ORIEL would like to share with you information concerning the cookies regulation issued by the CNIL (the French data protection authority), as part of its action plan on online advertising targeting. All companies that communicate via a website are concerned, so don’t hesitate to take a few minutes to read this very relevant article!
The CNIL has issued a set of recommendations to help you comply with the regulations on the use of cookies. Although the CNIL is taking an educational approach, it does not intend to be lax. The CNIL states that it intends “to carry out controls to evaluate the application of the rules relating to trackers, in application of article 82 of the Data Protection Act and articles 4.11 and 7 of the GDPR on consent, as summarized in its guidelines”. ORIEL helps you demystify the cookies regulation.
The legal framework results from the e-Privacy Directive of 2002, amended in 2009. This text has been transposed into Article 82 of the French Data Protection Act and establishes the principle of prior consent from the user before storing information on his or her terminal or accessing information already stored on it.
The provisions of Article 82 of the Data Protection Act apply to all types of terminal used: computers, smartphones, digital tablets and video game consoles connected to the Internet as well as any other terminal equipment connected to a telecommunications network open to the public.
If you have a website for your company, you are de facto subject to the compliance obligation. This is a real and significant issue, as failure to comply with this regulation can result in very significant fines. For example, non-compliant digital giants such as Google and Amazon have been fined 100 and 35 million euros respectively. But such sanctions are no longer limited to large companies. On 14 June 2021, the company BRICO PRIVE, which specializes in DIY and gardening, was fined €500,000 by the CNIL’s review panel. In fact, any company with a website or mobile application that uses cookies may now be subject to a CNIL inspection and possibly a fine, which may represent 2% of your turnover. It is therefore urgent to comply, especially since the adaptation period granted by the CNIL expired on 31 March 2021. More than a year later, we can already see that a number of websites have updated their cookie banners! Your company is not in that club? Don’t worry! We have prepared this practical sheet on the essential aspects of cookies compliance.
First of all, when a user visits your website or mobile application, he or she must be informed of the use of cookies and must be able to accept or refuse cookies with the same degree of simplicity prior to the deposit or reading of cookies (Article 82 of the French Data Protection Act).
Consequently, the cookie banner must allow the user to consent to the deposit of cookies by a clear positive act. To do this, the CNIL recommends the integration of a “Refuse all” button in the same format as the “Accept all” button or the existence of a function allowing the user to refuse cookies by closing the cookie banner. In contrast, a “decline all” button that is transparent or smaller than the “accept all” button does not give the user browsing your website the same degree of simplicity in accepting or declining cookies. Also, the “set” option, frequently found on various websites, has the effect of discouraging the user from refusing cookies. Finally, the fact that the user continues browsing the website or application does not, according to the CNIL, constitute a positive act of consent to the deposit of cookies.
Regarding “cookie walls”, which make the user’s access to the website conditional on his/her consent to the collection of cookies, the French Administrative Supreme Court (“Conseil d’Etat”) held that they cannot be forbidden in general, and that the assessment of free consent must be made on a case-by-case basis (decision of 19 June 2020). As this court decision raises questions about “free consent”, the CNIL published recommendations. There must be a “real and fair alternative” that allows the user to access the website without having to consent to cookies. The alternative of paying a sum of money is not prohibited, but the price must be reasonable.
The European Data Protection Board published guidelines concerning “Dark patterns” on social networks in March 2022. Some elements apply to any website, in particular regarding cookies. On that subject, the Board considers that humour in the cookie information and consent banner may misinform the Internet user and overshadow the content related to personal data. The example cited concerned a pun with cookies in baking. Information provided to users must be clear, visible, and distinct from other types of content. It is likely that the CNIL will use this analysis as a reference.
At the same time as consent is obtained, the user must be able to know the purposes for which cookies are used (Article 13 of the GDPR). We advise you to set up a cookies banner appearing on the home page of your website, the content of which details the purposes for which cookies are deposited on users’ devices. When there are several processing operations responding to distinct purposes, the Internet user must be able to consent to each of the purposes. We strongly advise you not to be satisfied with the words “this site uses cookies” or “cookies are used to improve the efficiency of the services offered to you”, which are considered insufficient by the CNIL.
In addition, if the data you collect through cookies is intended for a third party, such as a data controller, be sure to inform the user of this.
Afterwards, remember to inform the user of their right to withdraw their consent easily and at any time!
Finally, use clear and simple terms that a user without technical or legal knowledge can understand.
The consent requirement does not apply to all cookies. Certain types of cookies are exempted from these obligations, in particular those which:
have the sole purpose of enabling or facilitating communication by electronic means or,
are strictly necessary for the provision of an online communication service expressly requested by the user.
It is recommended to provide information about the use of these cookies. Among these uses, the CNIL cites:
Beware: the processing of this personal data remains subject to the GDPR. Therefore, we advise you to check with the developer of your tool that he/she is contractually committed not to re-use the data that has been collected.
You should also be aware of any data transfers outside of the European Union that may be made by your solution-provider. Not all countries outside the European Union have an adequacy decision demonstrating a protection equivalent to that provided by the GDPR. A transfer of personal data must be supervised to guarantee protection of that data.
Finally, make sure that these cookies are only used to produce anonymous statistical data, and that the personal data collected cannot be cross-linked with other processing or transmitted to third parties, as these operations are not necessary for the functioning of the service.