Following the adoption of the first version of its guidelines on cookies and other trackers on 4 July 2019 (see our alert here), which have been partially annulled by a decision from the French highest administrative Court, the Conseil d’Etat, dated 19 June 2020, the French supervisory authority (“CNIL”) has adopted a revised version of its guidelines (the “Revised Guidelines”) and the final version of its recommendations on the practical procedures for collecting consent concerning cookies and other trackers (the “Recommendations”).
- WHAT ARE THE KEY TAKEWAYS?
Taking into account the European Data Protection Board (“EDPB”) revised guidelines 05/2020 on consent under the GDPR (the “Consent Guidelines”), the “Planet49 GmbH” case law from the European Court of Justice (the “Planet49 decision”) and the aforementioned decision from the Conseil d’Etat, the Revised Guidelines further specify the CNIL’s position on consent, cookies wall, evidencing user choices and mandatory information. The Revised Guidelines also provides greater clarity as regards cookies and trackers that are exempt from prior user consent.
a. Emphasis on the conditions of valid consent
According to the CNIL, the absence of action from the user (i.e., no choice from the user) and the mere continuation of a website or use of a mobile application can no longer be construed as a valid consent.
b. Cookies Walls : no longer a clear prohibition but validity is still challengeable
The abovementioned decision from the Conseil d’Etat has annulled the CNIL’s position on cookies walls – which were prohibited per se in the July 2019 guidelines – on the ground that such prohibition may not stem from guidelines adopted by the CNIL, which is “soft law” by nature and cannot go beyond the letter of the GDPR.
c. A more detailed list of cookies and trackers exempt from consent
While cookies and trackers used for advertising purposes and social networks features remain subject to consent, the Revised Guidelines provide additional examples of categories of cookies and trackers that are exempt from consent, under Article 82 of the French Data Protection Act. This exemption applies to cookies and trackers which sole purpose is to carry out or facilitate the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the user.
The CNIL has considered that the following categories of tracers benefit from the above exemption:
- cookies and trackers intended for authentication to a service ;
- cookies and trackers intended to store the contents of a shopping basket on a merchant site or to invoice the user for the product(s) and/or service(s) purchased;
- cookies and trackers enabling the customization of the user’s interface, where such customisation is an expected element of the service;
- cookies and trackers for load balancing contributing to a communication service;
- cookies and trackers enabling paying sites to limit free access to a sample of content requested by users (predefined quantity and/or over a limited period of time);
- certain audience measurement cookies and tracers, subject to strict conditions (i.e., scope must be limited to a single website or mobile application, the cookie or tracker must be used notably for an analysis of the performances, detect browsing anomalies, improvement of the site ergonomics, analysis of the content consulted etc. without any tracking of individual browsing through different applications or websites, use must be strictly limited to the production of anonymous statistics; any personal data collected using such cookies and tracers may not be used for other purposes or combined with other processing operations or transmitted to third parties).
d. Cookies configuration from web browsers or operating system is not sufficient
Though Article 82 of the French Data Protection Act provides that consent may result from the configuration of a connection device (e.g., web browser software or operating system), the CNIL confirms, taking into account the state of the art, that a valid consent may not be obtained from the specific configuration of a web browser or operating system, since such connection devices do neither provide a sufficient level of prior information nor sufficient choice granularity as regards cookies and trackers purposes.
- WHEN SHOULD ORGANIZATIONS GET READY?
The CNIL has announced a transition period until end of March 2021, during which it will not enforce the new obligations regarding cookies and other trackers resulting from the Revised Guidelines (i.e., additional data subject information, no implicit consent, obligation to retain evidence of consent and refusal) and Recommendations.
However, breaches of pre-existing obligations applicable to cookies and other trackers (e.g., data subject information, prior consent collection) can be sanctioned during such transition period.
For further information, please contact Denise Lebeau-Marianna (Partner, Paris), Alexandre Balducci (Associate, Paris) or your usual DLA Piper contact.