Cookies are text files that a website provider stores on the user’s computer (or device). The website provider can access these files again when the user visits the website on a further occasion. Cookies save information on internet activities and preferences (username, language, font size and other display settings), so that the user does not have to re-enter this information each time he or she visits the website. Cookies also allow the website provider and, if necessary, its partners to target advertisements.
In the guidelines, the CNIL recalls the law applicable to the operations of storing and accessing information of an internet user by using cookies. The guidelines are based in particular on the provisions of Directive 2002/58/EC of 12 July 2002, in the version of Directive 2009/136/EC, on privacy and electronic communications (ePrivacy), which is transposed into French law in Article 82 of the Data Protection Act (“Loi Informatique et Libertés”), and on the definition of consent in Article 4(11) of the General Data Protection Regulation (GDPR), as interpreted in the guidelines of the European Data Protection Board (EDPB).
- inform internet users of the purpose of cookies,
- obtain their consent,
- provide internet users with a way to refuse them at any time.
These provisions are not to be interpreted differently according to whether or not the information constitutes personal data. In the event of failure to comply with these provisions, the CNIL may impose sanctions pursuant to Article 3 of the Data Protection Act.
Scope of the guidelines
The guidelines apply to all operations aimed at accessing or storing information in the internet user’s “terminal equipment”. According to Directive 2008/63/EC, terminal equipment means equipment directly or indirectly connected to the interface of a public telecommunication network to send, process or receive information. The CNIL includes many devices in the definition, such as tablets, smartphones, fixed or mobile computers, connected televisions or vehicles, as well as voice assistants. The guidelines apply to the use of “HTTP cookies” and to similar forms of tracking devices, such as “Flash cookies”, “local storage”, etc.
How to obtain the user’s consent
Cookies may not be used unless the user has previously expressed his or her consent in a free, specific, informed and unambiguous manner.
Freely given consent
The user must be provided with the following information:
- the identity of the entity or entities using cookies;
- the purpose of the operations of accessing or storing data;
- the existence of the right to withdraw the given consent.
This information must be easy to understand as well as complete, visible and prominent at the time of obtaining consent.
Proof of consent and withdrawal
Article 7 of the GDPR requires that entities exploiting cookies be able to demonstrate, at all times, that they have validly obtained the required consent from users.
Cookies that are strictly necessary for the provision of an online communication service can be used without the consent of the user. However, for the sake of transparency, entities must inform users of the existence and purpose of cookies by including, for example, a reference to them in their confidentiality policy.
The technologies concerned by the obligation to obtain consent do not systematically involve the processing of personal data. However, in many cases, the operations of storing and accessing information will concern personal data and therefore be subject to the GDPR.
At the beginning of 2020, the CNIL will issue a recommendation to inform operators on the practical details of the means of obtaining the internet user’s consent.
[i] The main mission of the CNIL is to ensure compliance with regulations on personal data. It supports professionals in their compliance and helps individuals to control their personal data and exercise their rights (by investigating individuals’ complaints, for example).
[ii] CNIL Guidelines of 4 July 2019, Délibération n° 2019-093 du 4 juillet 2019 portant adoption de lignes directrices relatives à l’application de l’article 82 de la loi du 6 janvier 1978 modifiée aux opérations de lecture ou écriture dans le terminal d’un utilisateur (notamment aux cookies et autres traceurs) (rectificatif), (FR) https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000038783337
[iii] Judgment of the Court of Justice of 1 October 2019, Planet49, C-673/17, (EN) http://curia.europa.eu/juris/document/document.jsf?text=&docid=218462&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3469928