On January 14, 2020, the French Data Protection Authority (the “CNIL”) published its draft recommendations on the practical modalities for obtaining users’ consent to store or read non-essential cookies and similar technologies on their devices (the “Recommendations”). The CNIL also published a set of questions and answers on the Recommendations (“FAQs”).
The Recommendations were drafted following a consultation with organizations representing industries in the ad-tech ecosystem and civil-society organizations with a view to identifying cookie consent solutions that would be both pragmatic and privacy friendly. The Recommendations are not binding, nor are they intended to be prescriptive and exhaustive. Organizations may use other methods for obtaining users’ consent so long as these methods comply with the Guidelines.
Key takeaways from the Recommendations include:
- Information on the purposes of the cookies: The purposes of the cookies should be briefly listed in a first layer of information. The Recommendations provide examples of that brief description for the following purposes or types of cookies: (1) targeted or personalized advertising; (2) non-personalized advertising; (3) personalized advertising based on precise geolocation; (4) customization of content or products and services provided by the web publisher; (5) social media sharing; and (6) audience measurement/analytics. This shows the level of detail expected by the CNIL when defining the different categories of cookies. Furthermore, the list of purposes referred to in the first layer of information should be supplemented by a more detailed description of those purposes, which should be directly accessible in the first layer, for example, through a drop-down button or a hyperlink.
- Real choice between accepting or refusing cookies: Users must be offered a real choice between accepting or refusing cookies through two checkboxes (not pre-checked) or buttons (“accept” / “refuse,” “allow” / “deny,” etc.) or equivalents such as “on”/“off” sliders that should be deactivated by default. These checkboxes, buttons or sliders should be of the same format and presented at the same level. Users should have such choice for each type or category of cookies.
- Overall consent covering several sites: It is acceptable to seek users’ consent for a group of sites—rather than individually for each site—if users are informed of the exact scope of their consent (i.e., if they are provided with a list of sites to which their consent applies), and if they have the opportunity to reject all cookies altogether on those sites (e.g., if a “Reject All” button is included, together with the “Accept All” button). More generally, the examples provided in the Recommendations include three buttons: “Personalize my choices” (whereby users may make a more granular choice per purpose or type of cookies), “Reject All,” and “Accept All.”
- Duration of the validity of consent: It is best practice to get users’ renewed consent at regular intervals. As a rule, the CNIL considers that a period of 6 months would be appropriate.
- Demonstrating consent: Data controllers should be able to provide (1) individual evidence of users’ consent, and (2) evidence that their consent mechanism allows the gathering of valid consent.
  - Individual evidence of consent: Consent could be recorded by using a cookie to store the user’s choice. In addition, the following information should be recorded: (1) a timestamp to show when the user consented; (2) the context in which consent was gathered (identification of the site or app concerned); (3) the type of consent mechanism used; and (4) the purposes to which the user consented.
  - Evidence of the validity of consent: Such evidence may be obtained by keeping a screenshot of the visual aspect of the mechanism on a computer or mobile device for each version of the site or app, or by carrying out regular audits of the consent mechanisms implemented on the sites or apps where consent is sought.
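The evidence-of-consent record described above, as an added JavaScript example that is not part of the CNIL text or of any CNIL tooling: it stores the four fields the Recommendations list (timestamp, context, mechanism, purposes), starts every purpose refused, applies the six-month renewal period and round-trips the record through a cookie. The cookie name, the purpose keys and the sample site and mechanism values are assumptions of this example.

```javascript
// Added example: a consent evidence record shaped after the CNIL fields.
// Cookie name, purpose keys and sample values are assumptions, not CNIL's.

// The six purpose categories listed in the Recommendations.
const PURPOSES = Object.freeze([
  "targeted_advertising", "non_personalized_advertising",
  "geolocation_advertising", "content_customization",
  "social_media_sharing", "audience_measurement",
]);

// Every purpose starts refused: no pre-checked boxes, sliders off by default.
function defaultChoices() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}

// Individual evidence of consent: when, where (site/app), how (mechanism),
// and the per-purpose decision. Unknown purposes are rejected, not ignored.
function buildConsentRecord(choices, context, mechanism, now = new Date()) {
  const purposes = defaultChoices();
  for (const [purpose, accepted] of Object.entries(choices)) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    purposes[purpose] = accepted === true; // only an explicit true counts as consent
  }
  return { timestamp: now.toISOString(), context, mechanism, purposes };
}

// Consent is treated as current for six months from the recorded timestamp;
// after that the choice must be asked again.
function isConsentCurrent(record, now = new Date()) {
  const expiry = new Date(record.timestamp);
  expiry.setUTCMonth(expiry.getUTCMonth() + 6);
  return now < expiry;
}

// Persist the record as a Set-Cookie value and read it back from a Cookie
// header; a missing or unparsable cookie means "ask again".
function toSetCookie(record, name = "consent_record") {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${name}=${value}; Max-Age=${183 * 86400}; Path=/; Secure; SameSite=Lax`; // ~6 months
}

function fromCookieHeader(header, name = "consent_record") {
  const entry = header.split(/;\s*/).find((c) => c.startsWith(`${name}=`));
  if (!entry) return null;
  try { return JSON.parse(decodeURIComponent(entry.slice(name.length + 1))); }
  catch { return null; }
}
```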
In terms of next steps, the Recommendations are open to public consultation until February 25, 2020. A new version of the Recommendations will then be submitted, for adoption, to the CNIL’s members during a plenary session. The CNIL will carry out inspections to enforce the Guidelines after a period of six months following the adoption of the Recommendations. In addition, the final Recommendations may be updated and completed over time to take into account new technological developments and the responses to the questions raised by professionals and individuals on this topic.