On October 1, 2020, the French Data Protection Authority (CNIL) published a revised version of its 2019 guidelines on cookies and similar technologies. The revised version was published to take into account the GDPR regulation on cookies as well.
What is CNIL?
CNIL or Commission Nationale de l’informatique et des libertés (National Commission on Informatics and Liberty) is a French administrative regulatory body that has the power to enforce the data protection laws in France. CNIL is responsible for enforcing all the below three laws in the country.
- French Data Protection Act
- ePrivacy Directive
It also holds the power to receive complaints and to issue fines for the violation of laws.
Who will be Subject to CNIL?
If your business falls into any of the following categories, you are required to comply with it.
- Is based in France and french territories overseas
- Collects and/or processes personal data of citizens and residents of France and french territories overseas
These are the same applicability principles as in the GDPR.
What are the Requirements for Cookie Compliance under CNIL?
Explicit User Consent
User should allow consent with a clear affirmative positive action (such as clicking on “I accept” on a cookie banner). User’s inaction, scrolling or continued browsing, etc., cannot be taken as consent and no cookies other than the necessary ones should be put in the users’ device until explicit consent is received.
Option to Withdraw Consent
Users should be able to withdraw their consent for cookies easily and at any time.
Purpose of Cookies
Users must be clearly informed of the purposes of the cookies before consenting, along with the consequences of accepting or rejecting cookies.
Proof of Consent
Businesses that seek consent for cookies should provide, at any time, proof of the valid collection of the free, informed, specific and unambiguous consent of the user.
Following is an infographic that will give you a quick idea of the compliance requirements under CNIL.
How to Ask Consent for Cookies Under CNIL?
Both CNIL and GDPR have similar requirements when it comes to seeking consent from the users’ on the rendering of cookies. They are as shown below.
- The consent must be given freely. The user should be free to choose whether to give consent for cookies or not.
- The consent must be specific. You have to obtain consent for each purpose of data collection. This means that if you have obtained consent for analytics purposes, you need new consent for data collection for marketing purposes.
- The consent must be unambiguous. You have to show an ACCEPT and REJECT button. Showing only the ACCEPT button is not enough. The user should be able to take affirmative action on your website.
Cookies Exempted from the Collection of Consent by CNIL
Although asking explicit consent is necessary under CNIL, it exempts certain cookies to be allowed without users’ consent. Following is the list of cookies exempted from the collection of consent.
- Cookies intended for authentication with a service
- Cookies used to remember the cart items on an eCommerce site
- Certain cookies intended to generate traffic statistics
- Cookies allowing paid sites to limit free access to a sample of content requested by users
- Cookies storing users’ consent choice
- User interface customization cookies
- Language preference cookies
How Users’ Silence Should be Interpreted Under CNIL?
Following are the two cases where you can set cookies on your users’ devices.
- User has expressed his/her consent for cookies
- Cookies belong to the exempted category (as listed in the above section)
When to Seek Renewal of Consent Under CNIL?
In principle, it is necessary to keep the choices expressed by the user, whether it is his consent or his refusal. Thus, while browsing the website, they will not have to reformulate their choice from page to page.
In general, it is therefore recommended to save the choice expressed by the Internet user so as not to request him again for a certain period.
The retention period of the choices will have to be assessed on a case-by-case basis (with regards to the nature of the website or application concerned and the specificities of its audience). Generally, it is good practice to keep the choices for a period of 6 months.
What is CNIL’s Say on Cookie Walls?
Cookie walls are website designs that require a user to accept cookies before being able to access the contents of the website. While the 2019 guidelines completely forbid the use of cookie walls. As a result of France’s court ruling against the law, CNIL has edited its Guidelines to state that the lawfulness of cookies walls must be assessed on a case-by-case basis.
If a cookie wall is used, the user should be clearly notified that it is impossible to access content without consent. Otherwise, the cookie wall or banner should shortly go away, so it does not interfere with the user’s access to the content or otherwise sway the user to consent.
What is the Difference Between CNIL Guidelines and Recommendations?
CNIL has put forward both guidelines and recommendations. CNIL guidelines on cookies and other tracers inform you of the law applicable while a user interacts with the internet via the interface of a smartphone, computer, tablet, etc.
The recommendation is meant to guide the professionals concerned in their compliance process. It offers examples of practical methods for obtaining consent per the applicable rules but also to meet the requirements set out in article 82 of the Data Protection Act.
What are the Consequences of Non-compliance and How is it Implemented?
CNIL issues a fine against an organization in case of an infringement to the GDPR or French Data Protection Act in two ways.
- Following a complaint or a report of violation to the CNIL
- Following an investigation carried out by the CNIL
In both cases, the chair of the CNIL may appoint a rapporteur among the CNIL’s commissioners, except the members of the restricted committee, and refer to the restricted committee. The restricted committee is composed of five CNIL’s commissioners and a chairperson elected among them.
The organization incriminated is informed, and documents are exchanged during the written procedure between the rapporteur and the organization. The restricted committee then receives all the documents.
During the procedure, the incriminated organization may be heard if the rapporteur considers it is useful. In this case, a written report will confirm the hearing.
The penalty can be monitory or non-monitory. In monitory terms, the incriminated business or organization will be forced to pay an amount of up to 4% of the total worldwide turnover or up to £20M, whichever is greater. In non-monitory terms, there will be a warning, injunction with periodic penalty payments, etc.
When Will CNIL be Enforced?
As it had announced, it estimates that the deadline for compliance with the new rules (that were published on 1st October) should not exceed six months, i.e. by the end of March 2021 at the latest.
CNIL will then conduct audits and bring enforcement actions. As always, operators must also ensure that they are complying with both the ePrivacy Directive and the General Data Protection Regulation.
How to Easily Comply with CNIL?
You can make the CNIL compliance journey easy for your WordPress website with the help of the CookieYes GDPR Cookie Consent and Compliance Notice plugin. The plugin makes cookie management easy with its powerful set of features.
The plugin provides you with the following features.
- Autocookie scan – The plugin automatically scans your website for cookies.
- Cookie Consent banner – You can create and customize consent banner to meet the requirements mentioned in the guidelines of the laws.
- Granular consent option – Seek explicit consent for cookies by informing users regarding the use of each type of cookie on your website.
- Cookie consent log – Record your users’ consent with relevant data such as cookies consented to, date, time, etc.
- Automatic script blocking – You can enable script blocking of cookies from third-party plugins and services
In the wake of the new set of guidelines put forth by CNIL, you don’t have too long left to comply with it. So get started on your compliance journey today with the CookieYes GDPR Cookie Consent and Compliance Notice plugin.