By Denise Lebeau-Marianna and Tiphaine Caulier

The French Data Protection Supervisory Authority (CNIL) has finally decided to replace its 2013 recommendations, which were no longer compliant with the GDPR, with new guidelines. This decision is notably motivated by the fact that:

– the ePrivacy Regulation is still under discussion at the EU Parliament and not expected to be adopted shortly;

– online targeted advertising is one of the CNIL’s priorities for 2019. The adoption of the new guidelines is part of the action plan that the CNIL has implemented for 2019-2020 to provide clearer guidance to the marketing community.

  1. New guidelines on the consent required to implement cookies
  • What is the scope of the new guidelines?

The CNIL’s new guidelines, adopted through deliberation n°2019-093 of July 4th, 2019, are based on Article 82 of the Data Protection Act (“Loi Informatique et Libertés”), which implements Article 5(3) of the EU “ePrivacy” Directive into French law.

The new guidelines apply to all types of operations aiming to gain access, through electronic transmission, to information stored on the subscriber’s or user’s terminal, or to store information on such a terminal.

They are thus applicable to a wide range of devices (smartphones, computers, connected vehicles and any other object connected to a telecommunications network open to the public) and cover, without limitation, a variety of technologies such as cookies, local shared objects (Flash cookies), HTML5 local storage, identification by fingerprinting, identifiers generated by operating systems and all sorts of trackers.

The guidelines clarify that Article 82 of the Data Protection Act applies regardless of whether the data involved are personal data.

  • What are the major changes?

(i) Clarification on the trackers exempted from a consent requirement in particular regarding analytics trackers

The guidelines make clear that the collection of consent is not required when:

  • the trackers are used exclusively by an editor or its service provider to measure the audience of the website. The exemption applies subject to very specific conditions;
  • the sole purpose of the deposit is to allow or facilitate the electronic communication;
  • the use of cookies is strictly necessary for the provision of an online communication service at the user’s request.

(ii) From soft opt-in to active consent

The CNIL points out that consent to the placement of cookies must comply with the definition and conditions set forth in Articles 4(11) and 7 of the GDPR. Therefore, to be valid, consent must be:

  • Unambiguous

To align with the guidelines on consent issued by the Article 29 Working Party, the CNIL repeals its previous position, based on deliberation n°2013-378 of December 5, 2013, according to which scrolling down, browsing or swiping through a website or app was considered an acceptable expression of consent to cookies and allowed cookies to be placed. Therefore, for the CNIL, continuing to navigate a website is no longer acceptable as evidence of consent to cookies.

From now on, only active consent will be accepted as evidence of consent for cookies to be placed. The CNIL points out that the use of pre-ticked boxes or the overall acceptance of general terms and conditions cannot be considered a positive act expressing consent.

In addition, the CNIL recalls the rules applicable to consent, which must also be:

  • freely given: the data subject must be able to exercise his/her choice freely. The CNIL thus recalls that the use of “cookie walls” is not compliant with the GDPR;
  • specific: consent must be tailored to each purpose. Therefore acceptance of the general terms and conditions as a whole does not constitute valid consent;
  • informed: the information given to data subjects must be easily understandable by all of them and must be written in plain language. The use of complex technical or legal terms does not meet the requirement of prior information. Such information must at least include (i) the identity of the data controller(s) implementing the trackers, (ii) the purpose of the reading or writing operations on data, and (iii) the right to withdraw consent;
  • evidenced: all organizations that use cookies must implement appropriate mechanisms that allow them to demonstrate, at all times, that they have validly obtained consent from users;
  • revocable: organizations are encouraged to put in place user-friendly solutions to allow users to withdraw their consent as easily as they gave it.

  • What are the roles and responsibilities to determine?

The guidelines provide that, depending on the conditions under which the trackers are implemented, the qualification of the stakeholders involved must be determined, as they may be separate controllers, joint controllers or in a controller-processor relationship. Depending on the qualification, other requirements of the GDPR may be applicable (Article 26 in the context of a joint controllership or Article 28 in a controller-processor relationship).

  • What is the applicable data retention term?

As far as data retention is concerned, the validity period of cookies remains 13 months. In addition, in these guidelines, the CNIL states that information collected via the trackers for the purpose of audience measurement can be retained for 25 months.

  • When should these guidelines be effectively implemented?

The CNIL grants organizations twelve months to become compliant with these new guidelines. During this transition period, the CNIL will accept the continuation of browsing as valid consent. The other requirements (such as the prohibition on installing cookies before such acceptance is given, the possibility to withdraw consent, etc.) will still be subject to the CNIL’s control and sanction.

  2. New recommendations to come based on a public consultation of the relevant stakeholders

The above-mentioned guidelines are only the first step of the CNIL’s action plan.

To help the marketing community better understand what is expected to make targeted advertising compliant with applicable data protection law requirements (GDPR and French Data Protection Act), the CNIL has initiated working sessions, to be held during the second semester of 2019, with the representative stakeholders of the marketing ecosystem (website editors, advertisers, service providers, etc.).

The objective is to come up with practical means of implementing the new guidelines and collecting lawful consent.

This guidance will take the form of recommendations issued by the CNIL, which will be subject to public consultation (expected in December 2019/early 2020).

To give professionals time to comply with these recommendations, the CNIL will grant a transitional period of 6 months from the final adoption of the recommendations after the consultation process.

This guidance from the CNIL is welcome, provided that the outcome remains consistent with the positions of all the EU supervisory authorities and the EDPB, so as to bring more legal certainty to the marketing community and allow it to adopt a harmonized approach, at least within the EU.

We invite you to consult our privacy blog regularly to follow the webinar that the DLA Piper privacy group will organize to tackle these issues from a multi-jurisdictional perspective.

For more information, please contact Denise Lebeau-Marianna or Tiphaine Caulier