French CNIL Publishes Draft Guidance on Cookie Consent

On January 14, 2020, the French data protection authority, the CNIL, proposed a consultation on its draft recommendations on practical ways to collect website user consent for cookies and similar technologies (the “Recommendations”). The Recommendations follow the publication in July 2019 of updated guidance on cookies, including requirements for obtaining GDPR-standard consent, by various European data protection authorities, including the CNIL and the ICO (the latter guidance was reported by Data Matters here). The CNIL has since undertaken a consultation to develop practical methods to obtain user consent.

The CNIL explains that it has developed these Recommendations in light of the current cookies landscape and the fact that large numbers of organisations use cookies, and are therefore affected by, updated regulatory guidance on cookies. The issues identified by the CNIL include: (i) the introduction of new requirements by the GDPR which impact organisations’ uses of cookies, perhaps most significantly the move away from implied consent as a valid expression of consent, which is now required to be a positive, unambiguous act; (ii) an acknowledgement by the CNIL that cookies (in particular those used for online advertising and profiling) are considered by some individuals to be intrusive, pointing to numerous complaints it has received both from individuals and representative organisations in relation to online marketing; and (iii) providing a direct response to requests for practical recommendations, in particular how to reconcile the requirements of clarity and brevity with the need to provide complete information about cookies.

The key recommendations proposed by the CNIL cover the following topics:

  • when consent is required for cookies (and where it is not);
  • the application of cookie requirements to both website owners and third parties placing cookies;
  • suggestions on how to fulfil the transparency requirements, including approaches to listing details of third party cookies and suggested language to allow users to understand what cookies are being set;
  • suggestions for ensuring that valid consent has been obtained;
  • providing users with an accessible method to withdraw their consent; and
  • suggestions on how to provide proof an organization has in fact obtained consent.

The CNIL has indicated that it would welcome the development of standardized interfaces to allow users to understand the navigation of such consents from one site to another.

Whilst not intended to be prescriptive or exhaustive, the CNIL has aimed to provide concrete examples to assist organisations in the implementation of compliant consent-gathering solutions. This additional guidance, together with guidance provided from other regulators, such as the UK ICO and the Spanish AEPD, should provide some welcome clarification on a complex area of the law.

The Recommendations are open for public consultation until February 25, 2020 and can be accessed in full (in French) here.