On 21 January 2020, the CNIL launched a public consultation on the proposed guidelines for cookies and other trackers, which is open until 25 February 2020.

The proposed guidelines are presented as “non-binding” and aim to assist organisations to comply with the regulation by providing practical examples of how to obtain consent. However, the CNIL indicates that organisations may use other methods to obtain consent, provided that they comply with the guidelines. Nevertheless, the practical examples are a clear indication of what the CNIL expects.

Before issuing these recommendations, the CNIL consulted representatives of industries in the ad-tech world and non-governmental organisations. However, the former believe that the draft text does not sufficiently reflect their concerns. They are worried that the proposed guidelines will make it more difficult for certain websites to monetize their content by using tracking cookies that allow targeted ads.

The CNIL also published survey results of a poll of approximatively 1,000 internet and app users. Unsurprisingly, users want more transparency and control over their data. However, it is more surprising that 76% indicate that they are consenting to cookies in general, (25% always and 51% at least occasionally). More specifically, 59% consent to cookies for audience measurement, 55% for personalization of content and 44% for behavioural advertising. At a conference in Paris on 12 February 2020, a CNIL representative stated that the CNIL relied on these figures to consider that the implementation of the guidelines will not adversely affect the advertising industry. However, this survey is based on a situation where the respondents had unlimited time to respond to a questionnaire. One question is, how will users react when faced with consent requests at the time when they want to access a website or an app?

In order to give an idea of what the guidelines entail, the figures below are examples from the CNIL’s proposed guidelines.

  • The cookie policy should be presented in a layered fashion. From the outset, there would be a short summary on the cookie panel. A “banner” no longer seems the appropriate word to use, given the amount of information it will contain.
  • If the first page offers the possibility to “accept all” cookies, it should then offer, in exactly the same manner, the possibility to “refuse all” cookies (same colour, same font, same size and side-by-side) in addition to the option to “personalize the choices”.
  • It is possible to offer a delay of choice to the users, in which case no cookies or similar technologies should be deployed until the user has given consent. A “cross” button should be inserted to allow users to close the consent interface and not make a choice.

Figures 2, 3 and 4

  • The layered approach should allow consent on a purpose-by-purpose basis (as well as information on all cookie providers/controllers) by scrolling down and clicking on links.
  • Through this process, information should also be provided on all of the data controllers and about whether users are giving consent to be tracked on other websites/applications. Consent can be obtained via on/off sliders (deactivated by default), check boxes (not pre-checked) or equivalent means.

 

Figure 5

  • Each time there is an important change, users should be informed of this and their consent should be requested each time.
  • Users should be able to change their options at any time, either by a static icon or a hyperlink at the bottom of each web page.

The guidelines also cover other aspects, such as the duration of the consent or refusal of the cookies, cookies that are exempt and how to keep a record of evidence of consent. Notably, the CNIL considers that, in many cases, the publishers of the website or mobile app are most likely to be able to provide users with information on cookies and tracers and to seek their consent. This is due to the control that they exercise on the interface of collection of choices and the direct contact that they have with the user.

After the end of the consultation, the CNIL will take into account any comments raised and a final report will be published. The CNIL indicated on its website, in July 2019, that it would carry out inspections after a period of six months to enforce the guidelines.

Some ad-tech companies feel that these guidelines will be quite a challenge to implement, especially for publishers. Moreover, such guidelines will have to be read in conjunction with those of other supervisory authorities and there does not seem to be a harmonised approach considering, notably, the approach taken by the Spanish authority. During the above-mentioned conference in Paris on 12 February, a representative of EPDB indicated that national regulators discussed the lack of harmonisation at their January meeting and decided to revise the consent guidelines at the EDPB’s March 19–20 meeting to try to achieve a more harmonised approach.