France and Apps/Websites: What do the latest CNIL recommendations say?

The Comission Nationale de l’informatique et des libertés, the French Data Protection Authority (‘CNIL’) published FAQs and a new guideline regarding cookies on October 1st, 2020. This guideline that was previously publicly consulted between January 14^th to February 25^th, 2020 has been developed in consultation with digital advertising stakeholders and civil societies. Stakeholders are requested to adhere to the recommendations that have been provided in this guideline by March 2021. As the guideline contains some key points that deviate from those provided by the other data protection authorities, this article aims to provide clarity by summarizing the main findings and providing some context on the matter of cookies in France.

The ePrivacy Directive and French Implementation in a Nutshell

The topic of cookies and similar technologies has not yet been regulated on a standardized level across the European Union.  However, the minimum standard has been determined by Art. 5 (3) of the ePrivacy Directive (Directive 2002/58/EC) which has been implemented by the majority of European Member States. In France, rules regarding cookies and similar technologies are regulated under Art. 82 French Data Protection Act which implements the provisions of the ePrivacy Directive.

In the guideline, the CNIL highlighted their supervisory powers regarding the processing of cookies and tracking technologies independently of whether or not personal data are processed. They are also competent for technologies which are not processing personal data in the light of the ePrivacy Directive. An example of technology not processing personal data mentioned by the CNIL is language preference cookies which only store a value indicating the preferred language.

What is the scope of the FAQs & guidelines?

The CNIL has supplemented existing guidelines with practical arrangements for public and private entities to assist ongoing efforts for achieving cookie compliance. The recommendation applies to any company using tracking technologies. Tracking technologies are determined as technologies processing directly identifiable information such as email address or indirectly identifiable information such as unique identifiers associated with a cookie, IP address, an identifier of the terminal or end device, fingerprinting technologies, or identifiers generated by a software or system.

The recommendation specifically mentions examples of web environments and mobile applications such as connected TV, video games, voice assistant, connected vehicles, and others with and without access to restricted areas.

The CNIL encourages standardized procedures and operations, including harmonization of vocabulary to improve the user-friendliness of cookie banners. An example of such a harmonized vocabulary is to name “EU-consent” with true and false identification technologies that are storing cookie consent preferences.

What are the legal bases of Cookies and similar technologies in France?

As a rule of thumb, there are very limited cookies and other technologies that do not require the user to provide consent under Art. 6 (1) a GDPR in conjunction with Art. 7 GDPR. Whenever legitimate interest serves as a legal basis (Art. 6 (1) f GDPR), this is the case where technologies are considered as “strictly necessary” to display the website content. Each website usually contains cookies that are strictly necessary and others that require consent. From our perspective as Data Protection Officers, almost all web and app technologies are using mechanisms that require consent as a business-standard.

What are the information requirements in line with the latest CNIL guideline?

The CNIL acknowledges that different layers of information are provided in different cookie banner settings.

Brief information containing details of the (joint) controller(s) with a prominent title and brief description is to be provided in the first layer of the cookie banner which would be the first thing that a user would see on your website. The CNIL provides some examples relating to Custom Audiences, Geo-localization Advertising and Content Customizations which all refer to certain common marketing advertising technologies. It is a pity that the CNIL does not provide an exhaustive list of how certain granular technologies can be grouped, for example, some Custom Audience functionalities automatically trigger that a user receives content targeted to his/her geo-localization.

The second layer of information on the banner has been suggested as a scroll button under specific banner sections or a hyperlink. It should specify further operations such as caping of advertisement which ensures that you do not receive the same advertising on a repetitive basis, categories of personal data and pursued purposes.

Whenever a controller is embedding strictly necessary technologies, the CNIL provides recommendations on the granularity of information details on the privacy policy and specifics regarding their lifetime. Those details include the purpose of the cookies, lifetime and period of keeping information which should be a maximum of 25 months wherein the operation of such technologies should be limited to 13 months. The controller is also requested to not automatically extend the duration of those technologies when a user re-visits the website but should periodically review the compliance regarding life-time duration and storage periods.

How to obtain valid consent as per the latest CNIL guideline

The CNIL recommends some procedures for controllers to review their cookie consent practises:

Consent to be unambiguous

The Commission recommends for checkboxes to be unchecked by default or sliders deactivated by default. In case the user is not providing any consent or any action, this is to be considered as opt-out and no technologies should be triggered which require previous consent.

Free Consent

The CNIL recommends providing the users with an option per purpose for providing consent. However, the option to accept or refuse all purposes by clicking on one button is tolerated. The naming of the buttons should be descriptive and intuitive to avoid any misunderstandings format e.g. “accept all”, “I accept all” or “refuse all”/“prohibit”/”I do not consent”. An option to manage preferences per purpose could be named “personalize my choices” or “decide by purpose”.

Modalities of Refusal

The website / app user should be informed in a clear and comprehensible manner on how the withdrawal or refusal of consent can be manifested e.g. not interacting with the consent banner. The CNIL evaluates browser settings to be insufficient as a choice of the consent as this is not considered as state of the art. Buttons should be provided at the same level and in the same format with the same degree of simplicity to make sure that the website/app user has a clear and simple way to express choices.

The buttons on the first layer of the cookie banner should be named in an intelligible form. All buttons should be provided in the same format, size, same level of readability and emphasis.

The design practises of data controllers should not be misleading or nudge any certain behaviours. The CNIL tries to achieve an end of the so-called behavioral nudging. Behavioral nudging aims to trigger a user to behave in a certain manner e.g. to click on the bigger green button. However, the use of one button to provide free consent for different purposes is tolerated.

The CNIL is recommending that the banner could also provide a button “continue without accepting” on the upper part of the banner.

The validity of preference selection and proof of consent

The controller is required to demonstrate at any time that the user has provided consent. In case third-party cookies are in use, it is the controllers’ responsibility to make sure that consent has been obtained and to provide corresponding proof. A contractual clause committing the parties to obtain valid consent on behalf of the other is not sufficient, and effective proof of consent is required e.g. review of the modalities (e.g. time stamp on a public platform, screenshots, audits of the CMPs).

The choice of the data subject is to be maintained in principle during navigation on site.  The freedom of choice requirement is infringed if each new window on the webpage would display a separate banner. The consent banner should also disappear after a short period. As users might forget that they have consented, the CNIL sets forth a renewal period of 6 months from a best-practise perspective (before 13 months). It is also possible to determine a deviating period considering the context, scope of initial consent and expectations of the users.

Withdrawal of Consent and Preference Selection:

The solution on how to withdraw consent is to be presented in advance and the option of update the preference should be available via a link always available or with a cookie icon located at the bottom left of the screen (which is currently in use by the ICO as UK data protection authority) to have an easy access method.

It should be ensured that previously used cookies and similar technologies may not be read and written after withdrawing consent.

What is next?

In the past, we have identified that the different data protection authorities are continuously aiming to enhance the complexity of cookie requirements. As the CNIL is considered one of the strictest authorities, we can already recommend businesses operating in France or providing their services to French consumers to adhere to the latest guidance on technologies and to take a critical look at their practises relating to cookies and similar technologies.