- CONTEXT
Following the adoption of the first version of its guidelines on cookies and other trackers on 4 July 2019 (see our alert here), which were partially annulled by a decision of France’s highest administrative court, the Conseil d’Etat, dated 19 June 2020[1], the French supervisory authority (“CNIL”) has adopted a revised version of its guidelines[2] (the “Revised Guidelines”) and the final version of its recommendations on the practical procedures for collecting consent concerning cookies and other trackers[3] (the “Recommendations”).
While the Revised Guidelines provide the CNIL’s guidance on how to read the relevant provisions of the French Data Protection Act, which governs the use of cookies and other trackers in France, the Recommendations provide practical guidance and examples to help professionals navigate the rules applicable to cookies and other trackers and comply with the requirements of Article 82 of the French Data Protection Act. These two documents constitute “soft law” and are not binding, but provide strong references for organizations to anticipate how the CNIL may conduct its compliance investigations.
The adoption of the Revised Guidelines and Recommendations is part of the CNIL’s 2019-2020 plan for the online advertising sector, whose goal is to provide clearer guidance to the advertising sector while enabling users to have greater control over the use of cookies and trackers. We note that, while the CNIL confirms its previous positions on a certain number of points (see our previous alert here), notably on the status applicable to the different stakeholders (controller, joint controllers or processor), it also provides additional clarification on certain points already covered in its previous guidelines and draft recommendations.
- WHAT ARE THE KEY TAKEAWAYS?
Taking into account the European Data Protection Board (“EDPB”) revised guidelines 05/2020 on consent under the GDPR[4] (the “Consent Guidelines”), the “Planet49 GmbH” case law from the European Court of Justice[5] (the “Planet49 decision”) and the aforementioned decision from the Conseil d’Etat, the Revised Guidelines further specify the CNIL’s position on consent, cookies walls, evidencing user choices and mandatory information. The Revised Guidelines also provide greater clarity as regards cookies and trackers that are exempt from prior user consent.
a. Emphasis on the conditions of valid consent
The Revised Guidelines recall the already well-known principle that implied consent (e.g., through the use of a website or mobile application, pre-ticked boxes or “bundled” consent to terms of use) does not meet the GDPR standard of consent. Indeed, under Articles 4.11 and 7 of the GDPR, consent can only result from “a statement of clear affirmative action” from the individual.
According to the CNIL, the absence of action from the user (i.e., no choice from the user) and the mere continued use of a website or mobile application can no longer be construed as valid consent.
The Revised Guidelines include developments on how to collect valid consent as well as on refusal and consent withdrawal. The CNIL highlights the fact that the means to refuse cookies and trackers must be “as easy” as the means available to accept their use. As a result, users must not be subjected to complex procedures for refusing cookies and trackers or for withdrawing their consent, which they must be able to do at any time. To that end, the CNIL provides practical examples and good practices in the Recommendations, from the use of a “reject all” button to the availability of a visible “cookies” icon enabling users to configure their choices and withdraw their consent. In addition, the Revised Guidelines specifically provide that users’ choices, be it consent or refusal, must be (i) clearly presented to users, notably as regards the available means to exercise such choice, (ii) collected and clearly evidenced (the Recommendations give examples of how to ensure such evidence through the use of a consent management platform, screen capture, etc.) and (iii) recorded by data controllers, for an appropriate duration during which they would not ask the users again for their consent. Such duration may vary depending on the nature of the site or application concerned. According to the Recommendations, a good practice in that respect is 6 months – at the expiry of that term, controllers could ask users again to consent (or refuse) to the use of cookies and trackers.
b. Cookies Walls: no longer a clear prohibition but validity is still challengeable
The abovementioned decision from the Conseil d’Etat has annulled the CNIL’s position on cookies walls – which were prohibited per se in the July 2019 guidelines – on the ground that such a prohibition may not stem from guidelines adopted by the CNIL, which are “soft law” by nature and cannot go beyond the letter of the GDPR.
Consequently, the CNIL has amended its position on cookies walls, whose lawfulness must be assessed on a case-by-case basis, depending on whether free consent can be given. However, having regard to the EDPB’s restrictive position on the topic – in substance that consent is not “freely given” if access to services and functionalities is made conditional on the user’s acceptance of the use of cookies and trackers – there can be no doubt that cookies walls will be deemed unlawful by the CNIL in the event of a control.
The Revised Guidelines also provide additional restrictions which will result, in practice, in a major hindrance to the use of cookies walls: as a general principle, users must be provided with mandatory information notably on the identity of the controller(s) of the processing (the list of such controllers must be easily accessible and up to date), purposes, the way to refuse or accept cookies, the consequences of accepting or refusing the use of cookies and other trackers and the right to withdraw their consent. In addition, the CNIL specifies that the collection of a single consent for several processing purposes (i.e., “purpose bundling”), without the possibility of consenting or refusing per purpose, is likely to affect users’ freedom of choice and, therefore, the validity of their consent.
c. A more detailed list of cookies and trackers exempt from consent
While cookies and trackers used for advertising purposes and social network features remain subject to consent, the Revised Guidelines provide additional examples of categories of cookies and trackers that are exempt from consent, under Article 82 of the French Data Protection Act. This exemption applies to cookies and trackers whose sole purpose is to carry out or facilitate the transmission of a communication over an electronic communications network, or which are strictly necessary in order to provide an information society service explicitly requested by the user.
The CNIL has considered that the following categories of trackers benefit from the above exemption:
- cookies and trackers recording the choice expressed by users on the use of cookies and trackers;
- cookies and trackers intended for authentication to a service;
- cookies and trackers intended to store the contents of a shopping basket on a merchant site or to invoice the user for the product(s) and/or service(s) purchased;
- cookies and trackers enabling the customization of the user’s interface, where such customisation is an expected element of the service;
- cookies and trackers for load balancing contributing to a communication service;
- cookies and trackers enabling paying sites to limit free access to a sample of content requested by users (predefined quantity and/or over a limited period of time);
- certain audience measurement cookies and trackers, subject to strict conditions (i.e., the scope must be limited to a single website or mobile application; the cookie or tracker must be used notably for analysis of performance, detection of browsing anomalies, improvement of site ergonomics, analysis of the content consulted, etc., without any tracking of individual browsing across different applications or websites; use must be strictly limited to the production of anonymous statistics; any personal data collected using such cookies and trackers may not be used for other purposes, combined with other processing operations or transmitted to third parties).
d. Cookies configuration from web browsers or operating system is not sufficient
Though Article 82 of the French Data Protection Act provides that consent may result from the configuration of a connection device (e.g., web browser software or operating system), the CNIL confirms, taking into account the state of the art, that valid consent may not be obtained from the specific configuration of a web browser or operating system, since such connection devices provide neither a sufficient level of prior information nor sufficient granularity of choice as regards the purposes of cookies and trackers.
- WHEN SHOULD ORGANIZATIONS GET READY?
The CNIL has announced a transition period until the end of March 2021, during which it will not enforce the new obligations regarding cookies and other trackers resulting from the Revised Guidelines (i.e., additional data subject information, no implicit consent, obligation to retain evidence of consent and refusal) and Recommendations.
However, breaches of pre-existing obligations applicable to cookies and other trackers (e.g., data subject information, prior consent collection) can be sanctioned during such transition period.
For further information, please contact Denise Lebeau-Marianna (Partner, Paris), Alexandre Balducci (Associate, Paris) or your usual DLA Piper contact.
[1] Conseil d’Etat, 19 June 2020, No. 434684, ASSOCIATION DES AGENCES-CONSEILS EN COMMUNICATION et autres (available in French only, here)
[2] CNIL, deliberation 2020-091 of 17 September 2020 repealing the CNIL deliberation 2019-093 of 4 July 2019 (available in French only, here)
[3] CNIL, deliberation 2020-092 of 17 September 2020 (available in French only here)
[4] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, adopted on 4 May 2020 (available here)
[5] ECJ, 1 October 2019, Planet49 GmbH (C-673/17) (available here)