The Commission Nationale de l’Informatique et des LibertĂ©s (CNIL) has revised their cookie guidelines on October 1st, 2020. The guidance now reflects the guidelines of the European Data Protection Board released in May 2020.
Link:Â European Data Protection Board releases cookie guidelinesÂ
The main differences from the previous guidelines are:
- Scrolling or swiping is no longer considered consent.
- Users must actively give consent by click âI acceptâ.
- Users must be able to refuse cookies.
- All user consents must be stored for documentation.
The main cookie requirements by the CNIL
The rules on cookies and consent clarified by the CNIL in these guidelines mark a turning point for both the online advertising sector and the internet users.
Businesses and websites using cookies will have a 6 months grace period (end of March 2021) to meet the new standards for collecting valid consent.
The changes made to the cookie banners will give users better control of their privacy.
CNILâs cookie and consent revisions:
- Regarding user consent
- The mere continuous use (scrolling or swiping) of a web page is no longer considered a valid expression of consent.
- Users must actively consent to a websiteâs use of tracking cookies by clicking âI acceptâ in a cookie pop-up. If users do not click, no cookies but technically necessary cookies can be set by the website.
- Regarding withdrawal of consent
- All banners and cookie policies must offer users an easy way to change or withdraw their consent to cookies and at any time.
- Refusing cookies
- Consent is only given by a clear and affirmative action (by clicking a âI acceptâ button). But refusing cookies must be as easy as accepting them (with a âI refuseâ button in the banner.
- Information about cookies and the data they collect
- Users must be clearly informed about the purpose of each tracking cookie before giving consent.
- Users must be clearly informed on the identity of the services (third parties) using cookies on the given website.
- Businesses and organizations who use cookies that require consent must at any time be able to document each user consent and that the consent is freely given, informed, specific and unambiguous.
Recommendations by the CNIL
In addition to the requirements â which are obligatory â the CNIL also recommends French businesses and websites to:
- Include a ârefuse allâ or âdecline allâ button in the cookie pop-up.
- Store user consents for a certain period (also those who decline cookies) to avoid asking for consent at every visit.
- Collect valid consent for the use of tracking cookies that monitor user behavior across different sites.
CNIL FAQ on cookies and Consent
Here we answer some of the most frequent questions we get about CNILâs cookie guidelines.
We have implemented the latest changes.
- Is it required to allow website users to refuse cookies?
- Yes! Any website that uses cookies that are not technically necessary, must offer the user a way to refuse cookies. The CNIL now states that a refusal must be as easy as it is to give consent, therefore the âI refuseâ button should be place in the cookie pop-up next to the âI acceptâ button.
- Is scrolling or swiping considered consent?
- No! The mere use of a website is not considered consent. The user must actively give consent by clicking a âI acceptâ button. Moreover, users must also be presented with a âI refuseâ button so they can decline the use of cookies.
- Canât users just use browser settings to refuse cookie?
- No! A website cannot just link to browser settings for a refusal of cookies. Users must be presented with a âI refuseâ button in the banner itself.
- Can a user change her mind and withdraw consent to cookies?
- Yes! A user is free to change a change of mind at any time. The general principal by CNIL is, that it should be as easy to withdraw consent as it was to give in the first place.
How to comply with CNIL's revised cookie guidelines
Checklist for collecting
valid consent to cookies
- Block cookies before you get consent
- Offer an easy way for your user to decline cookies
- Inform your users of cookies
- Respect their privacy choices
- Provide an easy way for change or withdraw consent
- Store their consents for 5 years