French CNIL: Draft Guidance on Cookie Consent
On January 14, 2020, the CNIL, the French data protection authority, compiled its draft recommendations on the use of cookie consent. The draft concerns all websites that collect cookies and similar technologies from their users. The recommendations look at simple and practical ways to improve the collection of consent and to help organisations understand why it is important. Obtaining the consent of individuals is key in data protection. Failing to do so infringes, among other things, the basic human right to privacy.
This draft is an update to the publication issued in 2019 on the basic requirements for collecting data and maintaining GDPR-quality consent. The requirements come from the policy of European data protection bodies, such as the CNIL and the ICO in the UK. The CNIL has set out to make things easier to comprehend in the local region through translation and policymaking. This aims to improve the safeguarding of human rights and the security of individuals both online and offline.
The CNIL has highlighted some issues of concern for organisations in France in particular and the EU in general, such as:
(i) Organisations must understand all of the requirements of the GDPR relating to cookie management, including the new ones, such as:
- Moving away from implied consent
- Making the use of cookies unambiguous
- Making it easy for users to reject the use of cookies
- Making the expression of consent simpler
(ii) Organisations must understand that the use of cookies, including but not limited to those that help in profiling and advertising to individuals, may be intrusive. The invasion of privacy should be curbed and the risks mitigated. Organisations should aim to minimize the resulting complaints through improved cookie policy.
(iii) Organisations must ensure that there are systems in place to allow a direct response to individuals' requests. Whether individuals require information or their data, organisations must be able to help them as swiftly as possible.
(iv) Ensuring that the Cookie Consent Policy is as clear, detailed and helpful as possible can be a great preemptive way to meet the GDPR guidelines and reduce potential complaints.
The crux of the CNIL recommendations is as follows:
- Clarity as to where consent is required for cookies (and where it is not)
- Applying cookie requirements to website owners and other third parties involved in using cookies
- Listing details of third-party cookies, and allowing users to choose whether they wish to be subject to them
- Allowing translation and access to the nature of the cookies
- Aiming to show valid, unambiguous consent
- Making consent withdrawal easier
- Keeping records of the consent collected in the past
The CNIL has urged organisations to look into systems that can make this process simple to execute, automate things where possible and allow interfaces to become more standardized and up to par for GDPR compliance. The CNIL also requires organisations to prioritize the implementation of compliant consent-gathering solutions. This stems from the subject’s right to be protected.
Perhaps the efforts of the CNIL, in combination with the awareness programs of the UK ICO and the Spanish AEPD, will help create the required awareness and understanding of the complicated terms of the GDPR, improving data behaviour across the globe.