The guidelines (deliberation 2020-091) and the CNIL recommendations (deliberation 2020-092) of September 17, 2020 specify the rules on consent, in the extension of the ePrivacy Directive (2002/58/EC) and the guidelines of the European Data Protection Board of May 4, 2020 (5/2020), the GDPR and article 82 of the Data Protection Act, previous CNIL deliberations and decisions of the Council of State.
Tracers that are not purely technical must be the subject of information and consent. This is the principle set out in article 82 of the Data Protection Act.
This concerns in particular "HTTP cookies", by which these reading or writing actions are most often carried out, but also other technologies such as "local shared objects" sometimes called "Flash cookies", "local storage" implemented within the HTML 5 standard, identifications by calculation of the terminal fingerprint or "fingerprinting", identifiers generated by the operating systems (whether advertising or not: IDFA, IDFV, Android ID, etc. .), hardware identifiers (MAC address, serial number or other identifier of a device), etc”.
The guidelines specify that this principle applies regardless of whether the data collected is personal or not, without of course excluding the GDPR and the Data Protection Act which remain applicable and have priority on the subject of personal data – “sometimes directly identifying (for example, an email address) and often indirectly identifying (for example, the unique identifier associated with a cookie, an IP address, an identifier of the terminal or of a component of the terminal of the user, the result of the fingerprint calculation in the case of a “fingerprinting” technique, or an identifier generated by software or an operating system)”.
Joint managers:
All of the players involved in audience measurement trackers that process personal data are considered joint controllers and must comply with French regulations.
“The Council of State ruled, in its decision of June 6, 2018, that the obligations incumbent on the site editor include that of ensuring with its partners, on the one hand, that they do not issue, via the publisher's website, trackers that do not comply with the regulations applicable in France and, on the other hand, that of taking any useful steps with them to put an end to shortcomings”.
In terms of subcontracting:
“The Commission recalls that the publisher of a site which deposits tracers must be considered as a data controller, including when it subcontracts to third parties the management of these tracers set up for its own account”, and “that an actor who stores and/or accesses information stored in a user's terminal equipment exclusively on behalf of a third party must be considered a processor. It recalls, in this respect, that if a subcontracting relationship is established, the data controller and the subcontractor must draw up a contract or another legal act specifying the obligations of each party, in compliance with the provisions of the 28 GDPR”.
Consent :
The CNIL indicates that "the possibilities of setting browsers and operating systems cannot, on their own, allow the user to express valid consent".
On cookie walls (the user cannot access the site if he does not accept cookies), the CNIL indicates that the method is lawful but that it should not exempt precise information from being provided on the different purposes pursued by the processing carried out, and thus recommends, as can already be seen on certain sites, that second-level information be provided, allowing the user to personalize his choices.
A global acceptance of the general conditions of use of the site does not respect the principle of specific consent.
Consent implies positive action. Simply continuing to navigate or using default pre-checked boxes is insufficient. However, this is not to interfere with navigation. Refusal and withdrawal of consent must be facilitated.
Guidelines and recommendations give suggestions, indications and examples.
Evidence :
The recommendation suggests solutions for keeping proof of consent, for example, “the different versions of the computer code used by the body collecting the consent can be escrow from a third party, or, more simply, a condensate (or “hash”) of this code can be published in a timestamped manner on a public platform, in order to be able to prove its authenticity a posteriori”.
Cookie law: CNIL recommendations
Data transfer: assessment of foreign legislation
Consult a lawyer specializing in computer law
Doctissimo
The CNIL, National Commission for Computing and Liberties, recently imposed two fines on Doctissimo, a company operating the doctissimo.fr website. The violations noted mainly concern the retention period of data, the collection of health data, data security and the methods of depositing cookies on users' devices.
The first fine amounts to 280,000 euros for violations of the GDPR, the General Data Protection Regulation. The CNIL collaborated with the European counterparts within the framework of the one-stop shop, because the website receives visitors from all the Member States of the European Union. The second fine is 100,000 euros for a violation of the use of cookies, an exclusive competence of the CNIL.
The CNIL took into account several elements to determine the amount of the sanctions, in particular the nature and the gravity of the violations, the categories of personal data (health data), the number of people concerned as well as the financial situation of the company. The CNIL also pointed out that the company should have exercised particular vigilance when collecting the consent of individuals for the collection of their health data.
It is important to remember that the processing of personal data revealing information about an individual's health is prohibited, except under certain conditions specified by the GDPR. Sanctioned violations include the excessive retention of data from user tests, as well as data from users who have been inactive for more than three years. The absence of a mechanism for obtaining the consent of individuals for the collection of their health data during online tests is also a violation noted.
The CNIL also noted the non-compliance with contractual obligations related to data processing carried out with other entities, as well as the non-compliance with personal data security measures. Indeed, the use of an insecure communication protocol and the insufficiently secure storage of user passwords are also violations observed.
Finally, the CNIL concluded that the company Doctissimo had deprived users of their right to choose the installation of tracers on their device by allowing the deposit of an advertising cookie without obtaining their prior consent. This action had a lasting effect on several million people, given the large number of unique visitors to the website.
The company Doctissimo took measures to comply with the requirements on all the violations, which led to the closure of the procedure by the CNIL. However, she remains accountable for her past actions despite taking steps to comply with the rules.
In conclusion, this case underlines the importance of respecting the rules relating to the protection of personal data, in particular in the sensitive field of health. Companies must be vigilant in collecting the consent of individuals for the collection of their data and ensure optimal security for this data. The CNIL reminds that violations will be sanctioned and that the persons concerned can exercise their rights in terms of protection of personal data.
French 
English