In October 2020, the Commission Nationale de l’Informatique et des Libertés (CNIL), the French body that regulates the protection of personal data in that country, published two documents, one designated “guidelines” and the other called “recommendations,” establishing rules and good practices, concerning the use of cookies on the internet.
GUIDELINES
In the guidelines document, the French authority begins by describing Art. 82 of the Informatics and Freedoms Law, which translates as follows:
Art. 82 – “Any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he has been previously informed, by the controller or his representative, regarding:
1 ° The purpose of any action designed to access, by electronic transmission, information already stored in its electronic communications terminal equipment, or to insert information in this equipment;
2 ° The means at your disposal to oppose.
These accesses or registrations can only be made with the condition that the subscriber or user has expressed, after receiving this information, their consent, which may result from the appropriate parameters of their connection device or any other placed under their control.
These provisions do not apply if access to information stored on the user’s terminal equipment or the recording of information on the user’s terminal equipment:
1 ° has the sole objective of allowing or facilitating communication by electronic means;
2 ° is strictly necessary for the provision of an online communication service at the express request of the user. ”
Thus, the CNIL recognizes the need for consent through positive action (opt-in) and that silence should be considered a refusal. Likewise, the use of pre-marked boxes or buttons is expressly prohibited. It also clarifies that the European Data Protection Act (GDPR) established the conditions for obtaining consent and the need to demonstrate that it was collected. As a result, this knowledge must be obtained in a free, specific, clear, and unambiguous way, through which the user has expressed their will for this purpose. Accordingly, the user must be guaranteed freedom of choice, without which there is no way to validate such conditions.
Therefore, companies need to be careful if they condition the provision of a service or access to a website to the acceptance of writing or reading operations on the user’s terminal (a practice referred to as a “cookie wall”), as such practice may violate, in some instances, freedom of consent.
Article 1 of Directive 2008/63 / EC, of 20 June 2008, defines terminal equipment as “any equipment that is directly or indirectly connected to the interface of a public telecommunications network to transmit, process or receive information; in either case, direct or indirect, the connection can be made by wire, optical fiber or electromagnetic channel. The connection will be indirect if a device is interposed between the terminal equipment and the public network interface”. As such, this definition covers many commonly used devices, such as a tablet, a computer, a smartphone, a fixed or mobile computer, a video game console, a connected television, a connected vehicle, a voice assistant, and so on.
It is important to clarify that the possibility of a simple configuration of computers, cell phones, tablets, and internet browsers is insufficient to characterize consent. On the other hand, consent to cookies does not apply to operations whose sole purpose is to allow or facilitate communication by electronic means or strictly necessary to provide an online communication service upon the express request of the user. To facilitate the understanding of the scope of these exemptions, CNIL listed the cases below:
1. Cookies preserving the choice expressed by users in the cookie repository;
2. Cookies intended for authentication with a service, including those designed to ensure the security of the authentication mechanism, for example, by limiting attempts to access by using robots;
3. Cookies designed to keep the contents of a shopping cart on a commercial website in memory or to bill the user for the products and/or services purchased;
4. The user interface personalization cookies (for example, for choosing the language or presenting a service), when such personalization constitutes an intrinsic and expected element of the service;
5. Cookies that allow load balancing of equipment that contributes to a communication service;
6. Cookies that allow paid websites to limit free access to a sample of content requested by users (predefined quantity and/or for a limited period); and
7. Certain audience measurement cookies (statistical).
In fact, regarding audience measurement cookies (statistics), CNIL reinforces that these cookies must have a purpose strictly limited to a single measurement of the audience on the site or in the application exclusively by the operator or controller. These trackers should not, in particular, allow general tracking of a person’s navigation using different applications or browsing different websites. Likewise, these cookies should only be used to generate anonymous statistical data. The personal data collected cannot be combined with other processing operations or even be transmitted to third parties.
The consent information must be written in simple and understandable terms by everyone (without legal terms that are difficult to understand). It must allow users to properly inform themselves of the different purposes of the cookies used. On the other hand, attention also needs to be paid to the consent collected simultaneously to allow for various processing of personal data for different purposes, without the possibility of accepting or refusing the purpose; in which case the user’s freedom of choice may also be violated.
Also, the user is required to receive the following basic information:
1. The identity of the data controller (s) for reading or writing operations;
2. The purpose of data read or write operations;
3. How to accept or reject cookies;
4. The consequences of refusing or accepting cookies; and
5. the existence of the right to withdraw consent easily, at any time.
CNIL also clarifies that an editor of a website or manager of an application that uses cookies must be held responsible for the treatment of personal data, even when subcontracting the management of these cookies used by third parties. Although many cookies may not systematically involve the processing of personal data, in many cases, reading or writing operations will involve personal data, the treatment of which must be protected. Therefore, there is joint and several liability between the controller and any operator contracted to operate the website or outsource the cookies’ adoption. In this case, there must be a transparent definition of the respective obligations, preferably in a contract between the parties, to ensure compliance with the requirements of the GDPR (European Data Protection Law), in particular concerning the collection and demonstration, where applicable, of valid consent.
RECOMMENDATIONS
The recommendations were developed after consultation with representatives of professionals related to digital advertising, as well as with representatives of civil society.
We will address the additional points raised in this document beyond those explored in the “Guidelines” above.
To facilitate reading, CNIL recommends that each purpose is identified by a short and highlighted title, accompanied by a brief description. Some examples of how to comply with the applicable rules are detailed below:
1. If the cookie(s) are used to display personalized advertising, this purpose can be described as follows: “Personalized advertising: [name of website/application] [and third-party companies/our partners] use cookies to display personalized advertising based on your browsing and your profile.”
2. If cookies are used only to measure the audience of the displayed advertisement, without selecting it based on personal data, the data controller can use the following wording: “Non-personalized advertisement: [name of website/application] [and outsourced companies / our partners] uses cookies to measure the audience for advertising [on the website or application], without outlining their profile.”
3. If advertising is adapted according to the precise geolocation, this purpose can be described as follows: “Geo-localized advertising: [site/application name] [and third-party companies / our partners] uses cookies to send advertising based on your location.”
4. If cookies are used to personalize editorial content or the products and services provided displayed by the operator, the following words may be displayed: “Personalization of content: Our website/application [and third-party companies] use cookies to personalize the editorial content [of our website/app] based on your use,” or “Our website/app [and third-party companies] uses cookies to personalize the display of our products and services based on those you have previously viewed [ on our website/app]”).
5. If cookies are used to share data on social networks, its purpose can be described as follows: “Sharing on social networks: Our website/app uses cookies to allow you to share content on social networks or platforms present [on our website/application].” If the operator has chosen to put in place a mechanism that allows these cookies to be triggered only when users really want to share data with the social networks in question (and when they interact with the feature or the button allowing such interaction), the information and consent collection may appear when users decide to trigger that sharing feature.
The CNIL also recommends including, in addition to the list of purposes presented on the first screen, a more detailed description of these purposes, easily accessible from the consent collection interface, through a link or a drop-down button, for example.
Users must be able to verify the identity of all controllers (s), including the joint controllers, before giving their consent or refusing. If such data is pervasive, it can be provided in a second level of information, as per the paragraph above. CNIL also recommends using a descriptive name and unambiguous terms, such as “List of companies that use trackers on our website/application,” permanently, which can be accessed at any time.
The user’s positive consent can be expressed by ticking boxes, clicking buttons, or sliding switches.
To guarantee the free character of the consent given, CNIL recommends that users consent to be requested in an independent and specific way for each distinct purpose. However, CNIL considers that this determination does not exclude the possibility of offering users global consent for a set of purposes, subject to the presentation, in advance, of all purposes to users.
In this regard, CNIL clarifies that it is possible to offer general acceptance and rejection buttons at the first level of information, such as, for example, by presenting buttons entitled “accept everything” and “refuse everything,” “authorize,” and “I do not authorize,” “I accept everything” and “I do not accept anything” and allowing consent or refusal, in a single action, for different purposes.
In order to allow people to choose between purposes, it is possible to include a button at the same level of information as the links or buttons that will enable them to accept everything and refuse everything, allowing access to the choice by purpose. For example, a “customize my choices” or “decide by purpose” button would clearly indicate this possibility. Users can also be offered the chance to accept or reject purposes directly at the first level of information. They may also be asked to click on each purpose so that a drop-down menu offers the “accept” or “refuse” buttons.
Also, to the extent that consent can be forgotten by the people who expressed it at a given time, CNIL recommends that data controllers renew their request at appropriate intervals. In this case, the validity of the consent chosen by the controller must consider the context, the purpose of the initial consent, and the users’ expectations.
As for the withdrawal of consent, CNIL exemplifies the hypothesis through a connection accessible to anyone in the service in question. It is recommended to use a descriptive and intuitive name, such as “cookie management module” or “manage my cookies” or “cookies,” etc. The operator of a website can also provide users with a configuration module accessible on all pages of the website through a “cookie” icon, located for example in the lower left corner of the screen, allowing them to access the management mechanism withdrawing your consent.
Those responsible for the treatment(s) must be able to demonstrate, at any time, that users have given their consent. To do this, mechanisms to demonstrate that users’ consent has been obtained validly must be implemented. The CNIL considers that such an obligation cannot be fulfilled by the mere presence of a contractual clause that commits one of the parties to obtain valid consent on behalf of another party, insofar as such clause does not guarantee, in all circumstances, the existence of valid consent. In effect, the CNIL determines the following possibilities of proof of the validity of consent:
1. The different versions of the computer code used by the agency that collects the consent can be placed in custody with a third party, or, more simply, a condensate (or “hash”) of this code can be published in a date-stamped form. / hour on a public platform, to be able to prove its authenticity later;
2. A screenshot of the visual rendering displayed on a mobile or fixed terminal can be maintained, with a timestamp, for each version of the website or application;
3. Regular audits of the consent collection mechanisms implemented by the websites or applications in which consents are collected can be implemented by third parties designated for this purpose; and
4. Information related to the tools implemented and their successive configurations (such as solutions for obtaining consents, also known as CMP – “Consent Management Platform”) can be stored, in a dated manner, by third parties by editing these solutions.
CNIL also clarifies that it does not require users to be informed of reading and writing operations that are not subject to prior consent. For example, a website’s use of a language preference cookie that stores only a value indicating the user’s preferred language is likely to be covered by the exemption. It does not constitute the processing of personal data subject to GDPR. However, to guarantee the full transparency of these operations, CNIL recommends that users are also informed of the existence of these cookies and their purposes, including, for example, a note about them in the privacy policy. As for the cookies that measure the audience (statistics), CNIL recommended that:
1. Users are informed about the implementation of these cookies, for example, through the privacy policy of the website or the mobile application.
2. The life of cookies is limited to a period that allows a relevant comparison of audiences over time, as is the case for thirteen months, which is not automatically extended to new visits.
3. The information collected through these cookies is kept for a maximum period of twenty-five months; and
4. the shelf life and storage periods mentioned above are subject to periodic review.
Finally, CNIL also recommends that the names of the cookies used are explicit and, as far as possible, uniform, regardless of the agent responsible for their transmission