CNIL Guidelines On Cookies And Other Trackers
Published date | 21 December 2020 |
Subject Matter | Privacy, Data Protection |
Law Firm | Arent Fox LLP |
Author | Miss Eva Pulliam and Christine Chong |
The Commission nationale de l'informatique et des libertés (CNIL) is the national data protection authority in France.
Recently, it announced new guidance on cookies and online trackers (Guidelines). Operators of websites and devices, such as tablets or computers, (Operators) that fall under CNIL's authority are required to comply with these Guidelines. CNIL has authority over information systems that process personal data in France. For Operators that process personal data across multiple member states, additional data protection authorities may have jurisdiction as well. Other Operators will benefit from reviewing the requirements for best practice purposes.
Scope
The Guidelines are particularly applicable to Operators' use of HTTP cookies, as well as other technologies such as:
- Local shared objects frequently referred to as "Flash cookies;"
- Local storage;
- Fingerprinting identifications;
- Identifiers generated by operating systems, such as an Android ID; and
- Hardware identifiers, such as a MAC address.
These are most commonly used on websites, as well as devices, such as connected televisions and other devices connected to the Internet. Further, the Guidelines will apply to all Operators that process data for French residents.
Cookie Walls
France's court ruling from earlier this year held that CNIL cannot completely forbid "cookie walls," which are website designs that require a user to accept cookies before being able to access the contents of the website. However, CNIL has edited its Guidelines to state that the lawfulness of cookies walls must be assessed on a case-by-case basis. In the event that a cookie wall is used, the user should be clearly notified that it is impossible to access content without consent. Otherwise, the cookie wall or banner should shortly go away, so it does not interfere with the user's access to the content or otherwise sway the user to consent.
Accept and Deny Options
CNIL states the following for ensuring appropriate consent is received:
- Equal Accessibility. In line with similar statements from other regulators, CNIL emphasizes that a "deny" or "refuse" option must be as equally accessible as an "accept" option when collecting consent.
- Design. The design of the consent options are also important, so the "deny" option should be just as large and prominent as the "accept" option The formatting for each option should be identical or equivalent Universal "accept all" or "refuse all" options are acceptable to capture...
To continue reading
Request your trial