Cookies and other tracers: the CNIL publishes amending guidelines and its recommendation
Article 82 of the Data Protection Act transposes into French law Article 5.3 of Directive 2002/58/EC "privacy and electronic communications" (or "ePrivacy"). In particular, it provides for the obligation, with some exceptions, to obtain the consent of Internet users before any operation of writing or reading cookies and other tracers.
I-The main stages
In 2013, the CNIL adopted a first recommendation to guide stakeholders in implementing the texts that governed, at the time, read and write operations by cookies.
On May 25, 2018, the entry into force of the General Data Protection Regulation (GDPR) reinforced the requirements for the validity of consent, rendering part of this recommendation obsolete.
As part of its action plan on advertising targeting, the CNIL has therefore undertaken to update its reference frameworks in two stages.
On July 4, 2019, the CNIL thus adopted guidelines recalling the applicable law. These were adjusted on September 17, 2020 to draw the consequences of the decision rendered on June 19, 2020 by the Council of State.
At the same time, the CNIL also decided to draw up a draft recommendation, following consultation with professionals and civil society. Without being prescriptive, the recommendation acts as a practical guide intended to enlighten the actors using tracers on the concrete methods of obtaining the consent of the Internet user.
This draft was submitted, on January 14, to a public consultation, whose contributions enriched the version finally adopted on September 17, 2020.
II-Evolution of the applicable rules
The evolution of the applicable rules, clarified by the guidelines and the recommendation, marks a turning point both for the online advertising sector and for Internet users, who will now be able to exercise better control over online tracers.
A- The main principles confirmed by the CNIL
> Regarding user consent:
- simply continuing to browse a site can no longer be considered a valid expression of the Internet user's consent;
- people must consent to the deposit of tracers by a clear positive act (such as clicking on "I accept" in a cookie banner). If they do not do so, no tracer that is not essential to the operation of the service can be placed on their device.
> Users should be able to withdraw their consent easily and at any time.
> Refusing tracers should be as easy as accepting them.
> Regarding information to individuals:
- they must be clearly informed of the purposes of the tracers before consenting, as well as of the consequences of accepting or refusing tracers;
- they must also be informed of the identity of all actors using tracers subject to consent.
> Organizations operating tracers must be able to provide, at any time, proof of valid collection of the user's free, informed, specific and unambiguous consent.
B-Tracers exempted from the collection of consent
However, certain tracers are exempt from the collection of consent, such as, for example, tracers intended for authentication with a service, those intended to keep in memory the content of a shopping cart on a merchant site, certain tracers intended to generate traffic statistics, or those allowing paid sites to limit free access to a sample of content requested by users.
In addition, the CNIL recommends that the interface for collecting consent not only include an “accept all” button but also a “refuse all” button.
It suggests that websites, which generally retain consent to tracers for a certain period of time, also retain Internet users' refusal for a certain period, so as not to question the Internet user again on each of his visits.
In addition, so that the user is fully aware of the scope of his consent, the CNIL recommends that, when tracers allow monitoring on sites other than the site visited, consent be collected on each of the sites concerned by this navigation monitoring.
In order to answer questions from stakeholders and Internet users, the CNIL offers an FAQ to support the publication of the guidelines and the recommendation.
III-Towards compliance of the actors concerned
The CNIL invites all the players concerned to ensure that their practices comply with the requirements of the GDPR and the ePrivacy directive.
As it had announced, it estimates that the deadline for compliance with the new rules should not exceed six months, i.e. at the end of March 2021 at the latest.
While the CNIL will take into account the operational difficulties of operators during this period, during which it will favor support over inspections, it reserves the right, in accordance with the case law of the Council of State, to prosecute certain breaches, in particular in the event of a particularly serious breach of the right to respect for private life (CE, 16 October 2019, n° 433069, Rec.). In addition, the CNIL will continue to pursue breaches of the rules relating to cookies that predate the entry into force of the GDPR, informed by its recommendation of December 5, 2013.
Virginie Gastine Menou
RISKS AND YOU