CNIL releases new precise cookie guidelines

The French Data Protection Authority CNIL has released a new set of guidelines that leave no doubt about how companies are to deal with cookies on their websites. Here we explain how to comply with the new guidelines for processing personal data using cookies.

With the new CNIL cookie guidelines, the Commission Nationale de l’informatique et des Libertés (CNIL) determines that websites are not allowed to place cookies to track visitors before the visitor has given their explicit consent.

The new cookie rules thus clearly state: consent must be obtained before cookies are placed.

In article 2 of the guidelines the CNIL establishes:

“...trackers requiring the collection of consent cannot be used for writing or reading until the user has given their freely given, specific, informed and unequivocal consent to this by a declaration or a clear act”.

Link: Cookies and other tracking devices: the CNIL publishes new guidelines

This means that whenever a user visits a website, the website must actively prevent cookies from being placed in the user’s browser until a valid consent has been obtained.

Here are two video examples of how to – and how not to – collect a valid consent.

The new CNIL cookie guidelines explicitly declare how to collect a valid consent from your visitors for placing cookies in their browser. As the data controller, you are responsible for all cookies set from your website, including those owned by third parties such as Google, Facebook, advertising platforms etc.

We have summarized the requirements for collecting a valid consent in accordance with the new guidelines:

1)    Informed consent

You need to inform your users of:

  • Who owns and operates the website (identity of the data controller).
  • The purpose for using cookies on the website (statistics, marketing etc.).
  • How to withdraw consent.
  • The identity of all companies (e.g. third-parties) who have access to information stored in cookies.

*Remember, asking your users to delete cookies in the browser settings is not a valid option to opt out of cookies.

2)    Consent is obligatory

Consent must be collected for all cookies except those strictly necessary for the website to work.

3)    Consent must be freely given

The user has to be provided with a choice: an option to accept or refuse cookies. Cookies cannot be placed in the user’s browser by implicit consent, i.e. by continued use of the website or by the lack of a way to decline tracking (cookies).

This means that cookie walls (no access to the website unless the user consents) are not allowed.

4)    Consent must be specific

The user must be given an option to choose which specific purposes of data processing he or she wants to accept. This means that the user must be provided with privacy controls to accept or decline different purposes of data processing.

5)    Consent must be renewed after 13 months

The guidelines state that cookies must be deleted from the user’s browser after a maximum of 13 months. This means that the website must ask for a new consent after 13 months.

6)    Audience measurement is exempt from prior consent rules under some circumstances

Audience measurement, or basic analytics such as A/B testing, will be exempt from the prior consent rules in certain cases. However, this will not change a great deal, as the CNIL has kept the requirement of “prior information”, which will have to be presented to the user in the same way as other purposes, e.g. for marketing. We expect that this exemption will be up for debate because, as it stands now, it will not change anything for website operators.

7)    The user must be able to decline cookies altogether, also the strictly necessary ones

Even though strictly necessary cookies are exempt from the rules of prior consent, users have to have the option to decline them. This will require website operators to allow their users to decline cookies altogether, which will lead to some functions not working on the website.

