The French Data Protection Authority (DPA), CNIL, released its updated cookie guidelines in October 2020 to help businesses comply with GDPR cookie consent requirements.
CNIL’s latest consent guidelines are a follow-up to the initial guidance provided by the French regulator in July 2019, which came in the wake of the General Data Protection Regulation taking effect in the EU on May 25, 2018.
The French cookie guidelines follow in the footsteps of other European DPAs that have published similar requirements to help businesses obtain valid GDPR consent for their data processing activities. They include:
What is CNIL?
CNIL stands for Commission nationale de l’informatique et des libertés, which is the French national data protection authority.
It has the power to enforce the data protection laws in France, which means it enforces:
- French Data Protection Act
- ePrivacy Directive
It receives complaints about non-compliance by businesses and may issue fines for violations of these laws.
Aside from that, the CNIL publishes guidelines on certain data protection questions in order to clarify the subject matter and help businesses comply more easily. The cookie guidelines are one of those documents.
To whom do the CNIL cookie guidelines apply?
CNIL cookie guidelines apply to you if your business:
- Is based in France or the French overseas territories
- Collects and/or processes personal data of citizens and residents of France or the French overseas territories
Basically, these are the same applicability principles as in the GDPR.
Generally speaking, there are two types of cookies: essential and non-essential.
Essential cookies are necessary for the functioning of the website or the app. Without them, the website or app will not work properly. That’s why you can use these cookies freely.
Non-essential cookies are not necessary for the website or app to function. The user could use the website without these cookies, therefore they are not essential. If you want to use such cookies and tracking technologies, you must obtain the user’s consent. If they agree, you can place them on their devices.
How to ask for consent?
- The consent must be unambiguous. You have to show an ACCEPT and REJECT button. Showing only the ACCEPT button is not enough. You need affirmative action by the user.
- The consent must be specific. You have to obtain consent for each purpose of data collection. This means that if you have obtained consent for analytics purposes, you need a new consent for data collection for marketing purposes.
Do I have to include a REJECT button?
Yes, you have to. It doesn’t necessarily have to use the word REJECT, but it should be a button that makes it clear that the user has refused the non-essential cookies.
Rejecting the cookies should be equally as easy as accepting the cookies.
Also, you have to make sure that the button for cookie rejection is easily visible.
Which cookies can be used without consent?
You can use essential cookies without users’ consent. Essential cookies are necessary for the proper functioning of the website or app. This may include cookies for website navigation, cookies that remember the shopping cart choices, etc.
In general, a cookie is essential if it is necessary for getting the service from a user’s perspective.
How does CNIL treat analytics cookies?
CNIL has a favorable stance on analytics cookies. They are allowed as long as:
- Users can easily opt-out of such cookies
- The cookies’ purpose is only measuring the website audience (not remarketing as is the case with Google Analytics), and
- The analytics cookies produce only anonymous results.
To comply with the GDPR, however, you still need consent for the use of analytics cookies.
What if the user refuses the cookies?
If the user refuses the cookies, you must not use them.
Of course, you can still use essential cookies freely, but nothing more than that.
If the user refuses the cookies, can we ask for cookie consent from the same user again in the future?
Yes, you can ask for consent again, but under certain conditions. These conditions are not clear. CNIL only hints at what they could be, but doesn’t provide a straightforward answer, leaving it to you to decide on a case-by-case basis.
In general, you should save users’ choices. If the user refuses the cookies when they first arrive on the website, you should not ask them again while browsing from page to page.
A good practice, according to CNIL, is to save these choices for up to 6 months. However, if you find that requesting consent again sooner fits the website’s purpose, then you can request consent again sooner.
What if the user neither accepts nor refuses the cookies?
Does browsing the website mean giving consent?
No, browsing the website doesn’t mean consent for non-essential cookies.
Remember that consent is obtained only through the user’s affirmative action. Browsing a website is not an affirmative action, hence it cannot be considered lawful consent.
What if the user wants to withdraw their previously given consent?
If the user wants to withdraw the consent they have given to you, you must allow them to do so.
You have to enable users to withdraw consent as easily as they gave it.
This means that if you have obtained consent through an easily visible cookie banner, then you must not hide the button for withdrawing consent in some corner of the website.
A good practice could be to include a visible “Manage my cookies” link or button, or to place a COOKIE button at the bottom of each page.
What’s the CNIL stance on cookie walls?
Similar to the EDPB, CNIL also forbids cookie walls.
Cookie walls are mechanisms denying users access to the website content without accepting the cookies and other tracking technologies. When presented with a cookie wall, the user has the choice between accepting the cookies and leaving the website.
Consent obtained that way is not freely given. It is conditional, and therefore not valid.
If I have obtained cookie consent for a domain, do I have to collect consent for the subdomains as well?
No, that’s not necessary. Obtaining the user’s consent for a domain means consent for subdomain cookies as well.
However, if you use different types of cookies on your subdomains and domain, do not forget to obtain consent for each specific type.
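The points above (per-purpose consent, no consent without an affirmative choice, a choice kept for up to 6 months, withdrawal as easy as acceptance, and one decision covering the domain and its subdomains) can be implemented as a small consent-state module. This is an added example, not code from the original post or from Secure Privacy; the cookie name, the purposes and the domain are assumptions, and it runs in Node against a Cookie header string (in a browser you would read and write document.cookie instead).

```javascript
// Added example (not from the original post). Helpers that store and read a
// CNIL-style cookie consent decision. Assumptions: cookie name, purpose list,
// and the domain passed by the caller.
const CONSENT_COOKIE = "cnil_consent";          // assumed cookie name
const PURPOSES = ["analytics", "marketing"];    // assumed non-essential purposes
const SIX_MONTHS_S = 182 * 24 * 60 * 60;        // CNIL "up to 6 months" retention

// Build the Set-Cookie value once the user has clicked ACCEPT or REJECT.
// `choices` is per purpose (consent must be specific); any purpose the user did
// not explicitly accept is recorded as refused. `decidedAt` is Unix time in ms.
function buildConsentCookie(choices, decidedAt, domain) {
  const record = { decidedAt, choices: {} };
  for (const p of PURPOSES) record.choices[p] = choices[p] === true;
  const value = encodeURIComponent(JSON.stringify(record));
  // A Domain attribute such as .example.com makes one decision cover subdomains.
  return `${CONSENT_COOKIE}=${value}; Max-Age=${SIX_MONTHS_S}; Domain=${domain}; Path=/; Secure; SameSite=Lax`;
}

// Parse a Cookie header (or document.cookie). Returns null when there is no
// valid decision: merely browsing is not consent, so "no record" means refusal.
// A record older than 6 months is treated as absent, so the banner is shown again.
function readConsent(cookieHeader, now) {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(rest.join("=")));
      if (typeof record.decidedAt !== "number") return null;
      if (now - record.decidedAt > SIX_MONTHS_S * 1000) return null; // stale
      return record;
    } catch (e) {
      return null; // malformed cookie: fall back to "no consent"
    }
  }
  return null;
}

// Gate for loading a non-essential script: only an explicit true counts.
function hasConsent(record, purpose) {
  return record !== null && record.choices[purpose] === true;
}

// Withdrawal rewrites the record with every purpose refused, using the same
// one-step mechanism as acceptance.
function withdrawAll(decidedAt, domain) {
  return buildConsentCookie({}, decidedAt, domain);
}
```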
When does enforcement of the CNIL cookie guidelines begin?
You have to comply with these guidelines starting from March 2021. That’s the end of the transition period allowed by the CNIL.
After that, the agency will start taking corrective measures. According to the plans announced, it could issue fines for serious infringements of the guidelines.
How to comply with the CNIL cookie guidelines?
Using a cookie consent management solution is a good practice that brings peace of mind.
The Secure Privacy solution is compliant with the GDPR and the CNIL guidelines.
How Secure Privacy Helps Businesses Comply with CNIL’s Cookie Guidelines
Secure Privacy comes packed with enterprise-level features that help you fully comply with CNIL’s cookie guidelines and the GDPR overall.
The main features are:
- Advanced ongoing website scanning that lets you know all types of cookies you have on your website
- Highly customizable and stylish cookie consent banners with a universal preference center for users to opt in and out of cookies and other tracking technologies
- Unique cross-domain consent capability that allows your users to manage their cookie preferences across different domains in a single step
- Over 70 languages supported
- Logs and consents tracking in real-time to ensure you maintain records of the consent you receive from users in case it is requested by CNIL
- A future-proof GDPR compliance solution that also helps you comply with CCPA in California and LGPD in Brazil.
Alternatively, you can sign up for your free trial of our complete GDPR compliance solution here.
You might also be interested in:
Our detailed GDPR compliance guide
The ultimate guide to GDPR Cookie Consent Compliance