European Data Protection Digest

CNIL Releases Cookie Guidance

November 4, 2011

By Gabriel Voisin
Associate, Bird and Bird

In France, implementation of the Directive 2009/136/EC (Directive) has been done through the ordinance of 24 August 2011 n°2011-1012 relating to electronic communications (Ordinance). The new cookie rules, which entered into force on 26 August, now require that consent be obtained before cookies are placed.

Accompanying guidance was approved by the French Data Protection Authority (the “CNIL”) on 26 October and was made available on the CNIL’s website on 2 November. The key elements can be summarised as follows.

The term “cookie” will be broadly interpreted

According to the CNIL’s guidance, the term “cookie” also applies to other technology related to cookies, like “flash” cookies, also known as “Local Shared Objects,” and local web storage, also called DOM Storage. The term “cookie” therefore has a wide scope.

No consent needed for specific types of cookies

The following cookies are not covered by the information and prior consent rules:

  • Cookies that are used like a shopping basket on an online retailer’s website;
  • User session cookies (Session ID), for linking the actions of a user which is necessary to provide the service which they have asked for;
  • Cookies that have the sole purpose of contributing to security the user has asked for;
  • Cookies for registering the language spoken by the user--for sites translated into many languages--or other necessary preferences necessary to provide the requested service;
  • Flash cookies that contain elements strictly necessary to make a media player work (audio or video) if the content has been demanded by the user.

The CNIL indicates that, although no prior information is required for that type of cookie, it is nevertheless recommended for operators to give information about the use of cookies in their website’s privacy policy.

Third-party cookies

In the case that a cookie is inserted by a third party--for example, targeted advertising inserted by an advertising agency--the information and consent do not have to be given twice. As such, if an advertising agency gives the information and collects the consent from the Internet user, the operator in charge of the website does not have to repeat this operation for that particular cookie.

Operators established outside of the European Union

If the operator of the website is established outside of the European Union, it can delegate the implementation of the new provisions to a representative established in France. This representative may also be responsible for the Internet users’ data.

Permission means consent for the CNIL

For the CNIL, the use of the word “permission;” i.e. “accord” in French, in the French translation of the Directive, like in the Ordinance, results from an incorrect translation of the Directive, which uses the word “consent.” In the CNIL’s view, the term “permission” therefore refers to the consent defined in Article 2(h) of Directive 95/46/EC, that is to say “any freely given, specific and informed indication of will.”

Browser settings not mature enough for the CNIL

As previously announced by the CNIL in a public statement made available on the CNIL’s website in September, users' consent to cookies must be specific. Browser settings which accept all cookies without distinguishing their final purpose cannot be considered validly expressed prior consent.

For the CNIL, the setting of most browsers--like Firefox, Internet Explorer, Safari or Chrome--can be changed so that the consent of the user will be demanded for each cookie. However, in the CNIL’s view, this solution raises a number of practical and ergonomic problems for the following reasons:

  • On its own, this solution is insufficient, because it does not give “clear and complete” information to the user when consent is requested;
  • The website that wants to use this mechanism does not have the means to establish whether the user’s browser settings have been correctly established;
  • The settings cover all cookies, even those which are exempt from the prior information and consent rules, because the browser does not have any means to make the distinction;
  • The settings are difficult to implement by the user and vary between one browser and another significantly.

Current browsers do not, on their own, provide a setting that meets the requirements of the Ordinance, but the French legislature has provided other possibilities, stating that users’ consent could be obtained by “any other means under their control.” In the CNIL’s view, this could be, for example, a module added to the Web browser, or a Web platform that manages consent.

How to obtain user consent

For the CNIL, mechanisms for collecting user consent can take many forms, like for example:

  • A banner at the top of a Web page, like the one installed on the ICO website;
  • An area of application for consent, which is superimposed on the page;
  • Boxes to tick when registering for an online service.

The CNIL makes clear in its guidance that the above examples are not exhaustive. However, the CNIL also considers that pop-up windows are not recommended because they are often blocked by browsers.

CNIL’s position regarding the advertising industry’s initiatives

The online advertising industry has developed centralised platforms which allow users to express their preferences for the cookies that online advertisers use; e.g., www.youronlinechoices.com

For the CNIL, these platforms conform to the old legislation, but they have not yet evolved to meet the requirements of prior consent laid out in the Ordinance. According to the CNIL, it would not be technically difficult to modify those platforms to make them compatible with the Ordinance. Users could then access a centralised platform that would allow them to express on a case-by-case basis their consent for receiving cookies that correspond to personal choices.

Consent on subsequent visits not needed

For the CNIL, if users have already given their consent--or refused it--for a certain cookie, it is not necessary to ask again for their consent on subsequent visits.

This principle also applies to third-party cookies. Therefore, for example, if an Internet user accepts third-party cookies coming from an advertising agency for behavioural advertising, this consent will be valid on each website that uses ads from that same agency.

Using cookies to store a user’s refusal to accept cookies

For the CNIL, this solution is envisaged: if the user refuses to accept the cookie, it is useful to record this fact so that consent is not unnecessarily sought on subsequent visits. One of the possible solutions consists of using a refusal cookie that memorises that choice.

Since user consent is specific for a particular purpose, users could both:

  • Refuse to give their consent to receiving a cookie that registers, for example, the last articles they have looked at on an Internet shopping site;
  • Give their consent to receiving a cookie that records their refusal to accept the cookie described above.

In practice, the site must offer multiple choices to the Internet user:

  • Accept the cookie;
  • Refuse the cookie and allow them to reconsider on the next visit;
  • Refuse the cookie and record this refusal, using a “refusal cookie.”

Changing the terms of service is not an acceptable method of obtaining consent

For the CNIL, a single document such as the ToS does not collect valid consent for each type of cookie. In addition, the user may wish to accept the ToS but refuse their consent to cookies that enable profiling for advertising purposes.

Website operators are responsible for third-party cookies used on their site

For the CNIL, it is the website operator’s responsibility when the site allows a third party to place a cookie of one of the users of the site. This is the case, for example, if the website operator has an advertising partner.

In case of subcontracting, the CNIL recommends that the obligations of each party are made clear in a written document that is explicit and accepted by both parties.

What are the risks if the new rules are not complied with?

Website operators are liable for an administrative fine of up to €300,000 for any breach of the law. Criminal sanctions also apply.

However, as a conclusive note, the CNIL mentions in its guidance that they are aware that making some sites compliant will be more time-consuming than for others. In case of a complaint, the CNIL will assess the efforts of the site controller to make the site compliant. 

Gabriel Voisin is an associate with Bird & Bird.