The new CNIL guidelines and recommendations on cookies and tracers of all types.
The guidelines (deliberation 2020-091) and the CNIL recommendations (deliberation 2020-092) of September 17, 2020 specify the rules on consent, in the extension of the ePrivacy Directive (2002/58/EC) and the guidelines of the European Data Protection Board of May 4, 2020 (5/2020), the GDPR and article 82 of the Data Protection Act, previous CNIL deliberations and decisions of the Council of State.
Tracers that are not purely technical must be the subject of information and consent. This is the principle set out in article 82 of the Data Protection Act.
This concerns in particular "HTTP cookies", by which these reading or writing actions are most often carried out, but also other technologies such as "local shared objects" sometimes called "Flash cookies", "local storage" implemented within the HTML 5 standard, identifications by calculation of the terminal fingerprint or "fingerprinting", identifiers generated by the operating systems (whether advertising or not: IDFA, IDFV, Android ID, etc. .), hardware identifiers (MAC address, serial number or other identifier of a device), etc”.
The guidelines specify that this principle applies regardless of whether the data collected is personal or not, without of course excluding the GDPR and the Data Protection Act which remain applicable and have priority on the subject of personal data – “sometimes directly identifying (for example, an email address) and often indirectly identifying (for example, the unique identifier associated with a cookie, an IP address, an identifier of the terminal or of a component of the terminal of the user, the result of the fingerprint calculation in the case of a “fingerprinting” technique, or an identifier generated by software or an operating system)”.
All of the players involved in audience measurement trackers that process personal data are considered joint controllers and must comply with French regulations.
“The Council of State ruled, in its decision of June 6, 2018, that the obligations incumbent on the site editor include that of ensuring with its partners, on the one hand, that they do not issue, via the publisher's website, trackers that do not comply with the regulations applicable in France and, on the other hand, that of taking any useful steps with them to put an end to shortcomings”.
In terms of subcontracting:
“The Commission recalls that the publisher of a site which deposits tracers must be considered as a data controller, including when it subcontracts to third parties the management of these tracers set up for its own account”, and “that an actor who stores and/or accesses information stored in a user's terminal equipment exclusively on behalf of a third party must be considered a processor. It recalls, in this respect, that if a subcontracting relationship is established, the data controller and the subcontractor must draw up a contract or another legal act specifying the obligations of each party, in compliance with the provisions of the 28 GDPR”.
The CNIL indicates that "the possibilities of setting browsers and operating systems cannot, on their own, allow the user to express valid consent".
On cookie walls (the user cannot access the site if he does not accept cookies), the CNIL indicates that the method is lawful but that it should not exempt precise information from being provided on the different purposes pursued by the processing carried out, and thus recommends, as can already be seen on certain sites, that second-level information be provided, allowing the user to personalize his choices.
A global acceptance of the general conditions of use of the site does not respect the principle of specific consent.
Consent implies positive action. Simply continuing to navigate or using default pre-checked boxes is insufficient. However, this is not to interfere with navigation. Refusal and withdrawal of consent must be facilitated.
Guidelines and recommendations give suggestions, indications and examples.
The recommendation suggests solutions for keeping proof of consent, for example, “the different versions of the computer code used by the body collecting the consent can be escrow from a third party, or, more simply, a condensate (or “hash”) of this code can be published in a timestamped manner on a public platform, in order to be able to prove its authenticity a posteriori”.
Cookie law: CNIL recommendations
Data transfer: assessing foreign legislation
Consult a lawyer specializing in computer law