"To protect personal data, support innovation, preserve individual liberties"


What the Telecoms Package changes for cookies

20 December 2011

The transposition in French law of the directives called "Telecom Package" notably reinforces the obligation to inform web users regarding cookies. The law now imposes to website publishers, in certain cases, to inform web users and to collect their consent before installing cookies. How to comply? What cookies are concerned? The CNIL takes a look at these new obligations.

What is the Telecoms Package?

The “Telecoms Package” is the name that is given to two directives and one regulation regarding electronic communications that were adopted by the European Parliament and the Council on November 25, 2009.

One of these texts directly impacts data protection since the directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (2002/58/EC) has been amended (directive 2009/136/EC).

The French government has transposed the directive in a legislative order published on August 24, 2011 (called the “Telecoms Package ordinance”), which notably modifies article 32 II of the French data protection act of January 6, 1978.

What is written in the law?

A tentative translation in English of the new article 32 II of the French data protection act of January 6, 1978 follows:

“Unless relevant information has already been provided to him, any subscriber or user of an electronic communication service must be informed in a clear and comprehensive manner by the data-controller or his representative of:

  • The purpose of any action to gain access, by electronic transmission, to information already stored in his electronic communications terminal equipment, or to place information in the equipment;
  • The means at his disposal to oppose it.

This access or storage can only take place if the subscriber or user has expressed his agreement, after being provided with this information; such agreement may result from appropriate settings of his connection device or any other device placed under his control.

These provisions do not apply if access to information stored in the terminal equipment of the user or the storage of information in the terminal equipment of the user:

  • has the sole purpose of enabling or facilitating electronic communication;
  • or is strictly necessary for the provision of an online communication service at the express request of the user.”

What did previous legislation say?

Websites needed to inform web users that a cookie was installed on their computer and allow them to oppose it.

In practice, the information was general and was most frequently found buried in the general Terms of Service (ToS).

What changes with the Telecoms Package?

Information must be provided before the cookie is stored, and the web user’s consent must be gathered.

Warning: The right to oppose at any time to the use of a cookie that has already been installed remains, as well as the obligation to specify what the cookie is used for.

What do we mean when we talk about “cookies”?

Actually, it’s about “information stored in the terminal equipment” that is inserted by a website in the user’s terminal. Inserting a cookie is similar to putting a “label” on the terminal of the web users. If this “label” contains a unique identifier, the website will be able to use this identifier to distinguish a web user from another, and therefore to recognize him when he visits his site again.

For example, in online behavioral advertising, a digital identifier contained in a cookie allows to label and therefore to “track” a web user in order to build a profile based on the pages he visited on the web. This profile enables proposing targeted advertising to the user.

These measures are also applicable to technologies that are related to cookies such as “flash” cookies (also called “Local Shared Objects”) or local web storage (also called “DOM storage”). The word “cookie” must thus be broadly interpreted.

Are all cookies concerned?

No. These rules do not apply to a cookie that:

  • “has the sole purpose of enabling or facilitating electronic communication;
  • or is strictly necessary for the provision of an online communication service at the express request of the user.”

As such, for example, these rules of information and prior consent do not apply to the following cookies:

  • cookies used as a “shopping basket” on a merchant’s website;
  • user session cookies (SessionID) that allow tying together the actions of a user when this is necessary to provide the service he requested;
  • cookies that allow to record the user’s spoken language (for websites that are translated in several languages) or other preferences that are necessary to provide the requested service;
  • flash cookies containing elements that are strictly necessary to make a media player work (audio or video) for a content that has been requested by the user.

If prior information is not necessary for this type of cookie, it is nevertheless recommended to provide information about their use in the privacy policy of the website.

Are cookies that do not contain personal data also subject to the new legislation?

Yes. Directive 2002/58/EC applies to all types of information stored in the cookie. It specifies that the “terminal equipment of users […] and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms.”.

The Article 29 working party (WP29) has further noted that “the protection of an area deemed to be the private sphere of the data subject is what triggers the obligations contained in Article 5(3), not the fact that the information is, or is not, personal data.”

How to achieve compliance?

Who must inform web users?

It is the controller of a processing that implements cookies who has the responsibility of informing web users. However, this information may be implemented by a third party designated by the data controller.

In the case where a cookie is inserted by a third party (for example: a targeted ad placed by an external ad network), information and consent do not need to be implemented twice. Hence, if the ad network already provided information and received consent from the web user, the website that displays the ad does not need to repeat this operation.

In the event that the data controller is established outside of the European Union, he may delegate the implementation of the French data protection requirements to a representative established in France. This representative may also be in charge of providing information to web users.

What is an “agreement” or “consent”?

The use (in French) of the word “agreement” in the directive as well as in the legislative order results from an imprecise translation of the original directive in English, which uses the word “consent”.
The word “agreement” thus clearly refers to consent as defined in article 2(h) of Directive 95/46/EC, that is to say to “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

In this context, the user’s consent must be:

  • Freely given: it must result from the free choice of the user.
  • Specific: it must refer to a specific cookie associated to a specific purpose.
  • Informed: the information must be delivered prior to processing and must specify how to later oppose the use of this cookie.

The validity of consent is linked to the quality of the provided information. It must be written in simple terms that are comprehensible to the general public, while being precise.  For example, if the cookie has for purpose to “create user profiles in order to present targeted advertising”, the information should reuse all these terms and should not be limited to the indication “advertisement”.

Are browser settings a valid form of consent?

In order to have a free and specific form of agreement expressed through browser settings, the user must be able to choose what cookies he accepts and for what purpose. A browser that would by default accept all cookies without distinguishing their purpose would not be considered as providing valid consent since it would not be specific.

Settings on most browsers (such as Firefox, internet explorer, safari or chrome) can be modified in such a way that the user’s agreement will be asked for every cookie. However, this solution raises some practical problems and user-interface issues for the following reasons:

  • alone, this solution is insufficient because it does not provide the user with “clear and comprehensive” information along with the consent request;
  • today, a website that would want to rely this mechanism has no means to verify that the user’s browser settings are effectively enabled correctly;
  • these settings would be applied to all cookies, even those that are exempted from prior consent, because the browser has no way to make such a distinction;
  • these settings are complex to enable for the user, and vary significantly from one browser to another.

Since current browsers alone do not offer settings that address the requirements of the law, the Legislator has foreseen other possibilities by specifying that the user’s consent may also be expressed by “any other device placed under his control”. This could be, for example, a browser plug-in or a web consent management platform.

What are valid ways to request consent?

First, the person must be informed of the purpose of the cookie (e.g. advertisement), and then he must be asked if he accepts the storage of a cookie on his computer, while being notified that he will be able to later withdraw his consent.

This mechanism to ask for the user’s consent may take several forms, such as for example:

  • a banner at the top of a webpage (such as implemented on the website of the UK data protection commissioner: www.ico.gov.uk as well as the CNIL : www.cnil.fr);
  • a consent request zone constructed as an html overlay on the page;
  • a set of tick boxes presented during subscription to a online service.

These examples are by no means limitative.

Warning: Traditional browser “pop-up” windows are not recommended because they are often blocked by browsers.

In the future, what are the foreseeable technical developments that could help address the requirements of the law?

Browser vendors are currently developing new mechanisms to allow web users to express their preferences regarding privacy. We can for example mention the “do-not-track” mechanism currently being developed by the Mozilla foundation (the editor of Firefox), which could soon be standardized by the World Wide Web consortium (W3C). This mechanism does not directly address cookies but it could be adapted or modified to respond to the requirements of the law, provided it is activated by default on browsers (to indicate that the user does not want to be tracked) and if it allows users to set their preferences easily.

The online advertising industry has developed centralized platforms that allow users to express their preferences regarding cookies used by ad networks. These platforms target compliance with the previous legislation but have not yet evolved to comply with the principle of consent established by the new legislation. It would be technically not very complex to modify these platforms to make them compatible with the new legislation. The user could then access a centralized platform that would enable him to express, on a case by case basis, his agreement to receive cookies that reflect his personal choices.

Do we need to request consent from user each time they visit a webpage?

No, if the user has already given his agreement (or expressed his objection) for a cookie, it is not necessary to request again his consent during his next visits. This principle is also valid for “third party” cookies. Hence, for example, if a web user accepts to receive third party cookies from a specific ad network for the purpose of behavioral advertising, this consent will be valid for all websites that display ads from the same ad network.

Can a cookie be used to memorize the refusal of a user to receive cookies?

 Yes. This solution is absolutely conceivable: if the user refuses a cookie, it is useful to memorize this refusal in order not to needlessly seek again his consent.

Since the user’s consent is specific for a determined purpose, the user can simultaneously:

  • refuse to give his consent to receive a cookie that would, for example, record the last articles he browsed on a merchant’s website;
  • [and yet] accept to give his consent to receive a cookie that will mark his refusal to receive the previously described cookie.

In practice, the website should be able to offer multiple choices to the user:

  • Accept the aforementioned cookie;
  • Refuse the cookie and be asked again next time;
  • Refuse the cookie and memorize this refusal with the installation of a “refusal cookie”.

Do modifications in the Terms of Service (ToS) constitute an acceptable way to collect consent?

No.  A unique document such as the ToS does not enable to collect a valid form of consent for each type of cookie. Additionally, a web user may wish accept the ToS and yet refuse the clause indicating that he accepts cookies for behavioral adverting.

Am I liable if cookies are inserted by a third party on my website?

Yes. Your liability is engaged as soon as your website allows third parties to insert cookies on the terminal of your web users. This is for example the case if you have an ad network as a partner.

In the case of subcontracting, it is necessary to explicitly set forth correctly each one’s obligations in a written document that is accepted by both parties.

What are the risks if I do not comply with the new law?

All violations of the « data protection act » are punishable by financial sanctions that may reach € 300 000. The Commission is aware that compliance will take longer to implement for some websites than others. In case of a complaint or an inspection, the Commission will take into account the efforts that the data controller has already put in place in order to reach compliance.

Chargement en cours...