December 1, 2020

CNIL Cookie Guidelines: How to Obtain Consent in 4 Easy Steps

This article explores the CNIL Cookie Guidelines published in October 2020.

The CNIL Cookie Guidelines published in October 2020 come in the wake of several EU Data Protection Authorities updating their compliance requirements to help businesses meet GDPR cookie consent obligations.

The latest consent guidelines from CNIL, the French DPA, are a follow-up to the initial guidance provided by the French regulator in July 2019, which came in the wake of the General Data Protection Regulation being adopted in the EU on May 25, 2018.

Other European DPAs that have published similar requirements to help businesses obtain valid GDPR consent for their data processing activities include:

  • Irish Data Protection Commission
  • The Belgian Data Protection Authority
  • Germany’s DSK
  • Spanish AEPD Cookie Guidelines: The Ultimate Guide
  • The Dutch DPA's Cookie Consent Guidelines
  • Greek DPA Cookie Consent Guidelines

What is CNIL?

CNIL stands for Commission nationale de l’informatique et des libertés, which is the French national data protection authority.

They have the power to enforce the data protection laws in France, which means they enforce:

  • French Data Protection Act
  • GDPR
  • ePrivacy Directive

They receive complaints about non-compliance of businesses and may issue fines in the case of violations of the laws.

Aside from that, the CNIL publishes guidelines on certain data protection questions in order to clarify the subject matter and help businesses comply easily. The cookie guidelines are one of those documents.

To whom do the CNIL Cookie Guidelines apply?

CNIL cookie guidelines apply to you if your business:

  • Is based in France and French territories overseas
  • Collects and/or processes personal data of citizens and residents of France and French territories overseas

Basically, these are the same applicability principles as in the GDPR.

Can I use cookies and other tracking technologies?

Yes, you can use cookies, but only if you meet the legal requirements set out by the applicable laws. If you don’t meet these requirements, using cookies and other tracking technologies is a violation of the laws.

Generally speaking, there are two types of cookies: essential and non-essential.

Essential cookies are necessary for the functioning of the website or the app. Without them, the website or app won’t work properly. That’s why you can use these cookies freely.

Non-essential cookies are not necessary for website or app functioning. The user could use the website without the cookies, therefore they are not essential. If you want to use such cookies and tracking technologies, you must obtain the user’s consent. If the user agrees, you can place the cookies on their device.

How Do I Ask for Consent in Compliance with CNIL Cookie Guidelines?

CNIL focuses more on what you must not do. Taking that into account, you have to obtain users’ consent for the use of cookies and tracking technologies in the same way you obtain it according to the GDPR. This means that you have to meet the following requirements:

  • The consent must be given freely. The user should be free to choose whether to give you consent or not. In addition, you must not put a wall between the content and the user’s consent for the use of cookies, nor can you bundle it with the Terms of Use.
  • The consent request must be well informed. This means that you must inform the user about your privacy practices at the moment of the request. Informing them that you use cookies and presenting them with a link to your privacy policy is a good way to do this.
  • The consent must be unambiguous. You have to show an ACCEPT and REJECT button. Showing only the ACCEPT button is not enough. You need affirmative action by the user.
  • The consent must be specific. You have to obtain consent for each purpose of data collection. This means that if you have obtained consent for analytics purposes, you need a new consent for data collection for marketing purposes.

According to the CNIL Cookie Guidelines, do I have to include a REJECT button?

Yes, you have to. It doesn’t necessarily have to use the word REJECT, but it should be a button that makes it clear that the user has refused the non-essential cookies.

Rejecting the cookies should be as easy as accepting them.

Also, you have to make sure that the button for cookie rejection is easily visible.

What cookies can be used without consent under the CNIL Cookie Guidelines?

You can use essential cookies without users’ consent. Essential cookies are necessary for the proper functioning of the website or app. This may include cookies for website navigation, cookies that remember the shopping cart choices, etc.

In general, a cookie is essential if it is necessary for getting the service from a user’s perspective.

How does CNIL treat analytics cookies?

CNIL has a favorable stance on analytics cookies. They are allowed as long as:

  • Users can easily opt out of such cookies,
  • The cookies’ purpose is only measuring the website audience (not remarketing as is the case with Google Analytics), and
  • The analytics cookies produce only anonymous results.

To comply with the GDPR, however, you still need consent for the use of analytics cookies.

Can we rely on browser settings for use of cookies?

No, CNIL explicitly says that relying on the browser settings is not acceptable. Many users do not know how to set the browser settings to accept or refuse cookies, therefore this doesn’t count as an informed request.

What if the user refuses the cookies?

If the user refuses the cookies, you must not use them.

Of course, you can still use essential cookies freely, but nothing more than that.

If the user refuses the cookies, can we ask for cookie consent from the same user again in the future?

According to the CNIL Cookie Guidelines, yes, you can ask for consent again, but under certain conditions. These conditions are not clear. CNIL just implies what they could be, but doesn’t provide a straightforward answer, leaving it to you to decide on a case-by-case basis.

In general, you should save users’ choices. If the user refuses the cookies when they first arrive on the website, you should not ask them again while browsing from page to page.

A good practice, according to the CNIL cookie guidelines, is to save these choices for up to 6 months. However, if you find that requesting consent again sooner fits the website’s purpose, then you can request consent again sooner.

What if the user neither accepts nor refuses the cookies?

Under the CNIL cookie guidelines, silence means refusal. If the user remains on the website without reacting to your cookie banner, you must not use cookies because the user has not provided consent explicitly through an affirmative action.

Does browsing the website mean giving consent?

No, browsing the website doesn’t mean consent for non-essential cookies. Instead, the CNIL cookie guidelines treat this practice as a violation of GDPR cookie consent obligations.

Remember that you have obtained consent only upon the user’s affirmative action. Browsing a website is not an affirmative action, hence it cannot be considered lawful consent.

What if the user wants to withdraw their previously given consent?

If the user wants to withdraw the consent they have given to you, you must allow them to do so.

You have to enable users to withdraw their consent as easily as they gave it.

This means that if you have obtained the consent through an easily visible cookie banner, then you must not hide the button for withdrawing consent in some corner of the website.

A good practice could be to include a visible “Manage my cookies” link or button, or to place a COOKIE button at the bottom of each page.

What’s the CNIL stance on cookie walls?

Similar to the EDPB, CNIL also forbids cookie walls.

Cookie walls are mechanisms denying users access to the website content without accepting the cookies and other tracking technologies. When presented with a cookie wall, the user has the choice between accepting the cookies and leaving the website.

Consent obtained that way is not freely given. It is conditional and therefore not valid.

If I have obtained cookie consent for a domain, do I have to collect consent for the subdomains as well?

No, that’s not necessary. Obtaining the user’s consent for a domain means consent for subdomain cookies as well.

However, if you use different types of cookies on your subdomains and domain, do not forget to obtain consent for each specific type to guarantee your website's compliance with CNIL cookie guidelines.

When does enforcement of the CNIL cookie guidelines begin?

You have to comply with these guidelines starting from March 2021. That’s the end of the transition period allowed by the CNIL.

After that, the agency will start with corrective measures. According to the plans announced, they could issue fines for serious infringements of the guidelines.

How to comply with the CNIL cookie guidelines?

Using a cookie consent management solution is a good practice that brings peace of mind.

The Secure Privacy solution is compliant with the GDPR and the CNIL Cookie guidelines.

How Secure Privacy Helps Businesses Comply with CNIL's Cookie Guidelines

Secure Privacy comes packed with enterprise-level features that help you fully comply with CNIL's cookie guidelines and the GDPR overall.

The main features are:

  • Advanced ongoing website scanning which allows you to know all types of cookies you have on your website
  • Highly customizable and stylish cookie consent banners with a universal preference center for users to opt in and opt out of the cookies and other tracking technologies
  • Unique cross-domain consent capability that allows your users to manage their cookie preferences across different domains in a single step
  • A privacy policy generator that gives you an automated way to create your cookie notice to meet GDPR disclosure requirements
  • Over 70 languages supported
  • Logs and consents tracking in real-time to ensure you maintain records of the consent you receive from users in case it is requested by CNIL
  • A future-proof GDPR compliance solution that also helps you comply with CCPA in California and LGPD in Brazil.

If you would like to receive additional information about Secure Privacy and GDPR Cookie Consent compliance or to have our data protection expert carry out a quick ‘check-up’ of your website, cookie consent banner, or your cookie policy, book a call today.

Alternatively, you can sign up for your free trial of our complete GDPR compliance solution here.
