The French Data Protection Authority (Commission nationale de l'informatique et des libertés - CNIL, the independent French administrative regulatory body whose mission is to ensure that data privacy law is respected), has adopted new guidelines on cookies and other tracers.

The guidelines highlight that stakeholders are required to obtain the consent of users before any operation to using cookies and other tracers, in accordance with Article 82 of the French Data Protection Act (Loi informatique et liberté) (Article 5 (3) of the European Directive 2002/58/CE). This obligation was, of course, reinforced by the entry into force of the General Data Protection Regulation (GDPR), on 25th of May 2018. However, whether or not the information (stored and/or accessed) is personal data within the meaning of the GDPR is not a prerequisite for the application of these guidelines on cookies and tracers.

Article 82 of the Data Protection Act provides that users of an electronic communications service, such as a website or a smartphone application, must be informed in a clear and complete manner of the purpose of any access to information already stored on their device or of any registration of information on their device, and of the means available to the user to oppose such measures.

The guidelines recall most of the legislation applicable to tracers and cookies, and are designed as a guide for stakeholders to explain good practices regarding cookies and tracking software. More importantly, the new guidelines include two new features that merit special attention:

  • First, the user must have expressed her/his acceptance in a free, specific, enlightened and unambiguous manner by a clear declaration or positive act. The CNIL’s view is that simply scrolling down or swiping through the website or an application cannot be considered as a valid expression of the consent to the implementation of cookies by users. They must express their will in a positive act, e. g. by a checkbox or a button to activate.
  • Secondly, stakeholders must be in a position to prove that consent has been properly obtained. From a practical standpoint, this will no doubt mean having to archive or otherwise store proof of acceptance of the cookie or tracer policy in retrievable fashion.

The guidelines adopted on 4 July will be followed by a new CNIL recommendation that will specify the practical procedures for obtaining and storing consent. The CNIL intends to consult with professionals by the end of the year, as a preliminary step to adopting a new recommendation. The CNIL will then open the draft to a period of public consultation. The final recommendation should be published in the first quarter of 2020.

After the publication of the future recommendation, a six-month phase-in period will be granted to stakeholders to comply with these new provisions. Therefore, companies have about a year to comply and to integrate these new rules.