In this article, you will learn what is CNIL – Commission Nationale de l’informatique et des libertés (National Commission on Informatics and Liberty) and how to comply with CNIL.
On October 1, 2020, the French Data Protection Authority (CNIL) published a revised version of its 2019 guidelines on cookies and similar technologies. The revised version was published to take into account the GDPR regulation on cookies as well.
CNIL or Commission Nationale de l’informatique et des libertés (National Commission on Informatics and Liberty) is a French administrative regulatory body that has the power to enforce data protection laws in France. CNIL is responsible for enforcing all the below three laws in the country.
- French Data Protection Act
- GDPR
- ePrivacy Directive
It also holds the power to receive complaints and to issue fines for violation of laws.
If your business falls into any of the following categories, you are required to comply with it.
- Is based in France and french territories overseas
- Collects and/or processes personal data of citizens and residents of France and french territories overseas
These are the same applicability principles as in the GDPR.
Following are the major requirements for cookie compliance under CNIL.
1. Explicit user consent
Users should allow consent with a clear affirmative positive action (such as clicking on “I accept” on a cookie banner). User’s inaction, scrolling or continued browsing, etc., cannot be taken as consent and no cookies other than the necessary ones should be put in the user’s device until explicit consent is received.
2. Option to refuse cookies
Users should be able to refuse cookies with the same ease as they accepted them in the first place.
3. Option to withdraw consent
Users should be able to withdraw their consent for cookies easily and at any time.
4. Purpose of cookies
Users must be clearly informed of the purposes of the cookies before consenting, along with the consequences of accepting or rejecting cookies.
5. Proof of consent
Businesses that seek consent for cookies should provide, at any time, proof of the valid collection of the free, informed, specific, and unambiguous consent of the user.
Following is an infographic that will give you a quick idea of the compliance requirements under CNIL.
Both CNIL and GDPR have similar requirements when it comes to seeking consent from the users on the rendering of cookies. They are shown below.
- The consent must be given freely. The user should be free to choose whether to give consent for cookies or not.
- The consent must be specific. You have to obtain consent for each purpose of data collection. This means that if you have obtained consent for analytics purposes, you need new consent for data collection for marketing purposes.
- The consent request must be well informed. It means that you must inform the user of your privacy practices at the moment of the request. Informing them that you use cookies and presenting them with a link to your privacy policy is a good practice to do.
- The consent must be unambiguous. You have to show an ACCEPT and REJECT button. Showing only the ACCEPT button is not enough. The user should be able to take affirmative action on your website.
Although asking for explicit consent is necessary under CNIL, it exempts certain cookies to be allowed without users’ consent. Following is the list of cookies exempted from the collection of consent.
- Cookies intended for authentication with a service
- Cookies used to remember the cart items on an eCommerce site
- Certain cookies intended to generate traffic statistics
- Cookies allowing paid sites to limit free access to a sample of content requested by users
- Cookies storing users’ consent choice
- User interface customization cookies
- Language preference cookies
The CNIL considers that consent should come exclusively from a positive act. Therefore, any inaction must be understood as a refusal to use cookies.
Following are the two cases where you can set cookies on your users’ devices.
- The user has expressed his/her consent to load cookies
- Cookies belong to the exempted category (as listed in the above section)
In principle, it is necessary to keep the choices expressed by the user, whether it is his consent or his refusal. Thus, while browsing the website, they will not have to reformulate their choice from page to page.
In general, it is therefore recommended to save the choice expressed by the Internet user so as not to request him again for a certain period.
The retention period of the choices will have to be assessed on a case-by-case basis (with regards to the nature of the website or application concerned and the specificities of its audience). Generally, it is good practice to keep the choices for a period of 6 months.
Cookie walls are website designs that require a user to accept cookies before being able to access the contents of the website. While the 2019 guidelines completely forbid the use of cookie walls. As a result of France’s court ruling against the law, CNIL has edited its Guidelines to state that the lawfulness of cookie walls must be assessed on a case-by-case basis.
If a cookie wall is used, the user should be clearly notified that it is impossible to access content without consent. Otherwise, the cookie wall or banner should shortly go away, so it does not interfere with the user’s access to the content or otherwise sway the user to consent.
CNIL has put forward both guidelines and recommendations. CNIL guidelines on cookies and other tracers inform you of the law applicable while a user interacts with the internet via the interface of a smartphone, computer, tablet, etc.
The recommendation is meant to guide the professionals concerned in their compliance process. It offers examples of practical methods for obtaining consent per the applicable rules but also to meet the requirements set out in article 82 of the Data Protection Act.
CNIL issues a fine against an organization in case of an infringement of the GDPR or French Data Protection Act in two ways.
- Following a complaint or a report of violation to the CNIL
- Following an investigation carried out by the CNIL
In both cases, the chair of the CNIL may appoint a rapporteur among the CNIL’s commissioners, except the members of the restricted committee, and refer to the restricted committee. The restricted committee is composed of five CNIL commissioners and a chairperson elected among them.
The organization incriminated is informed, and documents are exchanged during the written procedure between the rapporteur and the organization. The restricted committee then receives all the documents.
During the procedure, the incriminated organization may be heard if the rapporteur considers it is useful. In this case, a written report will confirm the hearing.
The penalty can be monetary or non-monetary. In monetary terms, the incriminated business or organization will be forced to pay an amount of up to 4% of the total worldwide turnover or up to £20M, whichever is greater. In non-monetary terms, there will be a warning, an injunction with periodic penalty payments, etc.
You can make the CNIL compliance journey easy for your WordPress website with the help of the GDPR Cookie Consent plugin by WebToffee. The plugin makes cookie management easy with its powerful set of features.
The plugin provides you with the following features.
- Autocookie scan – The plugin automatically scans your website for cookies.
- Cookie Consent banner – You can create and customize a consent banner to meet the requirements mentioned in the guidelines of the laws.
- Granular consent option – Seek explicit consent for cookies by informing users regarding the use of each type of cookie on your website.
- Cookie consent log – Record your users’ consent with relevant data such as cookies consented to, date, time, etc.
- Automatic script blocking – You can enable script blocking of cookies from third-party plugins and services
- Privacy policy generator – Easily generate a privacy/cookie policy from scratch.
Conclusion
In the wake of the new set of guidelines put forth by CNIL, you don’t have too long left to comply with it. So get started on your compliance journey today with the GDPR Cookie Consent and Compliance Notice plugin. If you are interested in learning about other privacy laws like CCPA and POPIA, we recommend you read the following articles.
California Consumer Protection Act (CCPA) and Cookies: What you need to know, All You Need to Know about Compliance with POPIA.