Key takeaways from the Guidelines include:
- Scope: The Guidelines apply to any technology that stores or accesses information on any user device connected to a telecommunications network open to the public, such as tablets, smartphones, laptops/computers, game consoles, and connected vehicles. This includes the use of HTTP cookies and similar technologies (e.g., HTML5 local storage, Local Shared Objects, fingerprinting techniques, identifiers generated by operating systems (IDFA, IDFV, Android ID, etc.) and device identifiers (MAC address, serial number or any other device ID)).
- Requirements for valid consent: The Guidelines reiterate that consent must be freely given, specific, informed and unambiguous, and must result from a clear affirmative action of the user.
  - Freely given: “Cookie walls” that prevent users who do not consent from accessing a site or mobile app are unlawful.
  - Specific: Users must be able to consent to each purpose or type of cookies. While it is acceptable to seek users’ overall consent (e.g., by an “accept all” button), users must also have the possibility to give granular consent for each purpose.
  - Unambiguous/clear affirmative action: Merely continuing to browse a site or mobile app or scroll down the page of a site or mobile app can no longer be considered valid consent.
- Demonstrating consent: Businesses using cookies and similar technologies must implement mechanisms that allow them to demonstrate – at any time – that valid consent was obtained. If they do not obtain consent themselves, relying on a contract term requiring one operator to obtain valid consent on behalf of the other is insufficient to show valid consent was obtained.
- Use of browser settings: Browser settings continue to be inadequate grounds for claiming valid consent.
- Exemption for analytics cookies: Analytics cookies may be exempt from the consent requirement, subject to strict conditions.
- Sanctions: The CNIL may impose any corrective measures and sanctions on businesses subject to French law independently of the application of the GDPR cooperation and consistency mechanism, as the cookies rules result from the implementation of the EU ePrivacy Directive in national law.
In terms of next steps, the Guidelines will be followed by sectoral recommendations on the practical modalities to obtain users’ consent. Once published, the recommendations will be open to public consultation. The final version of the recommendations is expected to be released in the first quarter of 2020. The CNIL will then allow for a transition period of six months to comply with the Guidelines and new recommendations.