The CNIL’s Guidance indicates that this obligation applies to website publishers, operating system and application publishers, advertising networks, social networks and website analytics solutions providers.
The CNIL’s Guidance also states that only certain cookies are exempt from the consent requirement under French data protection law, namely cookies whose sole purpose is to enable or facilitate electronic communications or that are strictly necessary for the provision of an online communication service as expressly requested by the user. According to the CNIL’s Guidance, this includes:
- cookies used for a “shopping basket” on a merchant’s website;
- “Session ID” cookies for the duration of the session (or persistent cookies limited to a few hours in some cases);
- authentication cookies;
- multimedia player session cookies;
- load balancing session cookies; and
- persistent user interface customization cookies.
Some web analytics solutions also may qualify for an exemption from the consent requirement.
In all other cases, the CNIL’s Guidance emphasizes that:
- web users’ consent must be obtained before placing or reading cookies and similar technologies (such as web bugs and fingerprinting technologies), and such consent must be obtained each time these technologies are used for a new purpose;
- the validity of the consent is linked to the quality of the information provided to web users – in particular, web users must be clearly informed of the different purposes for which the cookies and similar technologies will be used; and
- web users’ consent is valid only if the users have a real choice between accepting or refusing cookies and similar technologies.
In practice, the CNIL recommends obtaining consent using a two-pronged approach, as described below.
Step 1: Provide Information to the Web User About the Cookies and Their Purposes
According to the CNIL’s Guidance, a banner must appear on the home page or on a subpage of the website when a user visits it. The banner must specify:
- the exact purposes of the cookies used on the website; and
Step 2: The “More Information” Page
- a cookie consent mechanism directly available on the website or application;
- a link to opt-out solutions offered by advertising networks, social networks and website analytics solutions providers (assuming that these solutions are user-friendly and functional); or
The CNIL’s Guidance recommends treating a user’s cookie consent as valid for up to 13 months. After this period, the website must obtain renewed consent from the user. The CNIL’s Guidance states that cookies should be programmed to expire 13 months after they are placed on a user’s device.