Updated: February 17, 2022
The subject is governed by Article 82 of the Data Protection Act transposing Article 5(3) of Directive 2002/58/EC of July 12, 2002 known as "privacy and electronic communications" (e-Privacy Directive on metadata), amended in 2009 (Directive 2009/136/EC).
When the cookie processes personal data, the GDPR and Directive No. 2016/680 of April 27, 2016, known as the “Police-Justice” directive, texts which specifically address the processing of personal data (as opposed to other types of data), are also applicable. These texts are also transposed or taken up by the Data Protection Act.
The administrative bodies in charge of these matters, the CNIL (draft recommendation of January 14, 2020, still in draft form at present) and the CEPD (European Data Protection Board, ex-"G29"; guidelines on consent of Nov. 28, 2017, WP 259 rev. 01), have delivered their approaches, as has the CJEU (CJEU, Oct. 1, 2019, case C-673/17, Planet49).
It should be remembered that, for any type of tracer (and not only the traditional web cookie), the specific and positive consent of the Internet user to the purposes and the persons in charge of the processing, and to the exact scope of his consent (its duration in particular), is required, especially when it comes to audience trackers.
This presupposes clear and prior information, under a specific “policy”.
Even the simply “technical” cookie, necessary for the proper technical functioning of the service, should not escape this necessity either, according to the CNIL.
The mere referral of the Internet user to the configuration of his browser to block or select cookies is not sufficient.
The publisher of online content cannot discharge his liability onto the technical intermediary or the communication agency he calls upon, both with regard to audience tracers and tracers deposited by third parties, in the sense that he can always be prosecuted on the front line.
A compliance analysis will therefore focus on qualifying the different types of cookies, their purposes and their managers, in order to identify the exact legal regime applicable to them and then to set up the appropriate consent procedures.
A very detailed contract with a consent manager may be necessary, especially since a website is constantly evolving, consents are given for limited durations and purposes, and tracers may change or be modified: consent will therefore have to be adapted or requested frequently. The user must also be able to withdraw his consent at any time.
Proof of consent and of its compliance must be reportable, which involves audits as well as escrow and archiving mechanisms.
The Council of State, on June 19, 2020, questioned the CNIL's recommendation on cookie walls, suggesting that the ability to prohibit access to a site in the event of refusal of cookies had legitimacy.