
Revised CNIL cookie guidance – moving towards harmonisation?

Cookies and other tracking technologies have received a lot of attention in the last few months from regulators charged with enforcing data protection and ePrivacy laws. The Irish data protection authority, the Data Protection Commission (DPC), has already issued an enforcement alert to organisations, stating that it would begin enforcing new cookie rules by 5 October 2020. This month, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), followed suit, stating that it would begin enforcement of its newly released cookie guidance at the end of March 2021. This piece examines the revised CNIL guidance, with particular attention to any links with the DPC guidance and guidance from the UK’s Information Commissioner’s Office (ICO). Specifically, it identifies areas of similarity that may indicate emerging alignment and harmonisation across Europe.

Consent

According to the revised CNIL guidance issued this month, as well as ICO and DPC guidance, it is clear that simply visiting a site and navigating around it cannot be considered as a valid provision of consent to the use of cookies. Instead, a positive, opt-in consent must be obtained to use all but necessary cookies and other trackers on a website. Users must be provided with an “I accept” button, and inaction with respect to cookies must be interpreted as a refusal to have cookies or other trackers active on their device.

  • ✔ ICO
  • ✔ DPC

According to the CNIL, withdrawing or refusing consent for trackers and cookies should be “as easy as accepting them”. For example, you cannot have an “Accept all” button with a “Manage Settings” button; instead, an “Accept all” button must be accompanied by a “Reject all” button. Rejecting cookies should not require more “clicks” than accepting them. This aligns with ICO guidance. In contrast, the DPC is allowing more flexibility, and they have given examples (e.g., in their Cookie Sweep Report p.18) of CMP tools that use a “Manage Settings” approach.

  • ✔ ICO
  • ❌ DPC

Like the DPC and ICO guidance, the CNIL guidance makes clear that consent cannot be “nudged” through design features such as colour, prominence or ease of interaction.

  • ✔ ICO
  • ✔ DPC

Additionally, the CNIL notes that it is best practice to set an expiration period of six months on cookies that are based on consent. This aligns with DPC guidance; however, the ICO has not recommended a specific retention period.

  • ❌ ICO
  • ✔ DPC

Transparency

Site users must be clearly informed of the purpose of trackers, the consequences of accepting or rejecting trackers, and the identity of data controllers and other actors using the trackers. This is well aligned with ICO and DPC guidance.

  • ✔ ICO
  • ✔ DPC

Strictly Necessary

Trackers or cookies that are necessary for functionalities such as authentication, remembering shopping cart contents, or keeping some content behind subscription walls do not require consent. This is also well aligned with ICO and DPC guidance.

  • ✔ ICO
  • ✔ DPC

Analytics Cookies

According to the CNIL’s guidance, some analytics cookies may be exempt from consent requirements. According to some studies and opinions, the exemption may be limited to analytics cookies whose only purpose is measuring audience characteristics on behalf of the site operator, that collect anonymised information, store it for a limited period of time, and neither combine it with other sources nor share it with third parties. The DPC has not been equally explicit about first-party analytics cookies, although it has noted that such a configuration is unlikely to be an enforcement priority. In contrast, the ICO has explicitly stated that analytics cookies require consent.

  • ❌ ICO
  • ❌ DPC

Fairness & Accountability

Records of consent for cookies should be accompanied by storage of information on cookie rejection, to avoid individuals having to constantly reject cookies every time they visit the site.

  • ✔ ICO
  • ✔ DPC

Trackers and cookies that allow monitoring on external websites, other than the one being visited, should be subject to consent on each of the external sites that are tracking a user’s activity. Neither the ICO nor the DPC explicitly treat this issue in their guidance.

  • ❌ ICO
  • ❌ DPC

Finally, although previous versions of the CNIL’s guidelines banned so-called “cookie walls”, the revised guidance states that individuals must be clearly informed of the consequences of rejecting cookies in these cases, and that the lawfulness of a cookie wall must be assessed on a case-by-case basis. The DPC’s position on cookie walls is somewhat nuanced: it has not treated the issue as explicitly, but it states that users should not experience detriment if they reject cookies. In contrast, the ICO seems to accept cookie walls in some circumstances.

  • ✔ ICO
  • ❌ DPC

Based on this analysis, it seems that rules and guidelines are becoming more harmonised in some areas. Organisations can rely on the position – shared by several authorities – that inaction on the part of a site visitor should always be interpreted as rejection of cookies. Furthermore, design choices must be carefully scrutinised to make sure that no “nudging” via colour choice, prominence, etc. is being used to influence the visitor’s selection. Visitors must always be told about the purpose of cookies and the identity of the data controller. However, cookies necessary for core functionalities can still be used without consent.
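The converged positions summarised above (inaction counts as refusal, rejection is recorded and honoured for the same period as acceptance, a six-month lifetime on consent-based cookies, strictly necessary cookies exempt, reject as easy as accept, no nudging by prominence) can be expressed as a small consent-state model. The following is an added illustration written for this article, not code from the original post, from any regulator, or from any consent-management product; the cookie category names and the banner button descriptions are assumptions.

```javascript
// Consent-state model for a cookie banner, written for Node (no DOM) so it can be run as-is.
// The "cookie jar" is a plain Map standing in for the browser's cookie store.
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // CNIL best-practice lifetime for consent cookies

// Hypothetical category names; only these may run without consent.
const STRICTLY_NECESSARY = new Set(["session", "cart", "paywall"]);

// Store the visitor's choice. A rejection is recorded exactly like an acceptance, with the
// same lifetime, so a visitor who refuses is not re-prompted on every page view.
function recordChoice(jar, choice, now) {
  if (choice !== "accept_all" && choice !== "reject_all") {
    throw new Error("unknown choice: " + choice);
  }
  jar.set("consent_state", { value: choice, expires: now + SIX_MONTHS_MS });
  return jar;
}

// Current consent state: "accept_all", "reject_all", or "none" when no unexpired record exists.
function consentState(jar, now) {
  const rec = jar.get("consent_state");
  if (!rec || rec.expires <= now) return "none";
  return rec.value;
}

// Gate for each tracker: necessary categories always run; everything else needs an explicit
// opt-in. "none" (the visitor has done nothing yet) is treated exactly like a refusal.
function mayUseTracker(jar, category, now) {
  if (STRICTLY_NECESSARY.has(category)) return true;
  return consentState(jar, now) === "accept_all";
}

// Lint the banner's first layer: reject-all must be one click away like accept-all, and neither
// button may be given more visual prominence than the other. Returns a list of findings.
function lintBanner(firstLayerButtons) {
  const byAction = new Map(firstLayerButtons.map((b) => [b.action, b]));
  const findings = [];
  if (!byAction.has("accept_all")) findings.push("no accept-all button on first layer");
  if (!byAction.has("reject_all")) {
    findings.push("reject-all missing on first layer: rejecting takes more clicks than accepting");
  } else if (byAction.get("reject_all").prominent !== byAction.get("accept_all").prominent) {
    findings.push("accept-all and reject-all differ in prominence (nudging)");
  }
  return findings;
}
```

`lintBanner` flags the “Accept all” plus “Manage Settings” layout the CNIL rejects, while a first layer carrying equally prominent “Accept all” and “Reject all” buttons passes.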

These areas of convergence provide clear guidance for organisations operating virtually across borders.

Areas where harmonisation has not yet progressed include: a position on the ease of rejecting cookies; specific recommendations on cookie retention periods; the use of analytics cookies owned by site operators; the use of cookie walls; and the rules for monitoring those who consent to cookies across websites. While these appear to create potential areas of complication, consensus may yet settle around some of them, since different regulators are working to different timelines.

Trilateral’s Data Governance and Cyber-Risk Team offers data governance services that can help your organisation develop policies and procedures for ongoing compliance with the latest governance standards. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support. Our support services will help your business to protect individuals’ fundamental rights, building trust among your website users and ultimately, your customers. Please feel free to contact our advisors, who would be more than happy to help.

Rachel Finn

Rachel Finn is Senior Practice Manager at Trilateral Research.

Alan Mac Kenna

Alan Mac Kenna is Data Protection Technology Advisor at Trilateral Research.
