ECOA.