31 May 2022

The CNIL has started to hunt down the cookie criminals!

Summary

ORIEL would like to share with you information concerning the cookies regulation issued by the CNIL (the French data protection authority), as part of its action plan on online advertising targeting. All companies that communicate via a website are concerned, so don’t hesitate to take a few minutes to read this very relevant article!

Foreword

The CNIL has issued a set of recommendations to bring you into compliance with the regulations on the use of cookies. Although the CNIL's approach is pedagogical, it does not intend to be lax. The CNIL states that it intends “to carry out controls to evaluate the application of the rules relating to trackers, in application of article 82 of the Data Protection Act and articles 4.11 and 7 of the GDPR on consent, as summarized in its guidelines”. ORIEL assists you in demystifying the cookies regulation.

What is the legal framework?

The legal framework results from the e-Privacy Directive (2002/58/EC), as amended in 2009. This text has been transposed into Article 82 of the French Data Protection Act and establishes the principle of prior consent from the user before any information is stored on his or her terminal, or any information already stored on it is accessed.

The provisions of Article 82 of the Data Protection Act apply to all types of terminal used: computers, smartphones, digital tablets and video game consoles connected to the Internet as well as any other terminal equipment connected to a telecommunications network open to the public.

What is the background?

If your company has a website, it is de facto subject to the compliance obligation. The stakes are real: failure to comply with this regulation can result in very significant fines. Google and Amazon, for example, were fined €100 million and €35 million respectively for non-compliant cookies. Such sanctions are no longer limited to large companies: on 14 June 2021, the CNIL’s restricted committee fined BRICO PRIVE, a company specialised in DIY and gardening, €500,000. Any company whose website or mobile application places cookies may now be subject to a CNIL inspection and possibly a fine, which may represent up to 2% of its turnover. Compliance is therefore urgent, especially since the adaptation period granted by the CNIL expired on 31 March 2021. More than a year later, many websites have already updated their cookie banners. Your company is not yet in that club? Don’t worry: we have prepared this practical sheet on the essential aspects of cookie compliance.

What needs to be brought into compliance

A. The user’s consent to the collection of cookies

First of all, before any cookie is placed on or read from the user’s device, a visitor to your website or mobile application must be informed of the use of cookies and must be able to accept or refuse them with the same degree of simplicity (Article 82 of the French Data Protection Act).

Consequently, the cookie banner must allow the user to consent to the placing of cookies by a clear positive act. To that end, the CNIL recommends a “Refuse all” button presented in the same format as the “Accept all” button, or a function that lets the user refuse cookies by closing the banner. By contrast, a “Decline all” button that is transparent, or smaller than the “Accept all” button, does not give the visitor the same degree of simplicity in accepting or declining cookies. Likewise, offering only a “Settings” button as the way to refuse, a pattern frequently found on websites, forces an extra step on the user who wants to refuse and thereby discourages refusal. Finally, the fact that the user continues browsing the website or application does not, according to the CNIL, constitute a positive act of consent to the placing of cookies.

Regarding “cookie walls” (making access to the website conditional on the user’s consent to cookies), the French Administrative Supreme Court (Conseil d’État) held that they cannot be prohibited in general and that whether consent is freely given must be assessed case by case (decision of 19 June 2020). Because this decision raises questions about “free consent”, the CNIL has published evaluation criteria: there must be a “real and fair alternative” allowing the user to access the website without having to consent to cookies. Offering access in exchange for a payment is not prohibited, but the price must be reasonable.

The European Data Protection Board published guidelines on “dark patterns” in social media interfaces in March 2022. Some elements apply to any website, in particular regarding cookies. On that subject, the Board considers that humour in the cookie information and consent banner may mislead the Internet user and overshadow the content relating to personal data; the example cited was a pun on cookies as baked goods. Information provided to users must be clear, visible and distinct from other types of content. It is likely that the CNIL will use this analysis as a reference.

GOOD PRACTICES

  • Allow the user to consent to the deposit of cookies by a clear positive act (Art 82 of the French Data Protection Act)
  • A “Refuse all” button in the same format as the “Accept all” button
  • Adopt compliant features:
    • Allow the user to refuse cookies by closing the cookie banner
    • Collect consent via a checkbox that is unchecked by default, or a switch that is disabled by default and must be activated by the user

BAD PRACTICES

  • Misleading design:
    • A transparent “Decline all” button, or one smaller than the “Accept all” button
    • A “Settings” button as the only way to refuse cookies
  • Automatic consent mechanisms:
    • Continuing to browse the site is not equivalent to clear user consent
  • “Cookie walls”, even though they are not forbidden as such
  • (Too much) humour

B. Information due to the user regarding the purpose of the use of cookies

At the same time as consent is obtained, the user must be able to know the purposes for which cookies are used (Article 13 of the GDPR). We advise you to set up a cookie banner on the home page of your website whose content details the purposes for which cookies are placed on users’ devices. When several processing operations serve distinct purposes, the Internet user must be able to consent to each purpose separately. We strongly advise against settling for wording such as “this site uses cookies” or “cookies are used to improve the efficiency of the services offered to you”, which the CNIL considers insufficient.
In addition, if the data you collect through cookies is intended for a third party, such as another data controller, be sure to inform the user of this.
Remember also to inform users of their right to withdraw consent easily and at any time.
Finally, use clear and simple terms that can be understood by a user without technical or legal knowledge.

GOOD PRACTICES

  • Displaying a cookie banner on the home page of the website detailing the purposes of the cookies
  • Informing the user of the identity of the data controller
  • Inform the user of their right to withdraw consent
  • Use short and simple terms

BAD PRACTICES

  • Avoid generic statements such as:
    • “This site uses cookies”
    • “Cookies are used to improve the efficiency of the services offered to you”
  • Avoid technical or complex terms
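The requirements in sections A and B above translate directly into how a banner's consent logic should behave: nothing non-exempt loads before an explicit positive act, closing the banner is a refusal, scrolling on is not a choice, each purpose is consented to separately, withdrawal is a single step, and the choice is kept in a first-party cookie that stores nothing else. The following is an added example written for this page, not code from ORIEL or the CNIL; it runs in Node without a DOM, and the purpose names, the cookie name and the 182-day lifetime are assumptions chosen for the illustration, not values taken from the article.

```javascript
// Added example, not code from ORIEL or the CNIL: a consent-gating model for a
// cookie banner that runs in Node without a DOM. The purpose names, the cookie
// name and the 182-day lifetime are assumptions chosen for the example.

const PURPOSES = ['audience_measurement', 'advertising', 'social_sharing']; // assumed purposes
const CONSENT_COOKIE = 'cookie_consent';        // assumed first-party cookie name
const CONSENT_VERSION = 1;                      // bump when purposes change so old choices lapse
const MAX_AGE_SECONDS = 182 * 24 * 3600;        // assumed lifetime; consent has to be renewed

// Every non-exempt purpose starts refused: no pre-ticked boxes, no pre-enabled switches.
function defaultChoices() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}

function record(choices, decided) {
  return { decided, choices, at: decided ? Date.now() : null, version: CONSENT_VERSION };
}

// Translate a banner interaction into a consent state. Only an explicit positive act
// grants consent. "Refuse all" and closing the banner are one-click refusals, on a par
// with "Accept all". Scrolling or navigating on is not a choice: the banner stays up
// and nothing non-exempt loads.
function decide(action, customChoices = {}) {
  const choices = defaultChoices();
  switch (action) {
    case 'accept_all':
      for (const p of PURPOSES) choices[p] = true;
      return record(choices, true);
    case 'refuse_all':
    case 'close_banner':
      return record(choices, true);
    case 'save_preferences':
      // Purpose-by-purpose consent: only switches the user explicitly turned on count
      // (strict boolean true), and purposes the banner never listed are ignored.
      for (const p of PURPOSES) if (customChoices[p] === true) choices[p] = true;
      return record(choices, true);
    case 'scroll':
    case 'navigate':
      return record(choices, false);
    default:
      throw new Error(`unknown banner action: ${action}`);
  }
}

// Withdrawal must be as easy as consent: one call sets every purpose back to refused.
function withdraw() {
  return decide('refuse_all');
}

// Gate for loading a tracker: a script serving a purpose runs only after an explicit yes.
function mayLoad(state, purpose) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  return Boolean(state && state.decided && state.choices[purpose] === true);
}

// Show the banner again whenever no valid, current choice is on record.
function needsBanner(state) {
  if (!state || !state.decided || state.version !== CONSENT_VERSION) return true;
  return Date.now() - state.at > MAX_AGE_SECONDS * 1000;
}

// Persist the choice in a first-party cookie holding nothing but the choice itself:
// this is the "cookie that retains the choice expressed by users" the CNIL exempts.
function toSetCookieHeader(state) {
  const payload = { c: state.choices, at: state.at, v: state.version };
  const value = encodeURIComponent(JSON.stringify(payload));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${MAX_AGE_SECONDS}; Path=/; Secure; SameSite=Lax`;
}

// Read the choice back from a Cookie request header. Anything malformed, tampered or
// written under another purpose version is treated as "no choice on record".
function fromCookieHeader(cookieHeader) {
  const pair = String(cookieHeader || '')
    .split(';')
    .map((s) => s.trim())
    .find((s) => s.startsWith(`${CONSENT_COOKIE}=`));
  if (!pair) return null;
  try {
    const parsed = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    if (parsed.v !== CONSENT_VERSION || typeof parsed.at !== 'number') return null;
    const choices = defaultChoices();
    for (const p of PURPOSES) if (parsed.c && parsed.c[p] === true) choices[p] = true;
    return { decided: true, choices, at: parsed.at, version: parsed.v };
  } catch {
    return null;
  }
}

// Walk-through with a constructed request: no cookie yet, the visitor saves preferences,
// and only the purposes switched on are allowed to load on the next request.
const first = fromCookieHeader('session=abc123');            // constructed header, no consent cookie
console.log('banner needed:', needsBanner(first));          // true
const saved = decide('save_preferences', { audience_measurement: true });
const next = fromCookieHeader(`session=abc123; ${toSetCookieHeader(saved).split(';')[0]}`);
console.log('audience measurement may load:', mayLoad(next, 'audience_measurement')); // true
console.log('advertising may load:', mayLoad(next, 'advertising'));                   // false
```

Two design points worth noting. The consent cookie carries a purpose-list version, so adding a new purpose later (a new advertising partner, for instance) automatically invalidates earlier choices and brings the banner back rather than silently extending old consent to a purpose the user never saw. And the parser treats anything it cannot validate as "no choice", which fails closed: a corrupted or hand-edited cookie never results in a tracker loading.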

Which cookies are exempt from consent?

A. Cookies exempted by the regulation

The consent requirement does not apply to all cookies. Certain types of cookies are exempted from these obligations, in particular those which:

  • have the sole purpose of enabling or facilitating communication by electronic means, or
  • are strictly necessary for the provision of an online communication service expressly requested by the user.

It is still recommended to inform users about the use of these cookies. Among these uses, the CNIL cites:

  • cookies used for audience measurement, and more specifically those used to produce anonymous statistics, strictly necessary for the proper functioning of the service
  • cookies that retain the choice expressed by users on the deposit of trackers
  • cookies intended for authentication with a service, including those intended to ensure the security of the authentication mechanism, for example by limiting robot access or unexpected access attempts
  • trackers intended to keep track of the contents of a shopping basket on a commercial site or to invoice the user for the product(s) and/or service(s) purchased
  • cookies for personalising the user interface (for example, for choosing the language or presentation of a service), where such personalisation is an intrinsic and expected element of the service
  • cookies enabling load balancing of equipment contributing to a communication service
  • cookies enabling paying sites to limit free access to a sample of content requested by users (predefined quantity and/or over a limited period)
  • cookies whose purpose is limited to measuring the audience of the site or application, to meet various needs (measuring performance, detecting navigation problems, optimising technical performance or ergonomics, estimating the server capacity required, analysing the content consulted, etc.)

B. Limits of the exemption

Beware: the processing of this personal data remains subject to the GDPR. We therefore advise you to check that the provider of your measurement tool is contractually committed not to re-use the data collected for its own purposes.

You should also be aware of any transfers of data outside the European Union that your solution provider may carry out. Not all countries outside the European Union benefit from an adequacy decision recognising a level of protection equivalent to that provided by the GDPR, and a transfer of personal data must be framed by appropriate safeguards to guarantee the protection of that data.

Finally, make sure that these cookies are only used to produce anonymous statistical data, and that the personal data collected cannot be cross-linked with other processing or transmitted to third parties, as these operations are not necessary for the functioning of the service.

