The transposition into French law of the directives known as the "Telecoms Package" notably reinforces the obligation to inform web users about cookies. The law now requires website publishers, in certain cases, to inform web users and to collect their consent before placing cookies. How can a site comply? Which cookies are concerned? The CNIL takes a look at these new obligations.
The “Telecoms Package” is the name given to two directives and one regulation on electronic communications that were adopted by the European Parliament and the Council on November 25, 2009.
One of these texts directly impacts data protection since the directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (2002/58/EC) has been amended (directive 2009/136/EC).
The French government has transposed the directive in a legislative order published on August 24, 2011 (called the “Telecoms Package ordinance”), which notably modifies article 32 II of the French data protection act of January 6, 1978.
A tentative translation in English of the new article 32 II of the French data protection act of January 6, 1978 follows:
“Unless relevant information has already been provided to him, any subscriber or user of an electronic communication service must be informed in a clear and comprehensive manner by the data-controller or his representative of:
This access or storage can only take place if the subscriber or user has expressed his agreement, after being provided with this information; such agreement may result from appropriate settings of his connection device or any other device placed under his control.
These provisions do not apply if access to information stored in the terminal equipment of the user or the storage of information in the terminal equipment of the user:
Previously, websites only needed to inform web users that a cookie was placed on their computer and to allow them to object to it.
In practice, the information was general and was most frequently buried in the general Terms of Service (ToS).
Now, the information must be provided before the cookie is stored, and the web user’s consent must be collected.
Warning: The right to object at any time to the use of a cookie that has already been placed remains, as does the obligation to specify what the cookie is used for.
Strictly speaking, the law refers to “information stored in the terminal equipment” that a website places in the user’s terminal. Placing a cookie is similar to putting a “label” on the web user’s terminal. If this “label” contains a unique identifier, the website can use that identifier to distinguish one web user from another, and therefore to recognize the user on a later visit to the site.
For example, in online behavioral advertising, a digital identifier contained in a cookie makes it possible to label and therefore to “track” a web user, in order to build a profile based on the pages visited on the web. This profile is then used to serve targeted advertising to the user.
These measures also apply to technologies related to cookies, such as “flash” cookies (also called “Local Shared Objects”) and local web storage (also called “DOM storage”). The word “cookie” must therefore be interpreted broadly.
No. These rules do not apply to a cookie that:
For example, these rules of information and prior consent do not apply to the following cookies:
Even though prior information is not required for this type of cookie, it is nevertheless recommended to describe their use in the website’s privacy policy.
Yes. Directive 2002/58/EC applies to all types of information stored in the cookie. It specifies that the “terminal equipment of users […] and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms.”
The Article 29 working party (WP29) has further noted that “the protection of an area deemed to be the private sphere of the data subject is what triggers the obligations contained in Article 5(3), not the fact that the information is, or is not, personal data.”
The controller of the processing that uses cookies is responsible for informing web users. However, this information may be provided by a third party designated by the data controller.
In the case where a cookie is inserted by a third party (for example: a targeted ad placed by an external ad network), information and consent do not need to be implemented twice. Hence, if the ad network already provided information and received consent from the web user, the website that displays the ad does not need to repeat this operation.
In the event that the data controller is established outside of the European Union, he may delegate the implementation of the French data protection requirements to a representative established in France. This representative may also be in charge of providing information to web users.
The use (in French) of the word “agreement” in the directive, as well as in the legislative order, results from an imprecise translation of the original English directive, which uses the word “consent”.
The word “agreement” thus clearly refers to consent as defined in article 2(h) of Directive 95/46/EC, that is to say to “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
In this context, the user’s consent must be:
The validity of consent is linked to the quality of the information provided. It must be written in simple terms that are comprehensible to the general public, while remaining precise. For example, if the purpose of the cookie is to “create user profiles in order to present targeted advertising”, the information should reuse all of these terms and should not be limited to the word “advertisement”.
For consent expressed through browser settings to be free and specific, the user must be able to choose which cookies he accepts and for what purpose. A browser that accepts all cookies by default, without distinguishing their purpose, would not be considered to provide valid consent, since that consent would not be specific.
Settings on most browsers (such as Firefox, Internet Explorer, Safari or Chrome) can be modified so that the user’s agreement is asked for every cookie. However, this solution raises practical problems and user-interface issues for the following reasons:
Since current browsers alone do not offer settings that meet the requirements of the law, the legislator has provided for other possibilities by specifying that the user’s consent may also be expressed by “any other device placed under his control”. This could be, for example, a browser plug-in or a web consent management platform.
First, the person must be informed of the purpose of the cookie (e.g. advertising); then he must be asked whether he accepts the storage of a cookie on his computer, while being notified that he will be able to withdraw his consent later.
This mechanism to ask for the user’s consent may take several forms, such as for example:
These examples are by no means exhaustive.
Warning: Traditional browser “pop-up” windows are not recommended because they are often blocked by browsers.
Browser vendors are currently developing new mechanisms to allow web users to express their privacy preferences. One example is the “do-not-track” mechanism currently being developed by the Mozilla Foundation (the publisher of Firefox), which could soon be standardized by the World Wide Web Consortium (W3C). This mechanism does not directly address cookies, but it could be adapted or modified to meet the requirements of the law, provided it is activated by default in browsers (to indicate that the user does not want to be tracked) and allows users to set their preferences easily.
The online advertising industry has developed centralized platforms that allow users to express their preferences regarding cookies used by ad networks. These platforms were built for compliance with the previous legislation and have not yet evolved to comply with the principle of consent established by the new legislation. Technically, it would not be very complex to modify these platforms to make them compatible with the new legislation. The user could then access a centralized platform enabling him to express, on a case-by-case basis, his agreement to receive cookies, reflecting his personal choices.
No. If the user has already given his agreement (or expressed his objection) for a cookie, it is not necessary to request his consent again during subsequent visits. This principle also applies to “third party” cookies. Hence, for example, if a web user agrees to receive third-party cookies from a specific ad network for the purpose of behavioral advertising, this consent is valid for all websites that display ads from the same ad network.
Yes. This solution is entirely conceivable: if the user refuses a cookie, it is useful to record this refusal so as not to needlessly ask for his consent again.
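The mechanism described above (inform the user of the purpose, ask before storing, allow later withdrawal, and remember both consent and refusal so the user is not asked again on the next visit) can be coded as a gate placed in front of every cookie write. The block below is an added example in JavaScript, not code from the CNIL or from the page; the purpose names and their descriptions, the function names (`createConsentGate`, `demoVisit`, `memoryPersistence`) and the in-memory stand-ins for the browser's cookie store and for the place decisions are remembered are all assumptions made for the example.

```javascript
// Added example (not CNIL's code): a per-purpose consent gate in front of every cookie write.

// Purposes the site operator declares. `text` is the plain-language description shown to
// the user before asking for consent (wording constructed for this example). `exempt` marks
// cookies the operator has determined fall outside the consent rule; the legal test for
// that is not encoded here.
const PURPOSES = {
  advertising: { text: "create user profiles in order to present targeted advertising", exempt: false },
  audience: { text: "measure the audience of the pages visited on this site", exempt: false },
};

// In-memory stand-in for where decisions are remembered (in a browser: a first-party
// cookie or localStorage), so the module runs outside a browser.
function memoryPersistence() {
  let blob = null;
  return {
    load: () => (blob === null ? null : JSON.parse(blob)),
    save: (record) => { blob = JSON.stringify(record); },
  };
}

function createConsentGate(purposes, persistence) {
  // One entry per purpose once the user has decided: { granted: bool, at: ISO date }.
  // Refusals are stored too, so the user is not asked again on the next visit.
  const record = persistence.load() || {};

  function decide(purpose, granted) {
    if (!(purpose in purposes)) throw new Error(`unknown purpose: ${purpose}`);
    record[purpose] = { granted: granted === true, at: new Date().toISOString() };
    persistence.save(record);
  }

  // Purposes that still need a prompt: consent required and no decision recorded yet.
  function pendingPurposes() {
    return Object.keys(purposes).filter((p) => !purposes[p].exempt && !(p in record));
  }

  function allowed(purpose) {
    const def = purposes[purpose];
    if (!def) return false; // undeclared purpose: never written
    if (def.exempt) return true;
    const d = record[purpose];
    return d !== undefined && d.granted;
  }

  // Every cookie write goes through here. `jar` is a Map standing in for the browser's
  // cookie store; the stored value is the cookie string that would be set.
  function setCookie(jar, name, value, purpose, maxAgeSeconds) {
    if (!allowed(purpose)) return false;
    jar.set(name, `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`);
    return true;
  }

  // Withdrawal at any time: record a refusal and expire the cookies already set for that purpose.
  function withdraw(purpose, jar, cookieNames) {
    decide(purpose, false);
    for (const n of cookieNames) {
      if (jar.has(n)) jar.set(n, `${n}=; Max-Age=0; Path=/`);
    }
  }

  return { decide, pendingPurposes, allowed, setCookie, withdraw };
}

// One visit walked through: nothing is written before the user has decided, a refusal
// blocks the write, and a withdrawal blocks later writes and expires the existing cookie.
function demoVisit() {
  const gate = createConsentGate(PURPOSES, memoryPersistence());
  const jar = new Map();
  const writtenBeforeAsking = gate.setCookie(jar, "ad_id", "abc123", "advertising", 3600);
  const toAsk = gate.pendingPurposes();
  gate.decide("advertising", true);
  gate.decide("audience", false);
  const writtenAfterConsent = gate.setCookie(jar, "ad_id", "abc123", "advertising", 3600);
  const writtenAfterRefusal = gate.setCookie(jar, "visits", "1", "audience", 3600);
  gate.withdraw("advertising", jar, ["ad_id"]);
  const writtenAfterWithdrawal = gate.setCookie(jar, "ad_id", "abc123", "advertising", 3600);
  return {
    writtenBeforeAsking,     // false
    toAsk,                   // ["advertising", "audience"]
    writtenAfterConsent,     // true
    writtenAfterRefusal,     // false
    writtenAfterWithdrawal,  // false
    stillPending: gate.pendingPurposes(), // []: both decisions are remembered
    adCookieExpired: jar.get("ad_id").includes("Max-Age=0"), // true
  };
}
```

Because the decision record is reloaded from persistence on each visit, a second `createConsentGate` built on the same persistence sees the earlier choices and only prompts for purposes that were never decided, which is the behaviour the two answers above call for.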
Since the user’s consent is specific for a determined purpose, the user can simultaneously:
In practice, the website should be able to offer multiple choices to the user:
No. A single document such as the ToS does not make it possible to collect valid consent for each type of cookie. Additionally, a web user may wish to accept the ToS and yet refuse the clause indicating that he accepts cookies for behavioral advertising.
Yes. Your liability is engaged as soon as your website allows third parties to insert cookies on the terminal of your web users. This is for example the case if you have an ad network as a partner.
In the case of subcontracting, each party’s obligations must be explicitly and correctly set out in a written document accepted by both parties.
All violations of the “data protection act” are punishable by financial sanctions that may reach € 300 000. The Commission is aware that compliance will take longer to implement for some websites than for others. In the event of a complaint or an inspection, the Commission will take into account the efforts the data controller has already made to reach compliance.