On 5 December 2013, the French data protection authority, the CNIL, published new guidance (with supporting user-friendly factsheets) on the use of cookies by businesses operating in France. The guidance updates the CNIL’s informal recommendations on the use of tracing technologies first published at the end of 2011. All businesses using cookies must familiarise themselves with this new guidance and fine tune their arrangements on cookie use, or risk sanctions from the CNIL.
Background
Article 5.3 (as amended) of the EU Privacy Directive regulates the use of cookies. Article 5.3 was recently amended to require website operators to give users clear and comprehensive information about the use of cookies on their site and obtain users’ prior opt-in consent to cookie use. Each EU Member State was required to implement this amendment into national law, with effect from 26 May 2011. In France, implementation was via article 32 II of the French Data Protection Act. The CNIL’s new guidance explains what businesses need to do to ensure compliance with the consent requirement.
When is consent needed ?
The CNIL’s guidance confirms that the reference to ‘cookies’ in the legislation must be given a broad interpretation to encompass all tracing technologies. The guidance also confirms that the legislation applies to all cookies stored or read, including whilst surfing on a website, reading an email or installing or using software or a mobile app, whatever the operating system, the navigation or the terminal used.
The guidance confirms that prior user consent is generally required for cookie use and in particular for:
- cookies related to targeted advertisements;
- tracing cookies created by social networks, such as sharing buttons; and
- certain audience measuring cookies (such as those for Google analytics).
The guidance clarifies that some cookies, however, are exempt from the obligation of prior consent, specifically:
- cookies that are strictly necessary for surfing or the provision of an online communication service expressly requested by the user (the guidance gives a list of examples); and
- certain audience measuring cookies, that comply with the CNIL specifications.
User consent must be freely given. That is, users must not be denied a right to use a service because they have not consented to cookie use.
How to obtain consent
The CNIL recommends a two -step approach to obtaining consent:
- Firstly: the website must have a banner on the home page that complies with the CNIL recommendations;
- Secondly: the user must be informed in a simple and intelligible way (on a dedicated page) of how they may consent or refuse to all or some of the cookies.
The information must be clear and set out full details about each type of cookie used on the site and the reasons why each cookie is used.
Who is affected?
The obligation to obtain prior consent particularly affects website editors, editors of operating systems, applications, advertising networks, social networks and editors of audience measurement solutions. The CNIL has made it clear that an editor that facilitates the use of cookies, which are read by a third party (such as a marketing company, social network or audience measurement tool), will be jointly liable with that third party for any failure to obtain consent to cookies.
Duration
The CNIL recommends that the validity period for the consent to the storing of cookies is thirteen months, at most. After this time, further consent must be sought. Therefore, all cookies must have a maximum life span of thirteen months after first installation.
Next steps
All businesses using cookies must familiarise themselves with this new guidance and fine tune their arrangements on cookie use to ensure compliance with the guidance, or risk sanctions from the CNIL.