On October 1, 2020, the French data protection authority, the CNIL, published its amended guidelines on cookies and other trackers and its final recommendations on cookies and cookie consent. The updated guidelines closely align with the GDPR standards. The CNIL gave organizations and websites six months to prepare. The new guidelines came into enforcement on April 1, 2021.
The guidelines and recommendations center around cookie consent and the conditions and practical implementation of it.
The new CNIL guidelines and recommendations share best practices for obtaining valid consent for using cookies. The CNIL stresses that consent must be freely given, informed, specific, unambiguous, revocable and demonstrable.
The CNIL does not prohibit the use of cookie walls but suggests analyzing their lawfulness. It also has guidelines for using analytics cookies.
What is CNIL?
The Commission nationale de l’informatique et des libertés (CNIL) is the French regulatory body for data protection and privacy. It supervises and enforces data privacy legislation like GDPR in the country. It also issues rules and regulations for compliance.
The CNIL is known to be stern with those who commit data privacy violations and has levied harsh fines on big companies. A recent example is its whopping €135 million fine for Google and Amazon in December 2020 for cookie violations.
In September 2020, the CNIL announced its guidelines on cookies, which it adopted on October 1, 2020, and it also published the final recommendations on cookies.
The amended CNIL guidelines
Here are the major highlights of the new CNIL guidelines for cookies:
The free nature of consent
According to the GDPR, consent must be “freely given.” That is, users must have a free and genuine choice, without any conditions that compel them to give consent. Cookie walls prevent that. They restrict access to websites unless the users accept cookies, so the users have no way to deny or withdraw consent.
The CNIL does not ban cookie walls entirely. It allows the use of cookie walls if their lawfulness is assessed on a case-by-case basis. When you inform the users, you must ensure that you have shared adequate information about what happens when they accept or deny consent, and that the cookie wall restricts access to the website without user consent.
For consent to be freely given, it should not be bundled either. Websites cannot ask for a single consent covering different cookies that serve different purposes. Such a practice deprives the users of a free choice, and therefore the consent collected is invalid.
Websites must inform the users about the type of cookies and the purpose of each of them while asking for cookie consent. It should also include the identity of data controllers, data processors and third parties who generate and use the cookies. The information must be in simple language without any technical or legal jargon that is too complex to understand. The website must provide the following information before obtaining consent so that the users can make an informed decision:
- The identity of the website cookie owner/organization/administrator and third parties.
- The purpose of using the cookies.
- How to accept or reject the cookies.
- The consequences of accepting or rejecting cookies.
- The users’ right to withdraw consent.
Unambiguous nature of consent
Consent is valid only when it is registered through an explicit, positive action, such as clicking an accept button. Websites cannot “imply” user consent from non-affirmative actions, such as scrolling or browsing the web page or continuing to use the website. Neither can websites use pre-ticked checkboxes, as they do not constitute a positive action, and consent obtained in such a manner is invalid.
The websites must use clear and user-friendly methods to collect cookie consent.
Proof of consent
The websites that collect valid cookie consent are also responsible for providing proof of the consent at any time.
The right to reject and withdraw consent
The users also have the right to withdraw their cookie consent at any time, and it must be as easy as it was to give it.
Cookie consent exemptions
Some cookies are exempted from requiring consent from the users. Cookies that are strictly necessary for the website’s functioning and required for providing services requested by the users do not need user consent. Read more about it here.
The CNIL discusses the use case of cookies used for “audience measurement.” The CNIL recognizes that cookies used for website traffic or performance analysis are essential for a website’s proper functioning. It allows the use of analytics cookies as long as they are limited to generating anonymous (or aggregate) statistical data that will not be combined with other data or used for user identification.
Read the full text of the CNIL guidelines (available in French) here.
The final CNIL recommendations
The CNIL provides directions for following the guidelines, such as examples and design recommendations. Following are the highlights from the CNIL recommendations:
- The cookie consent banner must provide information about the purpose of cookies or cookie category before presenting the option for cookie consent.
- The purpose of the cookie must be presented with a short and highlighted title of the purpose, followed by a brief description.
- The purpose description must be easily accessible.
- The opt-in option for cookies must not be pre-enabled, e.g. pre-ticked checkbox or pre-activated toggle switch, such that if the users do not take any action or miss these options, it will lead the website to load the cookies.
- There should be options to accept and refuse all cookies in just one click, e.g. “Accept All” and “Reject All” buttons presented at the same level and with equal prominence.
- Allow granularity in giving consent for different types of cookies. It can be achieved via a “settings/customize/preference” button or link.
- Consent choices, whether accepted or rejected, must be stored for at least six months so that the websites do not ask for consent every time the same user visits the site.
- If cookies allow the website to track across other websites, the consent should be obtained at each of those sites. It will make the users understand the scope of their cookie consent.
- The lifespan of cookies exempted from consent must be limited to a maximum of 13 months, and the data collected through these cookies must be stored for at most 25 months.
Read the full text (available in French) here.
Checklist to comply with CNIL guidelines
Here is a 10-point checklist that will ensure that your website is compliant with the new CNIL guidelines for cookies:
▢ Install a cookie consent notice or banner on your website for collecting user consent.
▢ Avoid the use of cookie walls as much as possible.
▢ The consent banner must have an “accept all” and a “reject all” button, or any mechanism for accepting and refusing cookie consent in one click, that is clear, visible and easy to use.
▢ The banner can have a settings/preference button that can give the users a consent option for each type of cookie.
▢ Do not pre-load any cookies (except strictly necessary) until and unless the users click the accept button.
▢ If the users click the reject button, the website must not load the cookies.
▢ If you use analytics cookies, pre-load them before consent only if they collect anonymous statistical data.
▢ There must be a setting or link to call back the banner or revoke the consent.
▢ Keep a log of the user consent you receive.
The CNIL recommends that websites also follow the ePrivacy Directive and GDPR.
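The gating rules from the recommendations and checklist above (explicit action only, toggles off by default, choices kept for six months, a consent log, withdrawal as easy as acceptance), expressed as an added example that is not CookieYes or CNIL code. The category names, function names and the 183-day approximation of six months are assumptions made for illustration.

```javascript
// Added example; all names are hypothetical, not CookieYes or CNIL code.
const SIX_MONTHS_MS = 183 * 24 * 60 * 60 * 1000; // assumption: six months ~ 183 days
const CATEGORIES = ["necessary", "analytics", "advertising"]; // constructed set
const EXPLICIT_ACTIONS = ["accept_all", "reject_all", "custom"];

// Build a consent record. Only an explicit click counts; scrolling or
// continued browsing is rejected as a source of consent.
function recordConsent(action, choices, now, log) {
  if (!EXPLICIT_ACTIONS.includes(action)) {
    throw new Error("not an explicit consent action: " + action);
  }
  const granted = {};
  for (const category of CATEGORIES) {
    if (category === "necessary") granted[category] = true; // exempt from consent
    else if (action === "accept_all") granted[category] = true;
    else if (action === "reject_all") granted[category] = false;
    else granted[category] = choices[category] === true; // untouched toggle = off
  }
  const record = { action, granted, givenAt: now, validUntil: now + SIX_MONTHS_MS };
  log.push(record); // append-only log serves as proof of consent
  return record;
}

// True when the banner must be shown: no stored choice, or it has expired.
function needsPrompt(record, now) {
  return !record || now >= record.validUntil;
}

// Decide whether scripts of a category may set cookies right now.
function mayLoad(category, record, now, anonymousAnalytics = false) {
  if (category === "necessary") return true;
  if (needsPrompt(record, now)) {
    // Before any choice: only anonymous audience measurement may pre-load.
    return category === "analytics" && anonymousAnalytics;
  }
  return record.granted[category] === true;
}

// Constructed walk-through: a custom choice, then withdrawal in one call.
function demo() {
  const log = [];
  const t0 = Date.UTC(2021, 3, 1);
  const custom = recordConsent("custom", { analytics: true }, t0, log);
  const withdrawn = recordConsent("reject_all", {}, t0 + 1000, log);
  return { custom, withdrawn, log };
}
```

Once the user has made an explicit choice, this version honors it for analytics as well, which is a conservative design decision of the example.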
CookieYes cookie consent solution for CNIL compliance
CookieYes is a cookie consent solution for websites that need to comply with GDPR, ePrivacy Directive, CCPA and CNIL. It provides all-around solutions for complying with these data privacy laws and standards.
Using the application, you can add a cookie consent notice or banner to your website in just three simple steps. Not only that, you can manage cookie consent on your site and control it. Its features make sure that your website follows the requirements stated in the CNIL guidelines and recommendations.
CookieYes’ application provides a host of features, such as:
- Compatible with all major CMS and also supports websites built with custom codes.
- Full customization of the cookie consent banner, i.e. content and color of the banner, buttons, links.
- Provides various consent types of which the explicit type provides “Accept All” and “Reject All” buttons.
- Further enhancement and customization of the banner possible with CSS customizations.
- Auto-scans websites for cookies to identify them and auto-blocks third-party cookies until the user gives consent and also lets you add cookies to block as well.
- Allows selective enabling and disabling of cookie categories under “Preferences” (customizable label).
- Preloads, before obtaining user consent, only the cookies that you have enabled. So, if you only enable necessary cookies (default state of the banner), other cookies will not be preloaded.
- In line with the CNIL guidelines, it allows preloading of analytics cookies (that generate anonymous data) before user consent.
- Option to call back the consent banner to let users withdraw (or change) consent.
- Records user consent for cookies and generates a report that you can use as proof of consent.
- Auto-translation of the banner into 26 languages.
- Geo-targeted display of the consent banner based on the law you need to comply with.
CookieYes gives you everything you require for your website to comply with the new CNIL guidelines and final recommendations. April 1 is already over, and the CNIL has begun enforcing them. To avoid fines, you must adhere to them. So, get started with CookieYes and make your website CNIL compliant (along with GDPR and ePrivacy Directive).