On 18 July the CNIL, France’s Data Protection Authority, released updated cookie guidelines. These guidelines repeal the previous CNIL Cookie Guidelines and re-interpret Article 5.3 of the e-Privacy Directive from 2013, which imposed an obligation to obtain prior consent before placing or accessing cookies and similar technologies.

Learn more about the CNIL’s cookie guidelines in our webinar – register today!

Key takeaways from the updated guidance include:

1. Obligation to implement measures to demonstrate proof of compliance with GDPR requirements for consent

Organizations have to be able to demonstrate that they have lawfully collected valid consent from the data subject to use trackers (freely given, specific, informed and unequivocal consent provided by a declaration or a clear positive act). If an organization does not collect consent directly from the data subject, it cannot demonstrate compliance by relying only on a contractual clause binding the other party to obtain valid consent on its behalf.

How OneTrust helps:

Demonstrate Compliance with Granular Records of Consent

OneTrust works with many regulators globally to understand compliance reporting expectations and has extensive capabilities to demonstrate compliance. Granular records of consent and audit trails are available on demand within the OneTrust platform.

Historical Audit Trails

Modifications to settings on the cookie banner or preferences are stored in a detailed audit log to show compliance over time.

2. Contrary to ICO guidance, which requires valid consent, the CNIL considers audience measurement and analytics trackers exempt from consent requirements under specific conditions

Trackers used to optimize the service provided to the data subjects visiting their websites don’t require the collection of consent, as long as they are not intrusive and respect the following requirements:

  • Must be implemented by the website publisher or subcontractor
  • User must be informed prior to their implementation
  • User must be able to object easily across any devices/browsers
  • Purpose must be limited to:
    • Audience measurement of the content viewed, to evaluate the published content and the metrics of the site/app
    • Audience segmentation to evaluate effectiveness of editorial choices, without this leading to targeting a single person
    • Global, dynamic modification of the site.
  • Personal data must not be cross-referenced with other processed data, nor transmitted to third parties
  • Strictly limited to the production of anonymous stats on a single publisher site
  • Geotagging based on IP address must not be more accurate than city-level. IP address collected must also be deleted/anonymized once geolocation is done.
  • Trackers cannot last more than 13 months (no auto-extension during new visits). Information collected from trackers cannot be kept for longer than 25 months.

How OneTrust helps:

Adapt Your Consent Approach

OneTrust can support multiple consent models, whether opt-out, opt-in, explicit, implied or notice only. Set up different models for each cookie category to meet compliance while maintaining optimal performance using analytics.

Allow The User To Easily Update Their Preferences At Any Time

Provide choices at all times with a granular preference centre to easily manage cookie preferences. Enable granular preferences across cookie categories determined within the OneTrust platform.


3. “Cookie walls” are not compliant under GDPR

Following the European Data Protection Board (EDPB) statement, the CNIL considers that the practice of using “cookie walls” to block access to a website or mobile application for users who do not agree to be tracked does not comply with the GDPR.

4. The CNIL considers that relying on browser settings does not meet valid consent requirements

As opposed to Article 82 of the GDPR, the CNIL considers that browser settings do not allow the user to express valid consent.

For consent to be valid, the following information must be (at minimum) provided to the data subject prior to the collection of consent:

  1. Identity of controller(s)
  2. Purpose of reading/writing operations
  3. Existence of the right to withdraw consent
  4. Exhaustive and up-to-date list of other entities using the cookie data – e.g. if shared amongst several entities.

The information should be complete, clear and prominently displayed, and it cannot be contained only in a general terms and conditions document.

How OneTrust helps:

Provide All Required Information

Include all required information on the cookie banner and in the preference centre to ensure data subjects are fully informed. OneTrust automatically generates a detailed Cookie List based on the latest website scan.

Easily update the information provided from the OneTrust user-friendly interface at any time without the intervention of a technical team, while tracking changes in an audit log.


5. Timeline for the practical CNIL recommendations:

The guidelines will serve as a base for the consultations with professionals and civil society to define the practical requirements for obtaining valid consent. CMS vendors, including OneTrust, will also participate in these consultations.

Based on these consultations, a new recommendation will be presented at the end of December 2019, which will then be subject to public consultation for six weeks.

It will then be published, and operators will have six months to meet compliance requirements.

  • Until December 2019: Consultation with main stakeholders (content editors, advertisers, service providers in the marketing ecosystem, CMS vendors, civil society)
  • End of December 2019: Presentation of new Recommendation
  • December-January 2020: Six-week public consultation
  • July 2020: Enforcement of requirements outlined in the Recommendation

How OneTrust helps:

OneTrust is the most mature and trusted solution for cookie consent, used by 100,000 websites worldwide and supported in 50 languages. As cookie consent guidelines evolve and change, OneTrust’s solutions are purpose-built to evolve along with the regulations and help website owners achieve and maintain cookie compliance quickly and easily.

Specifically, OneTrust provides a user-friendly solution that allows organizations to collect consent lawfully and demonstrate compliance with all the CNIL requirements.
