June 30, 2022

How to have a GDPR-compliant cookie banner

Ensure that the cookie banner complies with recent CNIL instructions on cookies and trackers. Learn more about it here!

Following the publication of the CNIL guidelines on cookies and trackers, a number of criteria must be met to ensure that your cookie banner is compliant.

What is a cookie or tracker?

While you browse the Internet, various actors track your habits of consultation, consumption, movement, navigation, and so on, purely for profit. Placing cookies on your device allows companies to provide so-called “targeted” advertisements or other personalized services based on your behavior. All this collected data is a gold mine and is subject to various laws.


However, some cookies are exempt from consent because they are considered “essential” or “technical” and are necessary for the proper functioning of the website. An “Analytics” type of cookie, for example, cannot legally be considered essential.

Who is responsible?

It is mandatory to collect consent and inform users about the purpose of the data collected via a GDPR-compliant cookie banner. The following actors are responsible:

  • Publishers of websites and mobile applications
  • Advertising agencies
  • Social networks

What does the law say?

When users visit a website, they must be informed and give their consent before cookies or other trackers are placed or read (unless these are exempt from consent). This is done through a cookie banner, which must comply with the GDPR and the CNIL’s recommendations.

Users must be clearly and fully informed about the purpose of the information stored on their equipment. Visitors must also be able to refuse it in a simple way. In practice, this means a “refuse all” option presented in the same way as the “accept all” option on the banner. A common error is the absence of this button, which is mandatory; without it, the banner is useless and not GDPR compliant.

Collecting valid consent on your cookie banner requires meeting a number of requirements:

  • First of all, the end user must be clearly informed. This option must be clearly presented at the time of the user's choice.
  • Simple and understandable wording must be used.
  • A brief description is tolerated for reasons of display and clarity, but it is strongly recommended to offer a more complete and detailed description, for example in a cookie policy, which needs to be updated regularly.
  • You should also give the visitor the opportunity to consent by a “clear positive act”. The CNIL also recommends not using “misleading design practices”. An example would be an ultra-visible “Accept All” button and a hidden “Decline All” button at the top right: definitely not recommended and not GDPR compliant!
  • Allow choice by purpose. It is recommended to obtain specific consent for each purpose, as offered for example by the SP cookie banner and its preference center.
  • Exercising these choices must be equally simple. The visitor's choice must “in principle” be recorded so that they are not asked to provide it again. The SP solution with its consent management tool allows you to record each consent independently and in compliance with the GDPR.
  • The user must also be able to reverse their decision at any time. For this, the CNIL recommends, for example, a link at the bottom of the page or a cookie management button available at any time on the page, as SP offers with its Trust Badge.

All these recommendations are governed by a clearly defined legal framework:

  • Article 5(3) of Directive 2002/58/EC, amended in 2009, lays down the principle.
  • Article 82 of the Data Protection Act transposes these provisions into French law.
  • Article 29 of Ordinance No. 2018-1125 of December 12, 2018
  • GDPR Articles 4(11) and 7
  • The guidelines of September 17, 2020

In 2021, the CNIL checked compliance with the points mentioned above more than ever, and also sanctioned unscrupulous companies. More than 14,000 complaints have been filed, and this number keeps increasing.

It is essential to act with restraint and caution when processing personal data. Some companies are showing initiative by adopting “Privacy by Design” approaches. All these elements help to improve trust and transparency with visitors. In addition to the legal aspect, it is a civic act of respect.

For more details on how your cookie banner must comply with the GDPR