On 4 July 2019, the CNIL published guidelines on the application of Article 82 of the French Data Protection Act. This article governs actions aiming at storing or gaining access to information already stored in the terminal of a user , i.e. in particular the use of cookies or other trackers when a user visits a website. These trackers can be used, for example, to measure the site's audience, to address advertisement, or to interact with social networks. When they are not strictly necessary for the operation of the site visited, these cookies may only be used with the consent of the user.

As announced in its press release of June 28, the CNIL conducted a consultation during the fall of 2019, in order to prepare a draft recommendation proposing operational procedures for obtaining consent.

This draft is now subject to public consultation until 25 February, with a view to preparing the final version of the recommendation.

Why has the CNIL decided to take an interest in cookies and other trackers?

The legal framework that has evolved

The General Data Protection Regulation (GDPR) has strengthened the requirements for the validity of consent. For example, the mere continuation of navigation on a website can no longer be regarded as a valid expression of consent to the use of cookies, which must now be the result of an unambiguous positive act on the part of the user. Furthermore, the GDPR expressly provides that actors must be able to prove that they have indeed obtained valid consent from Internet users.

A very strong data protection issue for individuals

Online advertising profiling can be massive and perceived as intrusive.

The CNIL has thus received numerous individual and collective complaints (La Quadrature du Net, Privacy International, NOYB) relating to online marketing. These complaints reflect a real awareness among all European citizens about the use of their data. The CNIL's has to deal with these complaints and, more generally, to ensure the proper application of the law by combining tools to support professionals (such as its guidelines and the draft recommendation) and the use, where appropriate, of its investigative powers.

A demand for legal certainty from the of professionals

Professionals of the online marketing sector are also seeking a better understanding of their obligations under the GDPR and the ePrivacy Directive (specific text governing, in particular, the deposit and reading of trackers).

In particular, they expressed a need for practical recommendations on how to reconcile the requirements of clarity and conciseness on the one hand and the need to provide full information on the other.

A systemic issue

Finally, the online advertising ecosystem is complex; the vast majority of websites and mobile applications are concerned by these compliance issues, whether they are published by public or private actors. For this reason, the CNIL wanted to undertake a two-step comprehensive action: adoption of guidelines in last July, followed by a recommendation provideingf operational recommendations.

How does this relate to the guidelines of 4 July 2019?

The guidelines of 4 July are intended to summarise the applicable law.

In order to support the professionals in the implementation of compliant solutions for collecting consent, the CNIL wanted to supplement these guidelines with practical recommendations that reflect the concrete application of the regulations.

What is the purpose of the draft recommendation?

The draft recommendation is addressed to private and public bodies as soon as they carry out the read and/or write operations on a user's terminal referred to in Article 82 of the French Data Protection Act.

The recommendation is not intended to be prescriptive. Its main purpose is to provide practical recommendations on how to operationally translate legal requirements into user interface layouts.

It also aims to provide concrete examples of implementation of the regulations. These examples are also not exhaustive. Their sole purpose is to support the professionals concerned in the implementation of compliant solutions for obtaining consent.

Thus, in addition to the examples given, other methods of collecting consent may be used by professionals, provided that they effectively enable consent to be obtained in accordance with the texts in force, as recalled in the guidelines on cookies and other trackers.

For those who wish to stand out by offering a more enhanced protection to their users, the CNIL also offers a number of good practices that go beyond strict compliance with the obligations imposed by the law

What is the development process?

The draft recommendation was drawn up by the CNIL following a consultation with, on the one hand, organizations representing professionals in the online advertising ecosystem and, on the other hand, organizations representing civil society. This consultation made it possible to gather their points of view, with a view to identifying ways of applying article 82 of the French Data Protection Act that are both respectful of privacy and pragmatic.

What is the timetable for the consultation?

The CNIL has decided to launch a public consultation on the draft recommendation. This consultation, available for 6 weeks, will end on February 25. At the end of this period, a final version of the recommendation will be presented to the members of the CNIL meeting in plenary session for final adoption.

As part of the consultation, the draft recommendation is supplemented by visuals. These are only examples to illustrate the recommendations of the CNIL in order to facilitate the reading of the project.