Overall, the text is a rather constructive contribution to the ongoing efforts of the supervisory authorities and industry to interpret and implement the GDPR. With the publication of these guidelines, the CNIL also announces plans for further “sectoral” guidelines later this year. Given the rather close match between the requirements defined by the CNIL in these guidelines and the features and functions of TCF v2, there is at least some prospect of the TCF playing a role in future detailed guidelines for the digital advertising industry.
Some highlights of the new guidelines are listed here:
The Guidelines confirm the view of the CNIL that consent under the ePrivacy Directive should be understood as having the same meaning and the same characteristics as consent under the GDPR (see p. 2).
Article 1 – Scope of application
As regards scope, the guidelines cover all operations aimed at accessing or storing information on user terminals. Devices explicitly include tablets, smartphones, PCs and laptops, game consoles, connected TVs, connected cars, voice assistants and any other device connected to a public telecommunications network. Cookies are covered, as are local shared objects (Flash cookies), HTML5 local storage, device fingerprints, advertising or operating-system identifiers, and more (p. 2).
Article 2 – How to obtain a valid consent
The guidelines tend to reject cookie walls, although they leave at least some flexibility to make access conditional on consent. First, the CNIL considers that consent is only valid if the user is able to refuse or withdraw consent for cookies without suffering major disadvantages (“d’inconvénients majeurs”). Secondly, in support of this position, the Guidelines refer to the 2018 Statement of the European Data Protection Board on the revision of the ePrivacy Directive and its impact on the privacy and confidentiality of communications, which states that the consent of users who expect negative consequences from refusing or withdrawing their consent to tracking is invalid (p. 2).
Users must be able to give their consent for any particular data processing purpose independently of other processing purposes. The Guidelines consider that the user’s consent to data processing for several purposes at once (e.g. “accept all”) is acceptable as long as the user has the additional possibility of individual consent for each purpose (see Article 2, p. 2).
Users whose consent to cookies is sought must be informed of:
- The identity of the data controller
- The purposes of data processing and storage
- Information on the existence of the right to withdraw consent
The Guidelines point out that if access and storage [e.g. to place a cookie] are followed by the processing of personal data and the legal basis for such further processing is consent, the full range of disclosure of information required by the GDPR must be provided. Interestingly, the Guidelines do not assume that consent is the only possible legal basis for further processing of personal data, as the ICO has recently done in its own guidance on cookies.
Consent must be signalled by a positive action. Scrolling down does not meet this standard. However, the guidelines do not appear to exclude a positive action that confirms pre-set options.
The Guidelines recall that the GDPR requires data controllers to be able to prove at any time that they have obtained the user’s consent where consent is the legal basis. This means that actors using trackers must put in place mechanisms that allow them to prove at any time that valid consent was obtained. The Guidelines give no further prescriptive or detailed indication of what such mechanisms must consist of (p. 3).
A third party may obtain such consent on behalf of the data controller. In this context, the CNIL considers that mere contractual clauses requiring the first party to obtain valid consent on behalf of the third party are not sufficient to satisfy the requirement of proof of valid consent (Article 2, p. 3). Consent must be as easy to withdraw as it is to give, and users must be able to withdraw it at any time.
Article 3 – on the roles and responsibilities of the relevant parties
The guidelines provide for different roles and degrees of liability depending on the scenario. A third party can therefore be a controller or a joint controller with the first party or a processor. In the case of joint controllership, data controllers should define their respective obligations in a transparent manner. In the case of a controller-processor relationship, a contract or other legally binding act concluded between the two parties must clarify each party’s obligations (p. 3). The reference to other legally binding acts seems to at least potentially include mechanisms such as the TCF.
Article 4 – user terminal settings, including browser settings
Article 5 – cookies for audience measurement, rules on cookie storage duration
The Guidelines contain fairly binding provisions on the storage of, and access to, audience-measurement cookies, including the circumstances in which such storage and access do not require consent. These are listed in Article 5.
With regard to the duration of data retention, the CNIL maintains its previous guidance that cookies should not have a lifetime of more than 13 months before new consent is obtained. Information collected through cookies and other tracking technologies should not be retained for longer than 25 months.
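The requirements summarised in Article 2 and Article 5 (per-purpose consent, “accept all” only alongside individual choice, a positive action, withdrawal as easy as giving consent, a retrievable proof of consent, and the 13-month ceiling on cookie lifetime) are what a consent-management component has to enforce. The following Python sketch is an added illustration of one way to model them; it is not the CNIL’s text and not any CMP vendor’s code. The purpose names, the controller name, the user ids and the set of “positive” UI actions are constructed assumptions for the example.

```python
"""Per-purpose consent ledger (constructed example, not the CNIL's or any CMP's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed purpose names for this example; a real deployment lists its own.
PURPOSES = ("audience_measurement", "personalised_ads", "social_sharing")
# Assumed UI events that count as a positive act of consent. Scrolling is not one.
POSITIVE_ACTIONS = {"click_accept_all", "click_save_choices", "toggle_purpose"}
CONSENT_LIFETIME_MONTHS = 13  # cookie lifetime ceiling before consent must be renewed


def ts(year: int, month: int, day: int) -> datetime:
    """Helper building a UTC timestamp (used by the demo and tests)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def months_ago(now: datetime, months: int) -> datetime:
    """Calendar-month subtraction; day is clamped to 28 to avoid invalid dates."""
    year, month = now.year, now.month - months
    while month <= 0:
        year -= 1
        month += 12
    return now.replace(year=year, month=month, day=min(now.day, 28))


@dataclass
class ConsentRecord:
    user_id: str
    controller: str             # identity of the data controller shown to the user
    given_at: datetime
    action: str                 # the UI event that signalled consent
    choices: Dict[str, bool]    # purpose -> accepted?
    per_purpose_offered: bool   # was individual choice available next to "accept all"?
    withdrawn: Dict[str, datetime] = field(default_factory=dict)


class ConsentLedger:
    """Keeps every consent record so the controller can prove consent at any time."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def _latest(self, user_id: str) -> Optional[ConsentRecord]:
        for rec in reversed(self._records):
            if rec.user_id == user_id:
                return rec
        return None

    def record(self, user_id: str, controller: str, action: str,
               choices: Dict[str, bool], per_purpose_offered: bool,
               now: datetime) -> ConsentRecord:
        if action not in POSITIVE_ACTIONS:
            raise ValueError(f"{action!r} is not a positive action; consent not recorded")
        if action == "click_accept_all" and not per_purpose_offered:
            raise ValueError("'accept all' is only valid when per-purpose choice is also offered")
        unknown = set(choices) - set(PURPOSES)
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        rec = ConsentRecord(user_id, controller, now, action, dict(choices), per_purpose_offered)
        self._records.append(rec)
        return rec

    def withdraw(self, user_id: str, purpose: str, now: datetime) -> bool:
        """One call per purpose: withdrawing must be as easy as giving consent."""
        rec = self._latest(user_id)
        if rec is None:
            return False
        rec.withdrawn[purpose] = now
        return True

    def is_valid(self, user_id: str, purpose: str, now: datetime) -> bool:
        rec = self._latest(user_id)
        if rec is None or not rec.choices.get(purpose, False):
            return False
        if purpose in rec.withdrawn:
            return False
        # 13-month ceiling: consent older than this must be renewed
        return rec.given_at > months_ago(now, CONSENT_LIFETIME_MONTHS)

    def proof(self, user_id: str) -> Optional[dict]:
        """The evidence a controller would produce on request."""
        rec = self._latest(user_id)
        if rec is None:
            return None
        return {"user_id": rec.user_id, "controller": rec.controller,
                "given_at": rec.given_at.isoformat(), "action": rec.action,
                "choices": dict(rec.choices),
                "withdrawn": {p: t.isoformat() for p, t in rec.withdrawn.items()}}


def demo() -> dict:
    """Runs the scenarios from the text against constructed sample input."""
    ledger = ConsentLedger()
    t0 = ts(2019, 8, 1)
    out = {}
    try:  # scrolling is not a positive action
        ledger.record("u1", "example-controller", "scroll", {"personalised_ads": True}, True, t0)
        out["scroll_rejected"] = False
    except ValueError:
        out["scroll_rejected"] = True
    try:  # "accept all" without an individual choice is not acceptable
        ledger.record("u1", "example-controller", "click_accept_all",
                      dict.fromkeys(PURPOSES, True), False, t0)
        out["bulk_without_choice_rejected"] = False
    except ValueError:
        out["bulk_without_choice_rejected"] = True
    ledger.record("u1", "example-controller", "click_save_choices",
                  {"audience_measurement": True, "personalised_ads": False}, True, t0)
    out["measurement_ok_at_12_months"] = ledger.is_valid("u1", "audience_measurement", ts(2020, 8, 1))
    out["measurement_expired_after_13_months"] = not ledger.is_valid("u1", "audience_measurement", ts(2020, 9, 2))
    out["ads_refused"] = not ledger.is_valid("u1", "personalised_ads", t0)
    ledger.withdraw("u1", "audience_measurement", ts(2019, 9, 1))
    out["withdrawn_invalid"] = not ledger.is_valid("u1", "audience_measurement", ts(2019, 10, 1))
    out["proof_available"] = ledger.proof("u1") is not None
    return out


if __name__ == "__main__":
    print(demo())
```

The ledger keeps the full record (controller identity, the action taken, the per-purpose choices and any withdrawal) because the proof obligation falls on the controller regardless of whether a third party collected the consent; a contractual clause alone would not produce this evidence.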