On 19 July the French Data Protection Authority (the “CNIL”) published new guidelines on cookies and trackers. These replace the existing Recommendation No. 2013-378 of 5 December 2013, are intended to be in line with relevant GDPR provisions and have been produced in anticipation of the future ePrivacy Regulation. The guidelines will be supplemented, at a later stage, with sectoral recommendations setting out practical methods for obtaining consent. These sectoral recommendations will be included in a final version of the guidelines on cookies and trackers open for public consultation, which will then be subject to final adoption by the CNIL (expected early 2020).
The new guidelines confirm that continuing to browse a website after its cookie banner is displayed will no longer be considered to be valid consent for cookie use in France. Operators that use cookies and trackers will have to be able to prove that they have obtained affirmative consent from the user. Enforcement of the guidelines will, however, be delayed for around a year (see the Grace Period provision below).
The new guidelines apply to all types of operations involving cookies and trackers on any type of device, including smartphones, computers, connected vehicles and any other object connected to a telecommunications network open to the public.
The guidelines clarify that cookies and trackers cannot be used until the user has expressed his or her freely given, specific, informed and unambiguous consent. In order to be validly obtained, consent must fulfil the following conditions:
An operator using cookies and trackers is considered to be a controller and is therefore fully responsible for obtaining valid consent. Third parties using cookies and trackers are independently responsible for obtaining valid consent.
Where the use of cookies and trackers involves several operators, those operators can either be considered separate controllers, joint controllers or processors. An operator is considered a joint controller when it jointly, along with one or more other operator(s) (also acting as controller(s)), determines the purposes and means of processing. Under Article 26 GDPR, joint controllers are required to establish their respective compliance obligations in a transparent manner and to enter into an arrangement (a contract) about it. The CNIL’s new guidelines specifically refer to Article 26, and state that this requirement applies, in particular, to the collection and demonstration of valid consent. An operator is considered a processor when it uses cookies and trackers exclusively on behalf of the controller and does not use the collected data for its own purposes.
The guidelines do not require prior consent:
Regarding cookies and/or trackers used to measure traffic or test different versions of the site or application, the CNIL guidelines provide that the purpose of the system measuring traffic, to be exempted, must be limited to (i) audience measurement of the content viewed in order to allow the evaluation of published content and the ergonomics of the site or application, (ii) segmentation of the website audience into cohorts in order to evaluate the effectiveness of editorial choices, without this leading to targeting a single individual and (iii) dynamic modification of a site in a global way. The personal data collected must not be cross-referenced with other processing operations (customer data or statistics on visits to other sites, for instance) or provided to third parties. The use of trackers must also be strictly limited to the production of anonymous statistics. The scope of such a system must be limited to a single website or mobile application publisher and must not allow the tracking of the website user’s browsing on other websites or mobile applications.
Users must, however, still be informed about the existence of such cookies or trackers and their purpose.
Operators have six months from the publication of the CNIL’s final guidelines (expected at the beginning of next year) to comply with the new rules. Notwithstanding this grace period, however, the CNIL will continue to monitor and enforce compliance with existing and unchanged data protection rules.
Authored by Patrice Navarro