Cookies and other tracking technologies have received a lot of attention in recent months from the regulators charged with enforcing data protection and ePrivacy laws. The Irish data protection authority, the Data Protection Commission (DPC), has already issued an enforcement alert to organisations, stating that it would begin enforcing its cookie rules from 5 October 2020. This month, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), followed suit, stating that it would begin enforcing its newly released cookie guidance at the end of March 2021. This piece examines the revised CNIL guidance, with particular attention to its links with the DPC guidance and with guidance from the UK’s Information Commissioner’s Office (ICO). Specifically, it identifies areas of similarity that may indicate emerging alignment and harmonisation across Europe.
Consent
According to the revised CNIL guidance issued this month, as well as the ICO and DPC guidance, simply visiting a site and navigating around it cannot be considered valid consent to the use of cookies. Instead, a positive, opt-in consent must be obtained for all but necessary cookies and other trackers on a website. Users must be provided with an “I accept” button, and inaction with respect to cookies must be interpreted as a refusal to have cookies or other trackers active on their device.
- ✔ ICO
- ✔ DPC
According to the CNIL, withdrawing or refusing consent for trackers and cookies should be “as easy as accepting them”. For example, an “Accept all” button paired only with a “Manage settings” button is not sufficient; an “Accept all” button must be accompanied by a “Reject all” button. Rejecting cookies should not require more “clicks” than accepting them. This aligns with ICO guidance. In contrast, the DPC allows more flexibility and has given examples (e.g., in its Cookie Sweep Report, p. 18) of CMP tools that use a “Manage settings” approach.
- ✔ ICO
- ❌ DPC
Like the DPC and ICO guidance, the CNIL is clear that consent cannot be “nudged” through design features such as colour, prominence or ease of interaction.
- ✔ ICO
- ✔ DPC
Additionally, the CNIL notes that it is best practice to set an expiry period of six months on consent (and on the cookies that depend on it), after which consent must be sought again. This aligns with DPC guidance; however, the ICO has not recommended a specific retention period.
- ❌ ICO
- ✔ DPC
Transparency
Site users must be clearly informed of the purpose of trackers, the consequences of accepting or rejecting trackers, and the identity of data controllers and other actors using the trackers. This is well aligned with ICO and DPC guidance.
- ✔ ICO
- ✔ DPC
Strictly Necessary
Trackers or cookies that are necessary for functions such as authentication, remembering shopping cart contents, or keeping some content behind subscription walls do not require consent. This is also well aligned with ICO and DPC guidance.
- ✔ ICO
- ✔ DPC
Analytics Cookies
According to the CNIL’s guidance, some analytics cookies may be exempt from the consent requirement. On the reading adopted in some studies and commentary, the exemption is limited to analytics cookies whose only purpose is measuring audience characteristics on behalf of the site operator, which collect anonymised information, store it for a limited period, and neither combine it with other sources nor share it with third parties. The DPC has not been equally explicit about first-party analytics cookies, although it has noted that such a configuration is unlikely to be an enforcement priority. In contrast, the ICO has explicitly stated that analytics cookies require consent.
- ❌ ICO
- ❌ DPC
Fairness & Accountability
Records of consent for cookies should be accompanied by a stored record of cookie rejection, so that individuals do not have to reject cookies again every time they visit the site.
- ✔ ICO
- ✔ DPC
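The consent rules above (no tracker other than necessary ones before a positive action, inaction treated as refusal, a stored rejection that is honoured on the next visit, a reject action no harder than accept, and consent that lapses after six months) translate directly into the state model behind a consent banner. The following is an added example written for this article, not code from the CNIL, ICO, DPC or any CMP vendor. It assumes three illustrative categories, approximates six months as 182 days, and uses an in-memory `Map` in place of `document.cookie` so it runs outside a browser; the `now` clock is injectable so expiry can be exercised.

```javascript
// Added example: consent-state model for a cookie banner (not from the original article).
// Assumptions: six months ~ 182 days; three illustrative categories; an in-memory
// jar stands in for document.cookie so the code runs under Node without a DOM.

const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000;
const CATEGORIES = ["necessary", "analytics", "advertising"];
const CONSENT_KEY = "cookie_consent";

function createConsentStore(jar = new Map(), now = () => Date.now()) {
  // Read the stored decision; an expired or malformed record counts as "no decision".
  function read() {
    const raw = jar.get(CONSENT_KEY);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch (e) { jar.delete(CONSENT_KEY); return null; }
    if (typeof rec.expires !== "number" || rec.expires <= now()) {
      jar.delete(CONSENT_KEY);           // consent (or refusal) has lapsed: ask again
      return null;
    }
    return rec;
  }

  // Record a decision for every category. "necessary" is always permitted and is
  // never part of the choice; everything else defaults to false (refusal).
  function decide(choices) {
    const granted = {};
    for (const c of CATEGORIES) {
      granted[c] = c === "necessary" ? true : Boolean(choices[c]);
    }
    const rec = { granted, decidedAt: now(), expires: now() + SIX_MONTHS_MS };
    jar.set(CONSENT_KEY, JSON.stringify(rec));
    return rec;
  }

  // One action each: accepting and rejecting cost the user the same single click.
  function acceptAll() {
    const all = {};
    for (const c of CATEGORIES) all[c] = true;
    return decide(all);
  }
  function rejectAll() { return decide({}); }   // rejection is stored, not discarded

  // Gate for trackers: only "necessary" runs without a stored, unexpired grant.
  // No record at all (the visitor just scrolled past the banner) means refusal.
  function mayRun(category) {
    if (category === "necessary") return true;
    const rec = read();
    return rec !== null && rec.granted[category] === true;
  }

  // The banner is shown only when there is no valid decision on file, so a visitor
  // who rejected cookies is not asked again until the record expires.
  function needsBanner() { return read() === null; }

  return { acceptAll, rejectAll, decide, mayRun, needsBanner };
}

// Given a tracker registry, return the names that are allowed to load right now.
function plannedTrackers(store, registry) {
  return registry.filter((t) => store.mayRun(t.category)).map((t) => t.name);
}

// Constructed sample registry for illustration only.
const SAMPLE_REGISTRY = [
  { name: "session_auth", category: "necessary" },
  { name: "cart_contents", category: "necessary" },
  { name: "site_analytics", category: "analytics" },
  { name: "ad_network_pixel", category: "advertising" },
];

module.exports = { SIX_MONTHS_MS, CATEGORIES, createConsentStore, plannedTrackers, SAMPLE_REGISTRY };
```

On a real site, `jar` would be replaced by a first-party cookie or `localStorage` entry written with the same six-month expiry, and the tracker loader would call `mayRun` before injecting any third-party script; the important property is that the default path, with no record present, loads only the necessary category.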
Trackers and cookies that allow monitoring on external websites, other than the one being visited, should be subject to consent on each of the external sites that are tracking a user’s activity. Neither the ICO nor the DPC explicitly treat this issue in their guidance.
- ❌ ICO
- ❌ DPC
Finally, although previous versions of the CNIL’s guidelines banned so-called “cookie walls”, the revised guidance states that individuals must be clearly informed of the consequences of rejecting cookies in these cases, and that the lawfulness of a cookie wall must be assessed case by case. The DPC’s position on cookie walls is somewhat nuanced and it has not treated the issue as explicitly, but it states that users should not suffer detriment if they reject cookies. The ICO, by contrast, seems to accept cookie walls in some circumstances.
- ✔ ICO
- ❌ DPC
Based on this analysis, it seems that rules and guidelines are becoming more harmonised in some areas. Organisations can rely on the position – shared by several authorities – that inaction on the part of a site visitor should always be interpreted as rejection of cookies. Furthermore, design choices must be carefully scrutinised to make sure that no “nudging” via colour choice, prominence, etc. is being used to influence the visitor’s selection. Visitors must always be told about the purpose of cookies and the identity of the data controller. However, cookies necessary for core functionalities can still be used without consent.
These areas of convergence provide clear guidance for organisations operating virtually across borders.
Areas where harmonisation has not yet progressed include: a common position on the ease of rejecting cookies; specific recommendations on cookie retention periods; the use of analytics cookies operated by the site owner; the use of cookie walls; and the rules for tracking consenting users across websites. While these appear to create potential complications, consensus may yet settle around some of them, since different regulators are working to different timelines.
Trilateral’s Data Governance and Cyber-Risk Team offers data governance services that can help your organisation develop policies and procedures for ongoing compliance with the latest governance standards. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support. Our support services will help your business to protect individuals’ fundamental rights, building trust among your website users and ultimately, your customers. Please feel free to contact our advisors, who would be more than happy to help.