The French Data Protection Authority (the CNIL) published an updated version of its cookie guidelines in the fall of 2020. The document covered recommendations for obtaining user consent to store or read non-essential cookies and similar technologies on users’ devices.
A FAQ document further clarifying the earlier guidelines appeared in March of 2021. The document coincided with enforcement of the new guidelines, which began on April 1. Below is more information on how CNIL guidelines could impact your business.
The CNIL As a Regulatory Body
The CNIL is a French regulatory body focused on data protection for its residents. The agency remains focused on ensuring that its data privacy law safeguards the collection, storage, and use of residents’ personal data.
Part of the agency’s role is to educate citizens about their rights under the data protection act. They also respond to individual inquiries made by both companies and individuals. The updated rules apply to the processing of cookies of any business or organization in France, regardless of where the actual processing occurred.
Enforcement of the amended guidelines began in April of 2021.
Key Aspects of Cookie Regulation Through the CNIL Guidelines
The CNIL guidelines contain provisions that both residents and businesses should pay close attention to. Below are a few.
The Ability to Withdraw Consent – It must be easy for users to withdraw their consent to the use of cookies or tracking devices at any time. There must be an easily findable web page where users can modify their choices.
Defined Consent Exceptions – Technically, the guidelines say that users’ consent is required for any category or cookie purpose. But there are some cookies that are recognized as necessary, and those cookies are allowed regardless of consent. Here is a list of what is allowed:
- Cookies or trackers that store users’ consent choices.
- Cookies or trackers that are designed to monitor authentication of service for security purposes, such as limiting login attempts.
- Cookies or trackers that store the shopping cart information or invoicing for products or services.
- Cookies or trackers that are used to customize website settings such as language or website presentation.
- Cookies or trackers that allow for load balancing within a communication service.
- Cookies or trackers that restrict access to paid website content for non-paying customers.
The Use of Cookie Walls and Common Consent Methods – The CNIL doesn’t prohibit the use of cookie walls, but they may evaluate each on an individual basis. Granular consent must be obtained, which makes a single generic form covering all cookies on your website unacceptable.
What Businesses and Organizations Need to Do to Follow CNIL Guidelines:
- All required information needs to be included on the Cookie Banner and in the cookie preference center so that website users remain fully informed of all cookie use. The banner might use options such as “Accept all,” “Refuse all,” or “Personalize my choices.” This gives users the ability to exercise more control in the process.
- Valid consent from all users must be obtained before trackers can be used. The consent must be freely given and unequivocal.
- The approach must be adapted to each specific cookie category.
- The intake and fulfillment of data subject requests must be automated.
- Avoid using any pre-loaded cookies that aren’t strictly necessary until a user clicks the accept button.
- Avoid using any cookies that have been explicitly rejected by the user.
- Only use analytics cookies that collect anonymous statistical data until the user consents to the use of anything more specific.
- Users must be able to recall and revoke any previous consents easily.
- A consent log must be kept to quickly and easily provide proof of consent to any user who requests it.
Organizations Must Obtain Informed Consent
Any website using cookies or trackers must obtain the informed consent of users. This means that the user must be reasonably informed on the type and purpose of any cookie used. The identity of the data controllers, processors, and third parties should also remain readily visible for the user to make this informed decision.
The information disclosed under these circumstances must be in clear language with no industry jargon that would make it difficult for the user to understand what they are consenting to. Below is some of the additional information that must be readily available to the end-user:
- Identity of website owner/organization/administrator and any relevant third parties.
- The purpose of each cookie or tracker.
- Instructions on how to accept or reject each cookie or tracker.
- What happens when a cookie is either accepted or rejected.
- The right to withdraw consent.
The consent of the user must be obtained in a clear and distinct manner through some form of positive action. This means that websites are not allowed to use any form of pre-clicked checkboxes. Any sort of implied consent is considered invalid.
Once this form of consent is given by the user, it’s up to the business or organization to maintain that consent and be responsible for proof of consent at any given time.
Individual Rights Under the CNIL Guidelines
The CNIL guidelines were established to protect the online privacy rights of French citizens. Some of these rights include:
The Right of Access – French website users maintain the right to ask the data controller what types of personal information they might possess about them, and request that it be disclosed in full to the user.
The Right to Data Portability – Users may request access to any relevant data being held by controllers and are free to store portable data elsewhere, or transfer it from one service to another.
The Right of Rectification – Sometimes the data stored on individuals may not be entirely accurate. Users may request the correction of inaccurate information and then access the rectified information.
The Right to Object – Users maintain the right to object to the distribution, transmission, storage, or fulfillment of data.
CookieScript and the Updated CNIL Guidelines
CookieScript can be used to help your company maintain compliance with the updated CNIL regulations. We offer an easy platform for your users to personalize their tracking preferences in the processing of their information.
Our software comes with a variety of tools, including third-party script management, consent recording, monthly website scans, automatic cookie categorization, cookie declaration automatic update, translations into 34 languages, and much more.
Frequently Asked Questions
What is the CNIL?
The CNIL is a French regulatory body that protects the data privacy rights of all French citizens. The organization is also responsible for educating citizens about their data privacy rights and helping them to understand what websites can and cannot track.
When did the updated CNIL guidelines go into effect?
The updated guidelines were written in the fall of 2020 and went into effect in April of 2021. Website owners are now expected to follow these guidelines.
How does the CNIL impact cookie regulation?
The updated version of the CNIL guidelines addresses several key aspects of cookie regulation. These are the ability to withdraw consent, defined consent exceptions, and the use of cookie walls.
What is informed consent for cookies?
Organizations and website owners must obtain informed consent before using any cookies or trackers with the end-user. This means that the questions must be framed clearly and the end-user must take positive action in order to provide such consent. The language used must be clear and direct, without any industry jargon.
What data privacy rights do French citizens have under the CNIL?
French citizens have several data privacy rights provided to them under the CNIL, including the right of access, the right to data portability, the right to rectification, and the right to object. A platform such as CookieScript can help individuals maintain these rights as they navigate your website.