Feb 132020

French CNIL Publishes Draft Guidance on Cookie Consent

William RM Long and Eleanor Dodding
, , , , ,

On January 14, 2020, the French data protection authority, the CNIL, proposed a consultation on its draft recommendations on practical ways to collect website user consent for cookies and similar technologies (the “Recommendations”). The Recommendations follow the publication in July 2019 of updated guidance on cookies, including requirements for obtaining GDPR-standard consent, by various European data protection authorities, including the CNIL and the ICO (the latter guidance was reported by Data Matters here). The CNIL has since undertaken a consultation to develop practical methods to obtain user consent.

The CNIL explains that it has developed these Recommendations in light of the current cookies landscape and the fact that large numbers of organisations use cookies, and are therefore affected by, updated regulatory guidance on cookies. The issues identified by the CNIL include: (i) the introduction of new requirements by the GDPR which impact organisations’ uses of cookies, perhaps most significantly the move away from implied consent as a valid expression of consent, which is now required to be a positive, unambiguous act; (ii) an acknowledgement by the CNIL that cookies (in particular those used for online advertising and profiling) are considered by some individuals to be intrusive, pointing to numerous complaints it has received both from individuals and representative organisations in relation to online marketing; and (iii) providing a direct response to requests for practical recommendations, in particular how to reconcile the requirements of clarity and brevity with the need to provide complete information about cookies.

The key recommendations proposed by the CNIL cover the following topics:

  • when consent is required for cookies (and where it is not);
  • the application of cookie requirements to both website owners and third parties placing cookies;
  • suggestions on how to fulfil the transparency requirements, including approaches to listing details of third party cookies and suggested language to allow users to understand what cookies are being set;
  • suggestions for ensuring that valid consent has been obtained;
  • providing users with an accessible method to withdraw their consent; and
  • suggestions on how to provide proof an organization has in fact obtained consent.

The CNIL has indicated that it would welcome the development of standardized interfaces to allow users to understand the navigation of such consents from one site to another.

Whilst not intended to be prescriptive or exhaustive, the CNIL has aimed to provide concrete examples to assist organisations in the implementation of compliant consent-gathering solutions. This additional guidance, together with guidance provided from other regulators, such as the UK ICO and the Spanish AEPD, should provide some welcome clarification on a complex area of the law.

The Recommendations are open for public consultation until February 25, 2020 and can be accessed in full (in French) here.

William RM Long

London

wlong@sidley.com

Eleanor Dodding

London

edodding@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.