CNIL guidelines on tracking

On 4 July, the French data protection authority CNIL published updated guidelines on the use of cookies and other tracking technologies in application of the ePrivacy Directive and the GDPR. The updated guidelines adopted on 19 July have been published in the French Official Journal and can be consulted here (only available in French so far). The Guidelines replace previous CNIL Guidelines on the same subject of 5 December 2013.
Overall, the text seems to be a rather constructive contribution to the ongoing efforts of the supervisory authorities and industry to interpret and implement the GDPR. With the publication of these guidelines, the CNIL also announces plans for further “sectoral” guidelines later this year. Given the rather close match between the requirements defined by the CNIL in these guidelines and the features and functions of TCF V2, there seems to be at least some prospect of TCF playing a role in future detailed guidelines for the digital advertising industry.
Some highlights of the new guidelines are listed here:

General information

The Guidelines confirm the view of the CNIL that consent under the ePrivacy Directive should be understood as having the same meaning and the same characteristics as consent under the GDPR (see p. 2).

Article 1 – Scope of application

As regards scope, the guidelines cover all operations aimed at accessing or storing information stored on user terminals.  Devices explicitly include tablets, smartphones, PCs and laptops, game consoles, connected TV, connected cars, voice assistants and any other device connected to a public telecommunications network.  Cookies are covered, as are locally shared objects/flash cookies, HTML5 local memory, device fingerprints, advertising or operating system IDs, and more. (S. 2).

Article 2 – How to obtain a valid consent

The guidelines tend to reject cookie walls, although they offer at least some flexibility to make access conditional on consent. First, the CNIL considers that consent is only valid if the user is able to refuse or withdraw consent for cookies without any significant advantages or disadvantages (“d’inconvénients majeurs”). Secondly, in support of this position, the Guidelines refer to the 2018 Statement of the European Data Protection Board on the revision of the ePrivacy Directive and its impact on privacy and confidentiality of communications, which states that the consent of users who expect negative consequences from refusing or withdrawing their consent to tracking is invalid (p. 2).

Users must be able to give their consent for any particular data processing purpose independently of other processing purposes.  The Guidelines consider that the user’s consent to data processing for several purposes at once (e.g. “accept all”) is acceptable as long as the user has the additional possibility of individual consent for each purpose (see Article 2, p. 2).

Users whose consent to cookies is obtained must be informed:

  • The identity of the data controller
  • The purposes of data processing and storage
  • Information on the existence of the right to withdraw consent

The Guidelines point out that if access and storage [e.g. to place a cookie] are followed by the processing of personal data and the legal basis for such further processing is consent, the full range of disclosure of information required by the GDPR must be provided.  Interestingly, the Guidelines do not assume that consent is the only possible legal basis for further processing of personal data, as the ICO has recently done in its own guidance on cookies.

For the consent to be valid, the user must be provided with an updated, complete list of all companies that use cookies or other trackers before they can consent. There are no longer proper guidelines for formatting such information publications.

The approval must be signalled by a positive action. Scrolling down does not comply with this standard. However, the guidelines do not seem to exclude a positive action to confirm the preset options.

The Guidelines recall that the GDPR requires that data controllers can prove at any time that they have obtained the consent of the user if the consent is the legal basis.  This means that actors using trackers must put in place mechanisms that allow them to prove at any time that they have obtained legal consent.  There is no longer any prescriptive or detailed information about what such mechanisms must consist of (p. 3).

Third Party may obtain such consent on behalf of the data controller. In this context, the CNIL considers that mere contractual clauses requiring First Party to obtain valid consent on behalf of Third Party are not sufficient to satisfy the requirement of proof of valid consent (Article 2, page 3). Consent must be as easy to revoke as it is to give and users must be able to do so at any time.

Article 3 – on the roles and responsibilities of the relevant parties

The guidelines provide for different roles and degrees of liability depending on the scenario. A third party can therefore be a controller or a joint controller with the first party or a processor. In the case of joint controllership, data controllers should define their respective obligations in a transparent manner. In the case of a controller-processor relationship, a contract or other legally binding act concluded between the two parties must clarify each party’s obligations (p. 3).  The reference to other legally binding acts seems to at least potentially include mechanisms such as the TCF.

Article 4 – user terminal settings, including browser settings

The guidelines consider that, according to the current state of technology, the consent expressed via the browser settings does not correspond to the GDPR standard of the informed and specific consent and cannot take into account any scenarios beyond the use of cookies such as fingerprints. They do, however, evoke the possibility of further developing the browser features and functions that ultimately address these problems, including through the integration of mechanisms to enable GDPR-compliant consent collection. Here, too, there seems to be a possibility or at least an implicit reference to TCF.

Article 5 – cookies for audience measurement, instructions on cookies storing time

The Guidelines contain fairly binding provisions on retention and access to audience measurement, including the circumstances in which such retention and access should not require consent.  These are listed in Article 5.

With regard to the duration of data retention, the CNIL maintains its previous guidelines that cookies should not have a life of more than 13 months before a new consent is obtained. Information collected through cookies and other tracking technologies should not be retained for longer than 25 months.