A look back at the adoption of the CNIL guidelines recalling the law applicable to read and write operations on a user's terminal, and in particular the use of cookies and other trackers.

The National Commission for Information Technology and Civil Liberties (CNIL) is responsible for ensuring compliance with the provisions of the French Data Protection Act (LIL) of January 6, 1978, as well as other texts such as the European General Data Protection Regulation (GDPR) or the ePrivacy Directive 2002/58/EC, transposed into French law by Article 82 of the LIL.

On July 19, 2019, the French Official Journal published the CNIL's deliberation no. 2019-093 of July 4, 2019, adopting guidelines that recall the law applicable to read or write operations on a user's terminal, and in particular the use of cookies and other tracers ("local shared objects", "local storage" implemented within HTML 5, identification by calculating the terminal's fingerprint, identifiers such as IDFA, IDFV, Android ID, IP address, and hardware identifiers such as MAC address, serial number or any other device identifier).

Article 82 of the law states that any user of an electronic communications service must be informed by the controller, in a clear and complete manner, of:

  • The purpose of any action tending to access, by electronic transmission, information already stored in the terminal equipment (tablet, smartphone, fixed or mobile computer, video game console, connected television, connected vehicle, voice assistant, etc.), or to enter information into this equipment
  • The means at his disposal to oppose it

It is important to note that for the CNIL, the aforementioned Article 82 applies regardless of whether the data concerned is personal or not.

Such access or writing can only take place if the subscriber or user has expressed his or her consent after having received this information. We analyze the CNIL's position on this issue in detail below.

Methods of collecting consent

The CNIL indicates that tracers requiring consent cannot be written or read until the user has expressed his or her will to that end, in a free, specific, informed and unambiguous way, by a declaration or a clear positive act.

The free nature of consent

Consent can only be valid if the data subject is able to validly exercise his or her choice and does not suffer major inconvenience in the event of the absence or withdrawal of consent. Thus, the CNIL recalls the May 2018 position of the European Data Protection Committee (EDPS), which states that the practice of blocking access to a website or mobile application for anyone who does not consent to being tracked is not compliant with the GDPR. This is an important position that will have major consequences, since even a refusal to accept cookies and other trackers will not be able to prevent further browsing.

The data subject must be able to give consent independently and specifically for each separate purpose. Offering the individual the opportunity to consent in aggregate is acceptable, provided that it is in addition to, and not in place of, the opportunity to consent specifically for each purpose.

Informed consent

The information must be written in simple and understandable terms for all, and it must allow users to be fully informed of the different purposes of the tracking used. It must be complete, visible, and highlighted at the time of consent. A simple reference to the general conditions of use is not sufficient.
The information that must be brought to the attention of users before consent is collected, pursuant to Article 82, is at least the identity of the data controller(s), the purpose of the data reading or writing operations and the existence of the right to withdraw consent.

In order for consent to be informed, the user must be able to identify all the entities that use tracking devices before being able to consent. Thus, the exhaustive and regularly updated list of these entities must be made available to the user directly at the time of consent.

The unambiguous nature of consent

The CNIL emphasizes that consent must be manifested through a positive action by a person who has previously been informed of the consequences of his or her choice and has the means to exercise it. Thus, and this is a new and important position of the CNIL, continuing to browse a website, using a mobile application or scrolling the page of a website or a mobile application does not constitute a clear positive action that can be treated as valid consent. The vast majority of French websites will therefore have to modify their cookie management solution by not allowing browsing without action on the accept or refuse buttons.
In the same way, the use of pre-checked boxes, as well as the global acceptance of general terms of use, cannot be considered as a clear positive act of consent.

Proof of consent

Organizations operating tracking systems must implement mechanisms enabling them to demonstrate, at any time, that they have validly collected users' consent. In the event that these organizations do not themselves collect consent from individuals, the CNIL points out that such an obligation cannot be fulfilled by the mere presence of a contractual clause committing one of the organizations to collect valid consent on behalf of the other party.

It must be as easy to refuse or withdraw consent as it is to give it. This means, among other things, that individuals who have given consent to the use of tracking devices must be able to withdraw it at any time.

With this new deliberation, the CNIL repeals its deliberation no. 2013-378 of December 5, 2013 and thus modifies its doctrine on cookies and other tracers.

After consultation with professionals and civil society over the next few months, followed by a public consultation, a final recommendation will be published in March 2020. An adaptation period of six months from the publication of the future recommendation will be granted to the organizations concerned to give them time to integrate the new rules. Ideally, but without any guarantee, this doctrinal turnaround will coincide with the final version of the ePrivacy regulation, currently being drafted by the European Council under the Finnish Presidency. Indeed, too much regulation and a political will to create European digital champions might not go well together.