The Commission Nationale Informatique & Libertés (CNIL) is the French data protection agency. What exactly is CNIL? What should you do about it? Learn more about it right here!
What Is CNIL?
CNIL stands for Commission Nationale de l’informatique et des Libertés, the French national data protection authority. The French Data Protection Act of January 6, 1978 established CNIL France as an independent administrative authority responsible for ensuring the protection of personal data in computer files and processing operations, both public and private.
They have the authority to enforce the data protection laws in France, which means they enforce:
- French Data Protection Act
- GDPR
- ePrivacy Directive
They receive complaints about business non-compliance and may levy fines in cases of law violations.
Why Was the CNIL Established?
The CNIL was established in response to public outrage over the SAFARI program, a plan devised by the French government to assign a unique identifier to each French citizen and use that number to link all government records. This program sparked public concern that the entire French population would soon be recorded in files. This prompted the establishment of the CNIL in order to ensure that any advances in information technology were respectful of privacy, individual rights, and public liberties.
What Are the CNIL Cookie Guidelines?
On July 18, 2019, the CNIL published guidelines for the use of cookies and similar technologies (“Guidelines”) in France in order to align the rules with the EU General Data Protection Regulation ("GDPR"). However, the guidelines were partially annulled by the Highest Administrative Court of France (the “Conseil d’Etat”) on June 19, 2020. Notably, the Conseil d’Etat repealed the Guidelines provision that imposed an absolute ban on "cookie walls," which prevent users who do not consent to the use of cookies from accessing a website or mobile app. On the same day, CNIL issued a statement announcing that the Guidelines would be revised in accordance with the Conseil d'Etat's decision.
On October 1, 2020, CNIL published a revised version of the Guidelines, as well as its final recommendations on the practical modalities for obtaining users’ consent (“Recommendations”) and a set of questions and answers about the recommendations (“FAQs”).
To Whom Do CNIL Cookie Guidelines Apply?
The CNIL cookie guidelines apply to you if your business:
- is based in France and French territories overseas
- collects and/or processes personal data of French citizens and residents, as well as residents of French territories overseas
Basically, these are the same applicability principles as in the GDPR.
What Is the CNIL's Position on Cookie Walls?
Cookie walls are mechanisms that prevent users from accessing website content if they do not accept cookies and other tracking technologies. When confronted with a cookie wall, the user has the option of accepting the cookies or exiting the website.
The CNIL does not completely prohibit cookie walls. Cookie walls are permissible and legal in certain circumstances. Their legality must be determined on a case-by-case basis. When cookie walls are used, you have to ensure that you provide the user with clear information about the consequences when the user accepts or denies consent and, in particular, information about the impossibility of accessing the content or service without consent must be provided.
Rejection Or Withdrawal Of Consent
According to the Guidelines, users must be able to refuse consent to the use of cookies as easily as they can accept them. Users' inaction or silence (such as scrolling through and browsing) must be interpreted as a refusal to use cookies.
Furthermore, users must have the right to withdraw consent at any time, and withdrawal must be as simple as giving consent.
CNIL recently imposed hefty fines on Google and Facebook for failing to provide an equivalent solution (button or other), allowing Internet users to easily refuse the use of cookies. CNIL noted that refusing all cookies required several clicks as opposed to accepting them with a single click. As a result, Google received a sanction of 150 million Euros, while Facebook received a sanction of 60 million Euros.
Criteo, a global advertising technology company, has also been fined EUR 40 million by the French data protection authority for violating the General Data Protection Regulation (GDPR).
What Does the CNIL Say About Cookie Exemptions?
As a general rule, prior to deploying cookies on users' devices, users' consent must be obtained for each category or purpose of cookies. However, some cookies are exempt from the consent requirement. These are cookies that are strictly necessary for the website's operation and for the provision of services requested by users. The strictly necessary cookies are listed as below:
- cookies that store the user's preference for cookie use;
- cookies used for service authentication (i.e., to improve the security of the authentication mechanism, such as by limiting robotic or unexpected access attempts);
- cookies designed to save the contents of a user's shopping cart on a merchant website or to bill the user for the products or services purchased;
- cookies used for user interface customization (i.e., language selection), when such customization is an inherent and expected part of the service;
- cookies that enable the load balancing of the equipment used in a communication service;
- cookies that enable paying websites to limit free access to a sample of content requested by users.
Furthermore, the Guidelines state that cookies used for audience measurement (i.e., analytics cookies) may be exempted from the consent requirement in certain circumstances. However, it must be noted that Google Analytics is treated differently from other analytics cookies. The CNIL recognizes cookies used for website traffic or performance analysis as necessary for a website's proper and effective operation. It enables the use of analytics cookies as long as they are only used to generate anonymous or aggregated statistical data and are not combined with other data or used to identify users.
Other CNIL recommendations
In addition to the CNIL cookie guidelines, the French DPA provided recommendations for following the cookie guidelines. The following are some of the most salient points from the CNIL recommendations:
- Before presenting individuals with the option to accept or reject cookies, the cookie consent banner must provide information about the purpose of cookies or the cookie category.
- The purpose of the cookie or the cookie category must be presented with a brief and highlighted title, followed by a brief description of the purpose.
- The consent banner must include a link that points to a page (which can be privacy or cookie policy page) that contains detailed information about the data controllers, processors, and third parties.
- The "Accept All” and “Reject All” buttons must be at the same level and prominence.
- The cookie opt-in option must not include pre-ticked boxes or pre-activated toggle switches. If a user does not take any action or misses these options, the website should not load the cookies.
- Allow users to provide consent for different cookie categories separately. It is possible to do so by using a “settings/customize/preference” button or link.
- The website must keep consent choices, whether accepted or rejected, for at least 6 months so that it does not ask for consent every time the same user visits.
CNIL Cookie Banner Examples
In its cookie recommendations, the CNIL has made several design recommendations for cookie banners.
1. The option of providing granular consent may be provided on a second level of information via a "Personalize my choices" button inserted on the same level of information (first level) as the "Accept all" and "Refuse everything" buttons.
2. The user can refuse to deposit and read trackers by clicking "Continue without accepting."
3. Purpose details can be found by clicking on a hyperlink on the first level of information.
4. The detail of the purposes is available via a drop-down button on the first level of information that the user can activate.
5. A "Manage my cookies" icon located at the bottom left of the screen can be used to manage and withdraw consent.
Checklist for CNIL recommendations
The checklist below will help you stay in compliance with the CNIL cookie guidelines.
▢ Create a cookie consent banner to collect users’ consent to use cookies
▢ Do not place cookies without first obtaining consent, except for essential cookies
▢ Have a “settings/customize/preference” button or link to allow users to choose what they consent to and to stay informed about cookies or cookie categories
▢ Collect consent for each category of processing
▢ To be on the safe side, avoid using cookie walls
▢ Provide explicit information about the use of cookies, as well as the purposes for which they are used
▢ If you use analytics cookies, you can place them without asking for consent only if they collect anonymous statistical data.
▢ Provide “accept all” and “reject all” options, as well as any other mechanism for accepting or refusing cookies in the same manner and with equal prominence.
▢ Provide a setting or link to revert the banner or revoke consent.
▢ Maintain logs of the user consent choice.
How To Comply With The CNIL Cookie Guidelines?
Using a cookie consent management solution is a good practice that will provide you with peace of mind.
Secure Privacy’s CNIL solution is compliant with the GDPR and the CNIL Cookie guidelines.
How Secure Privacy Helps Businesses Comply With CNIL’s Cookie Guidelines
Secure Privacy comes packed with enterprise-level features that will help you fully comply with CNIL’s cookie guidelines and the GDPR in general.
Read our blog to get a simplified breakdown of the latest EDPB Cookie Consent Guidelines.
The main features are:
- Advanced ongoing website scanning which allows you to see all of the cookies on your website
- Cookie consent banners that are highly customizable and stylish, with a universal preference center for users to opt-in and opt-out of the cookies and other tracking technologies
- Unique cross-domain consent capability that allows your users to manage their cookie preferences across different domains in a single step
- A privacy policy generator that automates the creation of your cookie notice in order to meet GDPR disclosure requirements
- Over 70 languages supported
- Real-time logs and consents tracking to ensure you maintain records of the consent you receive from users in case CNIL requests it
- A future-proof GDPR compliance solution that is also compliant with CCPA in California and LGPD in Brazil.
Book a call today if you would like more information about Secure Privacy and GDPR Cookie Consent compliance, or if you would like our data protection expert to perform a quick 'check-up' of your website, cookie consent banner, or cookie policy.
Alternatively, you can sign up for a free trial of our complete GDPR compliance solution here.
Relevant Links
CNIL Cookie Guidelines (available in French)
CNIL Recommendations (available in French)
CNIL FAQs on Cookies (available in French)
