CNIL revises cookie guidelines and recommendations

Major changes on the way for cookie banners in France. The French Data Protection Authority CNIL gives website owners a 6 months grace period to comply. Here are the main points and recommendations.
Table of Contents

The Commission Nationale de l’Informatique et des Libertés (CNIL) has revised their cookie guidelines on October 1st, 2020. The guidance now reflects the guidelines of the European Data Protection Board released in May 2020.

Link: European Data Protection Board releases cookie guidelines 

The main differences from the previous guidelines are:

  • Scrolling or swiping is no longer considered consent.
  • Users must actively give consent by click “I accept”.
  • Users must be able to refuse cookies.
  • All user consents must be stored for documentation.

The main cookie requirements by the CNIL

The rules on cookies and consent clarified by the CNIL in these guidelines mark a turning point for both the online advertising sector and the internet users.

Businesses and websites using cookies will have a 6 months grace period (end of March 2021) to meet the new standards for collecting valid consent.

The changes made to the cookie banners will give users better control of their privacy.

CNIL’s cookie and consent revisions:

  • Regarding user consent
    • The mere continuous use (scrolling or swiping) of a web page is no longer considered a valid expression of consent.
    • Users must actively consent to a website’s use of tracking cookies by clicking ”I accept” in a cookie pop-up. If users do not click, no cookies but technically necessary cookies can be set by the website.
  • Regarding withdrawal of consent
    • All banners and cookie policies must offer users an easy way to change or withdraw their consent to cookies and at any time.
  • Refusing cookies
    • Consent is only given by a clear and affirmative action (by clicking a ”I accept” button). But refusing cookies must be as easy as accepting them (with a ”I refuse” button in the banner.
  • Information about cookies and the data they collect
    • Users must be clearly informed about the purpose of each tracking cookie before giving consent.
    • Users must be clearly informed on the identity of the services (third parties) using cookies on the given website.
  • Businesses and organizations who use cookies that require consent must at any time be able to document each user consent and that the consent is freely given, informed, specific and unambiguous.

Recommendations by the CNIL

In addition to the requirements – which are obligatory – the CNIL also recommends French businesses and websites to:

  • Include a “refuse all” or “decline all” button in the cookie pop-up.
  • Store user consents for a certain period (also those who decline cookies) to avoid asking for consent at every visit.
  • Collect valid consent for the use of tracking cookies that monitor user behavior across different sites.

CNIL FAQ on cookies and Consent

Here we answer some of the most frequent questions we get about CNIL’s cookie guidelines.

We have implemented the latest changes.

  • Is it required to allow website users to refuse cookies?
    • Yes! Any website that uses cookies that are not technically necessary, must offer the user a way to refuse cookies. The CNIL now states that a refusal must be as easy as it is to give consent, therefore the “I refuse” button should be place in the cookie pop-up next to the “I accept” button.
  • Is scrolling or swiping considered consent?
    • No! The mere use of a website is not considered consent. The user must actively give consent by clicking a “I accept” button. Moreover, users must also be presented with a “I refuse” button so they can decline the use of cookies.
  • Can’t users just use browser settings to refuse cookie?
    • No! A website cannot just link to browser settings for a refusal of cookies. Users must be presented with a “I refuse” button in the banner itself.
  • Can a user change her mind and withdraw consent to cookies?
    • Yes! A user is free to change a change of mind at any time. The general principal by CNIL is, that it should be as easy to withdraw consent as it was to give in the first place.

Link: CNIL’s FAQ on the new guideline

How to comply with CNIL's revised cookie guidelines

Cookie Information can help your business collect valid consent to cookies and other trackers so you can follow CNIL’s cookie guidelines. Link: What are the rules on cookies? Here’s what you get with Cookie Information’s Consent Solution:

Checklist for collecting
valid consent to cookies