French CNIL Publishes Draft Guidance on Cookie Consent
On January 14, 2020, the French data protection authority, the CNIL, proposed a consultation on its draft recommendations on practical ways to collect website user consent for cookies and similar technologies (the “Recommendations”). The Recommendations follow the publication in July 2019 of updated guidance on cookies, including requirements for obtaining GDPR-standard consent, by various European data protection authorities, including the CNIL and the ICO (the latter guidance was reported by Data Matters here). The CNIL has since undertaken a consultation to develop practical methods to obtain user consent.
The key recommendations proposed by the CNIL cover the following topics:
- when consent is required for cookies (and where it is not);
- the application of cookie requirements to both website owners and third parties placing cookies;
- suggestions on how to fulfil the transparency requirements, including approaches to listing details of third-party cookies and suggested language to allow users to understand what cookies are being set;
- suggestions for ensuring that valid consent has been obtained;
- providing users with an accessible method to withdraw their consent; and
- suggestions on how to provide proof that an organization has in fact obtained consent.
The CNIL has indicated that it would welcome the development of standardized interfaces to allow users to understand the navigation of such consents from one site to another.
Whilst not intended to be prescriptive or exhaustive, the CNIL has aimed to provide concrete examples to assist organisations in the implementation of compliant consent-gathering solutions. This additional guidance, together with guidance provided by other regulators, such as the UK ICO and the Spanish AEPD, should provide some welcome clarification on a complex area of the law.
The Recommendations are open for public consultation until February 25, 2020 and can be accessed in full (in French) here.