The French Data Protection Authority releases new guidelines for cookies
The French Data Protection Authority (Commission nationale de l’informatique et des libertés or “CNIL” ») receives many individual and collective complaints (La Quadrature du Net, Privacy International, NOYB) relating to online marketing. In 2018, 21% of the complaints were related to marketing in the broad sense.
Meanwhile, online marketing professionals and their representatives are seeking to better understand their obligations under the General Data Protection Regulation (“GDPR”).
Pending the adoption of the forthcoming ePrivacy Regulation, the CNIL has released new guidelines.
Currently applicable legislation
The online marketing sector is subject to two regulations with demanding conditions, in particular with regard to consent: the GDPR and domestic provisions that have been adopted to transpose into national law the 2002 Directive on the protection of privacy in the electronic communications sector, as amended in 2009, (known as the “ePrivacy” Directive).
Article 82 of the French Data Protection Act transposed into French law the aforementioned Directive. It reads as follows:
“Any subscriber or user of an electronic communications service must be informed in a clear and comprehensive manner, unless he has been informed in advance, by the controller or his representative of:
1° The purpose of any action to access, by electronic transmission, information already stored in his/her electronic communications terminal equipment, or to record information in such equipment;
2° The means at his/her disposal to oppose it.
Such access or registration may only take place if the subscriber or user person has expressed, after having received this information, his/her consent, which may result from appropriate parameters of his/her connection device or any other device under his control.
These provisions shall not apply if access to information stored in the user’s terminal equipment or registration of information in the user’s terminal equipment:
1° either has the exclusive purpose of allowing or facilitating communication by electronic means, or
2° is strictly necessary for the provision of an online communication service at the express request of the user.”
As such, this article imposes the obligation, subject to certain exceptions, to obtain the consent of users before any operation to write or read cookies or other trackers.
With the entry into force of the GDPR on May 25, 2018, the consent requirements have been strengthened.
The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Article 7 provides for the following conditions for consent:
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
Pending the future regulation on “privacy and electronic communications”, otherwise known as “ePrivacy”, currently under discussion at the European level, the French Data Protection Authority has repealed its guidelines on cookies dating back to 2013 and adopted new guidelines in line with the new provisions of the GDPR. By the end of the year, it is also expected to publish, for public consultation, a new recommendation on consent collection.
Collection of consent
Free consent: the practice of blocking access to a website or mobile app. for those who do not consent to be tracked (“cookie walls”) is not compliant with the GDPR. The French Data Protection Authority recalls that the data subject must be able to give his or her consent independently and specifically for each distinct purpose. As such, the global acceptance of general terms of use cannot be a valid method of obtaining consent, insofar as it cannot be given separately for each purpose.
Informed consent: the notice must be drafted in terms that are simple and intelligible for all, and must allow users to be informed about the different purposes of the trackers being used. The French Data Protection Authority recalls that the information provided must be comprehensive, visible and easily accessible at the time of collecting consent. A mere cross-reference to the general terms of use is not sufficient.
Unambiguous consent: the user must give consent by means of an affirmative action after being informed of the consequences of his/her choice and the means to exercise it. The French Data Protection Authority specifies that continuing to navigate a website or to use a mobile app. does not constitute an affirmative action and thus does not constitute valid consent. Similarly, the use of pre-ticked boxes, as well as the general acceptance of the general terms of use, cannot be considered as an affirmative action signifying consent.
Evidence of consent
Article 7 of the GDPR requires that proof of consent must be demonstrated, which means that organizations which use trackers must implement mechanisms allowing them to demonstrate at all times that they have validly obtained the consent of users.
Wherever an organization does not collect consent itself, the French Data Protection Authority recalls that such an obligation cannot be fulfilled by the mere presence of a contractual clause committing one of the organizations to obtain valid consent on behalf of the other party.
Withdrawal of consent
The French Data Protection Authority recalls that it must be as simple to refuse or to withdraw consent as it is to give it.
This means, in particular, that people who have consented to the use of trackers must be given the possibility to withdraw their consent at all time.
Responsibilities
The GDPR has introduced the concepts of data processor’s liability and joint data controllers.
As such, the French Data Protection Authority specifies that where several stakeholders contribute to the performance of reading or writing operations covered by the guidelines (e.g. a website publisher and an advertising agency placing trackers when consulting a website), these stakeholders may be considered as “sole” controllers, joint controllers or data processors:
- In some cases, third-parties using trackers will be fully and independently responsible for the trackers they implement, which means that they will have to assume independently the obligation to obtain the consent of users.
- In the case of joint controllers, where the controllers jointly determine the purposes and means of the processing, the French Data Protection Authority points out that, as per Article 26 of the GDPR, they must define in a transparent manner their respective obligations in order to ensure compliance with the requirements of the GDPR, in particular with regard to the collection and proof, where applicable, of a valid consent.
- Lastly, a data processor is defined as an entity who installs information and/or has access to information stored on the terminal device of a subscriber or use, exclusively on behalf of a data controller without re-using for its own purpose the data collected via the tracker. The French Data Protection Authority recalls that if a data processing relationship is established, the controller and the data processor must enter into a data processing agreement or another legal instrument specifying the obligations of each party, in compliance with the provisions set forth in Article 28 of the GDPR.
To comply with these new rules, the French Data Protection Authority grants to stakeholders a period of 6 months but it specified this adaptation period will not prevent it from fully monitoring compliance with the other obligations that have not been modified and, if necessary, from adopting corrective measures to protect the privacy of Internet users. In particular, according to the French Data Protection Authority, stakeholders must respect the prior collection of consent for the installation of trackers, allow access to the service in case of refusal to consent, and provide a mechanism for withdrawing consent that is easy to access and to use.