Feb 132020

French CNIL Publishes Draft Guidance on Cookie Consent

William RM Long and Eleanor Dodding
, , , , ,

On January 14, 2020, the French data protection authority, the CNIL, proposed a consultation on its draft recommendations on practical ways to collect website user consent for cookies and similar technologies (the “Recommendations”). The Recommendations follow the publication in July 2019 of updated guidance on cookies, including requirements for obtaining GDPR-standard consent, by various European data protection authorities, including the CNIL and the ICO (the latter guidance was reported by Data Matters here). The CNIL has since undertaken a consultation to develop practical methods to obtain user consent.

The CNIL explains that it has developed these Recommendations in light of the current cookies landscape and the fact that large numbers of organisations use cookies, and are therefore affected by, updated regulatory guidance on cookies. The issues identified by the CNIL include: (i) the introduction of new requirements by the GDPR which impact organisations’ uses of cookies, perhaps most significantly the move away from implied consent as a valid expression of consent, which is now required to be a positive, unambiguous act; (ii) an acknowledgement by the CNIL that cookies (in particular those used for online advertising and profiling) are considered by some individuals to be intrusive, pointing to numerous complaints it has received both from individuals and representative organisations in relation to online marketing; and (iii) providing a direct response to requests for practical recommendations, in particular how to reconcile the requirements of clarity and brevity with the need to provide complete information about cookies.

The key recommendations proposed by the CNIL cover the following topics:

  • when consent is required for cookies (and where it is not);
  • the application of cookie requirements to both website owners and third parties placing cookies;
  • suggestions on how to fulfil the transparency requirements, including approaches to listing details of third party cookies and suggested language to allow users to understand what cookies are being set;
  • suggestions for ensuring that valid consent has been obtained;
  • providing users with an accessible method to withdraw their consent; and
  • suggestions on how to provide proof an organization has in fact obtained consent.

The CNIL has indicated that it would welcome the development of standardized interfaces to allow users to understand the navigation of such consents from one site to another.

Whilst not intended to be prescriptive or exhaustive, the CNIL has aimed to provide concrete examples to assist organisations in the implementation of compliant consent-gathering solutions. This additional guidance, together with guidance provided from other regulators, such as the UK ICO and the Spanish AEPD, should provide some welcome clarification on a complex area of the law.

The Recommendations are open for public consultation until February 25, 2020 and can be accessed in full (in French) here.

William RM Long

London

wlong@sidley.com

Eleanor Dodding

London

edodding@sidley.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.