Become Compliant with GDPR & CNIL Cookie Guidelines

• Can I Use Cookies And Other Tracking Technologies?
• How Do I Ask For Consent?
• Do I Have To Include A REJECT Button?
• What Cookies Are Allowed To Use Without Consent?
• How Does CNIL Treat Analytics Cookies?
• Can We Rely On Browser Settings For Use Of Cookies?
• What If The User Refuses The Cookies?
• Can We Ask For Cookie Consent From The Same User Again In The Future?
• How to comply with the CNIL cookie guidelines?
• How Secure Privacy Helps Businesses Comply with CNIL's Cookie Guidelines

Yes, you can use cookies, but only if you meet the legal requirements set out by the applicable laws, which means you need the user's explicit consent. If you don’t meet these requirements, using cookies and other tracking technologies is a violation of the laws.

Generally speaking, there are two types of cookies: essential and non-essential.

Essential cookies are necessary for the functioning of the website or the app. Without them, they won’t be working properly. That’s why you can use these cookies freely.

Non-essential cookies are not necessary for website or app functioning. The user could use the website without the cookies, therefore they are not essential. If you want to use such cookies and tracking technologies, you must obtain the user’s consent. If they agree, you can send them to their devices.

CNIL focuses more on what you must not do. Taking that into account, you have to obtain users’ consent for the use of cookies and tracking technologies in the same way you obtain it according to the GDPR. This means that you have to meet the following requirements:

• The consent must be given freely. The user should be free to choose whether to give you consent or not. In addition, you must not put a wall between the content and the user’s consent for the use of cookies, nor can you bundle it with the Terms of Use.
• The consent request must be well informed. It means that you must inform the user of your privacy practices at the moment of the request. Informing them that you use cookies and presenting them with a link to your privacy policy is a good practice to do this.
• The consent must be unambiguous. You have to show an ACCEPT and REJECT button. Showing only the ACCEPT button is not enough. You need affirmative action by the user.
• The consent must be specific. You have to obtain consent for each purpose of data collection. This means that if you have obtained consent for analytics purposes, you need new consent for data collection for marketing purposes.

Yes, you have to. It doesn’t necessarily have to use the word REJECT, but it should be a button that makes it clear that the user has refused the non-essential cookies.

Rejecting the cookies should be equally as easy as accepting the cookies.

Also, you have to make sure that the button for cookie rejection is easily visible.

You can use essential cookies without users’ consent. Essential cookies are necessary for the proper functioning of the website or app. This may include cookies for website navigation, cookies that remember the shopping cart choices, etc.

In general, a cookie is essential if it is necessary for getting the service from a user’s perspective.

CNIL has a favorable stance on analytics cookies. They are allowed as long as:

• Users can easily opt-out of such cookies
• The cookies’ purpose is only measuring the website audience (not remarketing as is the case with Google Analytics), and
• The analytics cookies must produce only anonymous results.

To comply with the GDPR, however, you still need consent for the use of analytics cookies.

No, CNIL explicitly says that relying on the browser settings is not acceptable. Many users do not know how to set the browser settings to accept or refuse cookies, therefore this doesn’t count as an informed request.

If the user refuses the cookies, you must not use them.

Of course, you can still use essential cookies freely, but nothing more than that.

According to CNIL Cookie Guidelines, yes, you can ask for consent again, but under certain conditions. These conditions are not clear. CNIL just implies what they could be, but doesn’t provide a straightforward answer, leaving it to you to decide on a case-to-case basis.

In general, you should save users’ choices. If the user refuses the cookies when they first arrive on the website, you should not ask them again while browsing from page to page.

A good practice, according to CNIL cookie guidelines, is to save these choices for up to 6 months. However, if you find that requesting consent again sooner is fit to the website’s purpose, then you can request consent again sooner.

Using a cookie consent management solution is a good practice that brings peace of mind.

Secure Privacy solution is compliant with the GDPR and the CNIL Cookie guidelines.

Secure Privacy comes packed with enterprise-level features that help you fully comply with CNIL's cookie guidelines and the GDPR overall.

The main features are;

• Advanced ongoing website scanning which allows you to know all types of cookies you have on your website
• highly customizable and stylish cookie consent banners with a universal preference center for users to opt-in and opt-out of the cookies and other tracking technologies
• Unique cross-domain consent capability that allows your users to manage their cookie preferences across different domains in a single step
• A privacy policy generator that gives you an automated way to create your cookie notice to meet GDPR disclosure requirements
•  Over 70 languages supported
• Logs and consents tracking in real-time to ensure you maintain records of the consent you receive from users in case it is requested by CNIL
• A future-proof GDPR compliance solution that also helps you comply with CCPA in California and LGPD in Brazil.

If you would like to receive additional information about Secure Privacy and GDPR Cookie Consent compliance or to have our data protection expert carry out a quick ‘check-up’ of your website, cookie consent banner, or your cookie policy, book a call today.