France’s data protection authority is giving publishers until the spring of 2020 to design and deploy GDPR-compliant cookie consent notices.

Until then, scroll consent – aka, soft or tacit consent – will be acceptable.

At a meeting in late April, representatives from the Commission nationale de l'informatique et des libertés told French industry trade organizations about the reprieve and shared additional details about the CNIL’s agenda for the coming year.

The assembled trade orgs – which included IAB France, the French arm of the Mobile Marketing Association, publisher-focused group Geste and SNCD, France’s answer to the Direct Marketing Association – had requested the meeting in an urgent mid-March letter to newly appointed CNIL president, Marie-Laure Denis.

Several public formal notices issued over the past year by the CNIL have called out specific companies in the digital advertising sector for improperly collecting user consent. As a result, there’s been some clarification on how to comply consent wise, but there’s still confusion about exactly what’s required.

The CNIL’s first order of business is to update its 2013 consent recommendations, which are obsolete now that GDPR is on the scene.

Under the recs, as long as users are shown a banner that explains why cookies are being collected and then given an easy way to opt out, sites can drop cookies even if the only form of affirmative action on the part of visitors is to scroll on the page.

The commission is planning to release updated rules in June to bring its recommendations more in line with GDPR principles. Between June and November, the CNIL will work with industry groups to make sure the guidelines are practical. Finalized consent guidelines will be published in January 2020.

Companies will then have six months to get themselves sorted before the new guidelines will be enforced. In the meantime, the 2013 consent recs, which allow implied consent, will continue to apply.

The CNIL’s willingness to work with industry representatives appears to acknowledge the lack of clarity in the law as it stands.

Consent under GDPR needs to be affirmative, informed, specific, freely given and unambiguous. Preticked consent boxes or passively scrolling past a cookie notice doesn’t count as consent.

The CNIL’s existing 2013 guidelines, however, allow for passive consent as long as visitors are given clear information about the site’s cookie policy, usually in banner form, along with the opportunity to opt out of tracking. Most websites continue to operate in this way.

These now outdated guidelines were created with the ePrivacy Directive in mind, which ushered in all of those pop-up banners you see every time you hit a European website alerting you that simply by visiting the site you accept the use of cookies.

The ePrivacy Directive was meant to have been updated and replaced with an ePrivacy Regulation back when the GDPR was first coming into force in May of last year. That still hasn’t happened yet, which is partly why many data protection authorities, unlike the CNIL, have yet to take steps to update their country’s own outmoded cookie policies.

In a recent interview with French publication Journal Du Net, the CNIL’s secretary general, Jean Lessi, noted that, because the ePrivacy Regulation will likely not be finalized in 2019, there is “urgency” to update the commission’s stance on the use of cookies to bring it in line with GDPR.

The CNIL and IAB France did not respond in time for publication.