On the 1st of October, the French CNIL published its much-anticipated amended guidelines and recommendations on the use of cookies and similar tracking technologies.
All organisations under the ambit of the CNIL now have a six-month deadline to become compliant with their legal obligations. The guidelines discuss in depth some of the main concerns of the cookie compliance process. They elaborate on the core principles as well as commonly confused subject areas within this broad technological area. The framework presented by the GDPR is used as a base for these guidelines and recommendations.
These guidelines were published only a day after the Irish Data Protection Commissioner introduced their guidelines and recommendations for use within areas under their jurisdiction. Some key elements overlap between the two sets of guidelines. Here are some of the key takeaways from the work published by the French CNIL.
Core Principles For the CNIL
The guidelines and recommendations reaffirm principles already defined under the GDPR. Here are some of the concepts that are restated to highlight their significance:
- No consent, no usage
- Consent must be active and positive
- Withdrawal of consent is recognised
- Refusal and acceptance of cookies are the user’s choice
- Purpose of the cookies must not be concealed
- User should be in control
What are key areas covered by the guidelines published by CNIL?
CNIL has notably reiterated that:
- Continuation or navigation on a site can no longer be considered as a valid expression of consent from the user
- Users must consent to the deposit of trackers by a clear positive act
- Only essential trackers can be deposited on the user's device until a positive act takes place
- Users must be able to withdraw their consent easily and at any time
- Structurally and functionally, refusing cookies should be made as easy for the user as accepting them
- Individuals must be clearly informed of the purpose of the trackers before consenting, the consequences of accepting or refusing trackers, as well as the identity of all the actors using trackers subject to consent; and
- Organisations using trackers must be able to provide, at any time, proof of valid collection of the free, informed, specific and unambiguous consent of the user. This corresponds to the GDPR provision of accountability.
Differences and Omissions
One stark difference between the new versions of the guidelines and recommendations and the older versions by the same data protection watchdog is that the new ones do not mention the use of legitimate interests as a legal basis, and therefore remain in line with the evolution of the reworked draft ePrivacy Regulation.
On 19 June 2020, the French Conseil d’Etat ruled that CNIL could not legally prohibit in its guidelines, as a general rule, the practice of ‘cookie walls’ (which, in a nutshell, consists of blocking access to a website where cookies are refused).
Practical recommendations and clarifications
The crux of the guidelines lies in the fact that the consent collection interface should include not only an ‘accept all’ button but also a ‘refuse all’ button.
Consent to trackers should be logged for a certain period of time, and a refusal should be treated in the same way on the user interface. The user should not be asked repeatedly to provide consent after initially not providing it.
Sanctions and Legal Probations
CNIL has announced that compliance with the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (‘the ePrivacy Directive’) and with the current Guidelines and Recommendations is legally binding.
The deadline to become compliant with these detailed revisions and clarifications is six months, i.e. by the end of March 2021. Meanwhile, breaches of the rules on cookies that existed prior to these guidelines will continue to be sanctioned as per routine. The watchdog is looking forward to a healthy compliance attitude from all organisations, whether big or small.
Seers cookie consent management solution
Let Seers help your organisation become compliant with these additional guidelines published by CNIL by using our world-leading cookie consent management solution.