The Commission Nationale de l’Informatique et des Libertés (CNIL) has revised their cookie guidelines on October 1st, 2020. The guidance now reflects the guidelines of the European Data Protection Board released in May 2020.
The main differences from the previous guidelines are:
- Scrolling or swiping is no longer considered consent.
- Users must actively give consent by click “I accept”.
- All user consents must be stored for documentation.
The main cookie requirements by the CNIL
The rules on cookies and consent clarified by the CNIL in these guidelines mark a turning point for both the online advertising sector and the internet users.
Businesses and websites using cookies will have a 6 months grace period (end of March 2021) to meet the new standards for collecting valid consent.
The changes made to the cookie banners will give users better control of their privacy.
CNIL’s cookie and consent revisions:
- Regarding user consent
- The mere continuous use (scrolling or swiping) of a web page is no longer considered a valid expression of consent.
- Users must actively consent to a website’s use of tracking cookies by clicking ”I accept” in a cookie pop-up. If users do not click, no cookies but technically necessary cookies can be set by the website.
- Regarding withdrawal of consent
- All banners and cookie policies must offer users an easy way to change or withdraw their consent to cookies and at any time.
- Refusing cookies
- Consent is only given by a clear and affirmative action (by clicking a ”I accept” button). But refusing cookies must be as easy as accepting them (with a ”I refuse” button in the banner.
- Information about cookies and the data they collect
- Users must be clearly informed about the purpose of each tracking cookie before giving consent.
- Users must be clearly informed on the identity of the services (third parties) using cookies on the given website.
Recommendations by the CNIL
In addition to the requirements – which are obligatory – the CNIL also recommends French businesses and websites to:
- Include a “refuse all” or “decline all” button in the cookie pop-up.
- Store user consents for a certain period (also those who decline cookies) to avoid asking for consent at every visit.
- Collect valid consent for the use of tracking cookies that monitor user behavior across different sites.
CNIL FAQ on cookies and Consent
Here we answer some of the most frequent questions we get about CNIL’s cookie guidelines.
We have implemented the latest changes.
- Is scrolling or swiping considered consent?
- Can’t users just use browser settings to refuse cookie?
- No! A website cannot just link to browser settings for a refusal of cookies. Users must be presented with a “I refuse” button in the banner itself.
- Can a user change her mind and withdraw consent to cookies?
- Yes! A user is free to change a change of mind at any time. The general principal by CNIL is, that it should be as easy to withdraw consent as it was to give in the first place.