On October 1st, 2020, the French administrative body, CNIL (Commission nationale de l’informatique et des libertés) updated its guidelines and recommendations regarding cookies and cookie consent. The new guidelines have been operational since April 2021.
The CNIL is a regulatory body that handles data privacy legislation in France. It’s responsible for issuing and enforcing the rules and regulations regarding data compliance within the territory.
Central to CNIL’s guidelines is the free nature of consent. When it comes to accepting cookies, a website user’s consent must be freely given. This is a fundamental issue for websites that use cookie walls. Since cookie walls only allow access to a site if the site’s cookies are accepted, they remove any ‘free’ choice a user has to provide consent.
Now, the CNIL hasn’t introduced a blanket ban on cookie walls. So long as a website provides users with accurate and reliable information about the consequences of accepting or denying consent, cookie walls are generally allowed.
Creating a Clear Picture
The CNIL requires a user’s consent to be managed with complete transparency — that is to say, websites can’t request a single consent for cookies that have different functions. Since such consent fails to fully inform users of what they’re actually agreeing to, it restricts their freedom of choice and isn’t regarded as consent in any meaningful way.
When it comes to individual cookie types and their functionalities, websites must grant users precise information about each individual cookie in order for users to grant their ‘informed’ consent. To help clarify the picture, websites must also reveal the identity of any data administrators or third parties who are involved in the creation, or use, of the cookies.
Of equal importance here is that any data a website supplies about its cookies should be delivered in simple, easy-to-understand terms — and not masked behind technical and legal terminology. Once again, a user’s consent must be granted in a meaningful way.
In order to gain a user’s informed consent, a website must provide information regarding the following…
When it comes to what is considered an act of user consent, CNIL stipulates that it must be affirmative action, such as clicking an ‘I consent’ or a ‘yes’ button. Implying user consent from inaction — such as the user simply continuing to browse the site — will not qualify as a form of consent. Further to this, any inaction by a user must be considered a rejection of a site’s cookies.
CNIL also states that if a user grants consent and then changes their mind, they must be given a straightforward method to withdraw their consent.
Needless to say, CNIL makes exceptions for cookies that are essential to a website’s functionality, and for those used for audience measurement purposes. Such cookies don’t require user consent, as long as they collect data anonymously and are not used for personal identification purposes.
Comply with CNIL cookie privacy laws
CookieHub helps you protect your users privacy in France by complying to strict cookie consent laws.
Explore pricing plans
CookieHub is a subscription service that offers flexible pricing plans to suit the needs of websites of all sizes. Find the plan that works for you.