Cookies and other tracking devices: the CNIL publishes new guidelines
As part of its action plan on targeted advertisement, the CNIL has adopted guidelines on cookies and other tracking devices. These guidelines outline the applicable law. In early 2020, they will be supplemented by a recommendation aiming at providing guidance to stakeholders on practical modalities for obtaining consent from the Internet user.
Article 82 of the French law "Informatique et Libertés" transposes the 2002/58/EC "Privacy and Electronic Communications Directive" (or "ePrivacy") into French law, as revised in 2009. In particular it outlines the obligation, except in some situations, to collect the consent of users before any operation consisting in reading or writing data from the terminal of the user can occur. In order to offer practical guidelines, the CNIL adopted in 2013 a recommendation to guide operators in the application of this article.
However, the entry into force of the General Data Protection Regulation (GDPR) on 25th of May 2018 reinforced the requirements for a consent to be valid.
Thus, without waiting for the future ePrivacy regulation, which is currently under discussion at the European level and which is not likely to come into force in the short term, the CNIL has decided to update its reference framework. In particular, it was necessary to repeal the 2013 recommendation, which was not compatible with the new provisions of the GDPR.
The guidelines adopted on 4 July, which aim at summarizing the applicable law, constitutes the foundation of the CNIL's action plan announced on June 28th. They will be followed by a new recommendation, which will specify the practical techniques for obtaining a valid consent. This recommendation will be drafted following a 6 months consultation with professionals and the civil society, which will start in the coming months. It will then be subject to a 6 weeks public consultation after which the final recommendation will be published in the first quarter of 2020.
As the CNIL has indicated, a period of adaptation, ending six months after the publication of the future recommendation, will be given to the stakeholders in order to allow them to implement the new rules.
The main novelties are twofold. On the one hand, the scrolling down or swiping through a website or application can no longer be viewed as a valid expression of consent to the implementation of cookies. On the other hand, stakeholders who operate tracking devices must be able to prove that they have obtained the consent.
For what concerns these new provisions, the timeframe given to operators who were compliant with the 2013 Recommendation is meant to take into account the legal requirement of foreseeability in the event of a change in the applicable rules, resulting in particular from the provisions of the European Convention on Human Rights. This timeframe is primarily intended to ensure compliance with the rules protecting the privacy of users on the basis of a robust and sustainable standard set by the regulator.
This adaptation period will not prevent the CNIL from controlling compliance with the other obligations that have not been modified and, if necessary, adopting corrective measures to protect the privacy of users. In particular, operators must not read or write any data in the terminal of the users before obtaining consent. They must also leave the possibility to users to access the service even in case of refusal to consent, and they must provide the possibility to withdraw consent in an easily accessible and usable manner.