With the new CNIL cookie guidelines, the Commission Nationale de l’informatique et des Libertés (CNIL) determines that websites are not allowed to place cookies to track visitors before the visitor has given their explicit consent.
The new cookie rules thus clearly state that consent must be obtained before cookies are placed.
In article 2 of the guidelines, the CNIL establishes:
“...trackers requiring the collection of consent cannot be used for writing or reading until the user has given their freely given, specific, informed and unequivocal consent to this by a declaration or a clear act”.
This means that whenever a user visits a website, the website must actively prevent cookies from being placed in the user’s browser until valid consent has been obtained.
Here are two video examples of how to – and how not to – collect valid consent.
The new CNIL cookie guidelines explicitly declare how to collect valid consent from your visitors for placing cookies in their browser. As the data controller, you are responsible for all cookies set from your website, including those owned by third parties such as Google, Facebook, advertising platforms, etc.
We have summarized the requirements for collecting valid consent in accordance with the new guidelines:
*Remember, asking your users to delete cookies in the browser settings is not a valid way to opt out of cookies.
Consent must be collected for all cookies except those strictly necessary for the website to work.
This means cookie walls (no access to the website unless the user consents) are not allowed.
The user must be given an option to choose which specific purposes of data processing the user wants to accept. This means the user must be provided with privacy controls to accept or decline different purposes of data processing.
The guidelines state that cookies must be deleted from the user’s browser after a maximum of 13 months. This means that the website must ask for a new consent after 13 months.
Audience measurement or basic analytics such as A/B testing will be exempt from the prior consent rules in certain cases. However, this will not change a great deal, as the CNIL has kept the requirement of “prior information”, which will have to be presented to the user in the same way as other purposes, e.g., for marketing. We expect this exemption to be up for debate since, as it stands now, it will not change anything for website operators.
Even though strictly necessary cookies are exempt from the rules of prior consent, users must have the option to decline them. This will require website operators to allow their users to decline cookies altogether, which will lead to some functions not working on the website.