Overview
On October 1, 2020, the French data protection authority (the CNIL) published the final version of its Guidelines and Recommendations on cookies' compliance with EU privacy law.
The Guidelines, first adopted on July 9, 2019, have been amended to take into account the decision of the French Supreme Administrative Court (Conseil d'État) of June 19, 2020, which struck down the general prohibition of cookie walls proposed by the CNIL in its initial guidelines. The final version of the Recommendations follows a period of public consultation with stakeholders.
What's New? Not Much
The Guidelines. The Guidelines outline the EU legal framework applicable to the use of cookies and similar tracking technologies on websites and mobile applications. The current Guidelines no longer include a general prohibition on the use of so-called "cookie walls," the practice of making access to a website or mobile application conditional on users consenting to the installation of cookies. The CNIL amended the Guidelines following the decision of the Conseil d'État, which considered that the authority could not, by way of soft law, infer such a prohibition from the sole requirement of free consent under the GDPR. The Guidelines, as adopted, still suggest that cookie walls might not be compliant with the current legal framework but now refer to the need to conduct a case-by-case assessment. The amendment is formal (as was the decision from the Conseil d'État); the European Data Protection Board and the majority of EU data protection authorities rule out cookie walls on the grounds of a lack of valid consent (i.e., not presenting the user with a genuine choice).
The Recommendations. The Recommendations aim to assist organizations in navigating the various EU requirements applicable to cookies and in translating those legal requirements into practical steps for compliance. The Recommendations cover various aspects of cookie practices, including, among others, user interfaces and cookie banner layouts, cookie lifespans, use of global consent, and description of cookie functionalities. Those elements were already covered by the draft version of the Recommendations, and you can access our comments on the draft here. Some of the limited changes introduced in the final version relate to: (i) a slightly lighter approach to the list of third parties placing cookies that controllers should provide (for instance, with fewer details on how changes to the list should be highlighted to users); or (ii) the recommendation to require, by way of contractual settings, the party in charge of obtaining consent to provide evidence that such consent was indeed obtained (rather than a loose undertaking to comply).
"Knowing is not enough. We must apply. Being willing is not enough. We must do" (Leonardo da Vinci)
The CNIL Guidelines and Recommendations are now here to stay and are part of a patchwork of different approaches taken by data protection authorities in relation to cookie practices.
Organizations should assess the use they make of tracking technologies and try to navigate the current EU legal framework to identify their approach to compliance. Finding the way is not an easy task, as it requires organizations to consider how to harmonize the different stances taken by data protection authorities in the various EU member states, likely by applying the strictest approach. An additional layer of complexity in this exercise comes from the fact that very few consent management platforms enable organizations to comply with the EU legal framework at this stage.
Although the CNIL has set a grace period until March 2021, cookies are high on enforcement agendas in Europe. As an example, the Irish Data Protection Commission's grace period ends today; it is now time to act.