CNIL releases new precise cookie guidelines

The French Data Protection Authority CNIL has released a new set of guidelines which leaves no doubt about how companies are to deal with cookies on their website. Here we guide you to adhere to the new guidelines for processing personal data using cookies.
Table of Contents
With the new CNIL cookie guidelines, the Commission Nationale de l’informatique et des Libertés (CNIL) determines that websites are not allowed to place cookies to track visitors before the visitor has given their explicit consent.
The new cookie rules thus clearly state; consent must be obtained before cookies are placed.
In article 2 of the guidelines, the CNIL establishes:
..”trackers requiring the collection of consent cannot be used for writing or reading until the user has given their freely given, specific, informed and unequivocal consent to this by a declaration or a clear act”.
This means that whenever a user visits a website, the website must actively prevent cookies from being placed in the user’s browser until a valid consent has been obtained.
Here are two video examples of how-to – and how not to – collect a valid consent.

How do you collect valid consent in accordance with the new guidelines?

The new CNIL cookie guidelines explicitly declare how to collect valid consent from your visitors for placing cookies in their browser. As the data controller, you are responsible for all cookies set from your website, also those owned by third parties such as Google, Facebook, Advertising platforms, etc.
We have summarized the requirements for collecting a valid consent in accordance with the new guidelines:

1) Informed consent

You need to inform your users of:

  • Who owns and operates the website (identity of the data controller).
  • The purpose for using cookies on the website (statistics, marketing, etc.).
  • How to withdraw consent.
  • The identity of all companies (e.g., third parties) who have access to information stored in cookies.
*Remember, asking your users to delete cookies in the browser settings is not a valid option to opt-out of cookies.

2) Consent is obligatory

Consent must be collected for all cookies except those strictly necessary for the website to work.

3) Consent must be freely given

The user has to be provided with an option to accept or refuse cookies. Cookies cannot be placed in the user’s browser by implicit consent, i.e., by continuous website use or by lack of ways to decline to track (cookies).
This means cookie walls (no access to the website unless the user consents) are not allowed.

4) Consent must be specific

The user must be given an option to choose which specific purposes of data processing the user wants to accept. This means the user must be provided with privacy controls to accept or decline different purposes of data processing.

5) Consent must be renewed after 13 months

The guidelines state that cookies must be deleted from the user’s browser after a maximum of 13 months. This means that the website must ask for a new consent after 13 months.

6) Audience measurements are exempt from prior consent rules under some circumstances

Audience measurement or basic analytics such as A/B testing will be exempt from the prior consent rules in certain cases. However, this will not change a great deal as the CNIL has kept the requirement of “prior information”, which will have to be presented to the user in the same way as other purposes, e.g., for marketing. We expect that this exemption will be up for debate as it, as it stands now, will not change anything for the website operators.

7) The user must be able to decline cookies altogether, also the strictly necessary ones

Even though strictly necessary cookies are exempt from the rules of prior consent, users have to have the option to decline them. This will require website operation to allow their users to decline cookies altogether, which will lead to some functions not working on the website.