Our article of July 24 addressed the central issue of consent as posed by the CNIL in its guidelines on cookies and other trackers. This article analyzes the other points of those guidelines.

The roles and responsibilities of the actors

The CNIL considers that third parties using trackers will be fully and independently responsible for the trackers they implement, which means that they will have to independently assume the obligation to obtain users' consent.
In the case of joint responsibility, where the controllers jointly determine the purposes and means of the processing, the Commission recalls that under Article 26 of the European General Data Protection Regulation (GDPR), they will have to define in a transparent manner their respective obligations for the purpose of ensuring compliance with the requirements of the GDPR, in particular as regards the collection and demonstration, where applicable, of valid consent.
An actor is qualified as a processor if it registers information and/or accesses information stored in a subscriber's or user's terminal equipment exclusively on behalf of a controller and without reusing the data collected via the tracker on its own behalf. The Commission recalls that if a processing relationship is established, the controller and the processor must draw up a contract or other legal act specifying the obligations of each party, in compliance with the provisions of Article 28 of the GDPR.

Terminal settings

Article 82 of the French Data Protection Act (LIL) of January 6, 1978 specifies that consent may result from appropriate settings of the person's connection device or any other device under his or her control.
The Commission considers that these browser settings cannot, given the state of the art, allow the user to express valid consent. The CNIL thus calls an article of the law into question by arguing that the state of the art is not mature enough to ensure valid consent through a browser setting. There is no doubt that this position will make further adjustments necessary, whether legislative or at the level of the supervisory authority.

The specific case of audience measurement trackers

The CNIL considers that processing operations that meet the following conditions may be exempted from the requirement to obtain consent:

  • They are implemented by the publisher of the site or by its processor;
  • The person must be informed prior to their implementation;
  • The person must have the option of objecting through an objection mechanism;
  • The purpose of the system must be limited to measuring the audience of the content viewed, to segmenting the website audience into groups of people in order to evaluate the effectiveness of editorial choices, without this leading to the targeting of a single person and to the dynamic modification of a site in a global way. The personal data collected must not be cross-referenced with other processing (e.g., customer files or statistics on visits to other sites) or transmitted to third parties. The use of trackers must also be strictly limited to the production of anonymous statistics. Its scope must be limited to a single site or mobile application publisher and must not allow the tracking of the navigation of the person using different applications or browsing different websites;
  • The use of the IP address to geolocate the Internet user must not provide information more precise than the city. The collected IP address must also be deleted or anonymized once the geolocation is done;
  • The trackers used by these processing operations must not have a lifespan exceeding thirteen months, and this lifespan must not be automatically extended during new visits. The information collected through the trackers must be kept for a maximum period of twenty-five months.

With this new deliberation, the CNIL repeals its deliberation n° 2013-378 of December 5, 2013 and thus modifies its doctrine on cookies and other trackers.

Next steps

After consultation with professionals and civil society over the next few months, followed by a public consultation, a final recommendation will be published in March 2020. An adaptation period of six months from the publication of the future recommendation will give the players time to integrate the new rules. Ideally, but without any guarantee, this doctrinal turnaround will coincide with the final version of the ePrivacy regulation, currently being drafted by the European Council under the Finnish Presidency. Indeed, too much regulation and the political will to create European digital champions may not go well together.