On 4 July 2019, the French data protection authority CNIL (Commission nationale de l’informatique et des libertés)[i] adopted new guidelines on the use of cookies and similar tracking devices.[ii] The prior opinion of the French authority is in line with the strict jurisprudence of the Court of Justice of the European Union, as confirmed by its judgment of 1 October 2019, which narrows the scope of this topic.[iii] (See our previous article in German here.)

Cookies are text files that a website provider stores on the user’s computer (or device). The website provider can access these files again when the user visits the website on a further occasion. Cookies save information on internet activities and preferences (username, language, font size and other display settings), so that the user does not have to re-enter this information each time he or she visits the website. Cookies also allow the website provider and, if necessary, its partners to target advertisements.

In the guidelines, the CNIL recalls the law applicable to the operations of storing and accessing information of an internet user by using cookies. The guidelines are based in particular on the provisions of Directive 2002/58/EC of 12 July 2002 on privacy and electronic communications (ePrivacy), as amended by Directive 2009/136/EC, which is transposed into French law in Article 82 of the Data Protection Act (“Loi Informatique et Libertés”), and on the definition of consent in Article 4 Number 11 of the General Data Protection Regulation (GDPR), as interpreted in the guidelines of the European Data Protection Board (EDPB).

According to these texts, website or application publishers who use cookies must:

  • inform internet users of the purpose of cookies,
  • obtain their consent,
  • provide internet users with a way to refuse them at any time.

These provisions are not to be interpreted differently according to whether or not the information constitutes personal data. In the event of failure to comply with these provisions, the CNIL may impose sanctions pursuant to Article 3 of the Data Protection Act.

Scope of the guidelines

The guidelines apply to all operations aimed at accessing or storing information in the internet user’s “terminal equipment”. According to Directive 2008/63/EC, terminal equipment means equipment directly or indirectly connected to the interface of a public telecommunication network to send, process or receive information. The CNIL includes many devices in the definition, such as tablets, smartphones, fixed or mobile computers, connected televisions or vehicles, as well as voice assistants. The guidelines apply to the use of “HTTP cookies” and to similar forms of tracking devices, such as “Flash cookies”, “local storage”, etc.

How to obtain the user’s consent

Cookies may not be used unless the user has previously expressed his or her consent in a free, specific, informed and unambiguous manner.

Freely given consent

The user must not suffer any major inconvenience following the exercise of his or her right to decline the use of cookies. Therefore, the use of “cookie walls”, i.e. the practice of blocking access to a website or application in the absence of consent, does not comply with the requirements of the GDPR.

Specific consent

The consent of the user must be specific to the purpose of the use of cookies. The website provider can offer to give global consent to the use of cookies in addition to a specific consent.

Informed consent

The user must be provided with the following information:

  • the identity of the entity or entities using cookies;
  • the purpose of the operations of accessing or storing data;
  • the existence of the right to withdraw the given consent.

This information must be easy to understand as well as complete, visible and prominent at the time of obtaining consent.

Unambiguous consent

Consent of the user must be expressed through a clear declaration or positive action. This means that consent is not valid if it results from the user’s silence or passive behavior. For example, continuing to browse a website or to use a mobile application, or scrolling the page of a website or mobile application, does not constitute valid consent. The CNIL also does not consider the use of pre-checked boxes, or the acceptance of general conditions of use or the privacy policy, as valid consent.

Proof of consent and withdrawal

Article 7 of the GDPR requires that entities exploiting cookies be able to demonstrate, at all times, that they have validly obtained the required consent from users.

Moreover, persons who have given their consent to the use of cookies must be able to withdraw it at any time. Entities using cookies must develop convenient and friendly solutions so that users can withdraw their consent as easily as they have been able to give it.

Cookies that are strictly necessary for the provision of an online communication service can be used without the consent of the user. However, for the sake of transparency, entities must inform users of the existence and purpose of cookies by including, for example, a reference to them in their confidentiality policy.

The CNIL considers that browser settings cannot, in the state of technology, allow the user to validly express his or her consent to the use of cookies. Browser settings do not ensure a sufficient level of prior information to users and do not allow the user to give a specific consent regarding the cookies’ purpose. Moreover, browser settings do not allow a choice to be made about other technologies (such as fingerprinting).

The technologies concerned by the obligation to obtain consent do not systematically involve the processing of personal data. However, in many cases, the operations of storing and accessing information will concern personal data and therefore be subject to the GDPR.

At the beginning of 2020, the CNIL will issue a recommendation to inform operators on the practical details of the means of obtaining the internet user’s consent.

Margaux Mermin

[i] The main mission of the CNIL is to ensure compliance with regulations on personal data. It supports professionals in their compliance and helps individuals to control their personal data and exercise their rights (by investigating individuals’ complaints, for example).

[ii] CNIL Guidelines of 4 July 2019, Délibération n° 2019-093 du 4 juillet 2019 portant adoption de lignes directrices relatives à l’application de l’article 82 de la loi du 6 janvier 1978 modifiée aux opérations de lecture ou écriture dans le terminal d’un utilisateur (notamment aux cookies et autres traceurs) (rectificatif), (FR) https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000038783337

[iii] Judgment of the Court of Justice of 1 October 2019, Planet49, C-673/17, (EN) http://curia.europa.eu/juris/document/document.jsf?text=&docid=218462&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3469928