Internet use

Data controllers may install cookies or equivalent devices subject to the data subject’s prior consent.

In July 2019, the National Commission for Data Protection and Liberties (CNIL) issued new guidelines about the use of cookies that are also supplemented by two decisions rendered by the Council of State on 6 June 2018 (No. 412589 – as to means of blocking the placement of cookies) and by the Court of Justice of the European Union on 1 October 2019 (C-673/17 – as to the data subject’s consent). These guidelines are intended to provide reminders of the French rules that apply to the use of cookies and similar technologies in the light of the strengthened consent requirements under Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR).

These guidelines were followed by draft recommendations that complete the guidelines by providing concrete advice on good practice and practical examples of measures to comply with the requirements of the French legal framework applicable to cookies.

The Council of State ruled on 19 June 2020 to remove the part of these guidelines that prohibited the ‘cookie wall’, stating that: ‘In particular, the CNIL believed that access to a website could never be conditional on the acceptance of cookies’.

The Council of State censured this section, considering that the commission had ‘exceeded what it can legally do, within the framework of a flexible law instrument’.

On 17 September 2020, the CNIL adopted two documents dealing with cookies, repealing those of 4 July 2019: guidelines, supplemented by a recommendation ‘proposing practical methods of compliance when using cookies and other tracers’ that is non-prescriptive and non-exhaustive, adopted following a public consultation.

These guidelines were published on 1 October 2020 and became effective on 1 April 2021. They confirm certain major principles.

First, simply continuing to browse a site can no longer be considered a valid expression of consent.

Consent is required for all cookies other than those necessary for the use of the website or app, whether they are used in ‘logged’ or ‘unlogged’ environments, and whether they are implemented by the website or app operator or a third party.

Notably, the following categories of cookies require the prior consent of the data subject:

  • cookies related to targeted advertising;
  • social network cookies, generated in particular by their sharing buttons, where they collect personal data without the consent of the persons concerned; and
  • analytics cookies.

Regarding analytics, the CNIL considers that these cookies may be exempted from prior consent where the following criteria are fulfilled:

  • they must be implemented by the website operator or its sub-contractor;
  • the data subject must be informed before their implementation;
  • the data subject must be able to object to them through an opposition mechanism that can be easily used on all devices, operating systems, applications and web browsers; no reading or writing operations must take place on the device from which the data subject objected;
  • the purpose of the system must be limited to:
    • audience measurement of the content viewed, to allow the evaluation of published content and the ergonomics of the site or application;
    • segmentation of the website audience into categories to evaluate the effectiveness of editorial choices, without this leading to targeting a single person; or
    • dynamic modification of a site in a global way; and
  • the personal data collected must not be combined with other processing operations (customer files or statistics on visits to other sites, for example) or transmitted to third parties. The use of cookies must also be strictly limited to the production of anonymous statistics. Their scope must be limited to a single site or mobile application editor and must not allow the tracking of the person’s navigation across different applications or different websites;
  • the use of the IP address to geolocate the Internet user must not provide more accurate information than the city. The collected IP address must also be deleted or anonymised once the geolocation has been completed; and
  • the cookies used by these processing operations shall not have a lifetime exceeding 13 months and this duration shall not be automatically extended upon new visits. The information collected through the cookies shall be retained for a maximum of 25 months.

The consent must be freely given, specific, informed and unambiguous.

Informed

Before collecting consent, PII owners must ensure that proper information has been provided to users.

The first layer of information is recommended to provide details about:

  • the purposes of the cookies (eg, targeted or personalised advertising, non-personalised advertising, social media sharing, audience measurement or analytics);
  • the list of data controllers who have access to the cookies (and associated data), which should be permanently accessible and regularly updated. The CNIL suggests that consent should be re-sought if the list changes materially (from a qualitative or quantitative perspective);
  • whether a user’s consent is also valid for tracking his or her navigation throughout other websites or apps (and which ones); and
  • the right to withdraw consent at any time and how.

To avoid affecting the user experience, the CNIL suggests that details of the purposes for which cookies will be used could be provided to users in a layered fashion, for example via links or drop-down menus.

Freely-given

Users must be offered a real choice between accepting or refusing cookies through two checkboxes or buttons (for example, ‘accept’ and ‘refuse’) or equivalents, such as ‘on’ and ‘off’ sliders that are deactivated by default. Users must not be exposed to negative consequences should they decide to refuse cookies, which is in line with GDPR requirements.

Users must be able to consent or withhold their consent with the same degree of simplicity. This implies that the checkboxes, buttons or sliders should be of the same format and presented at the same level.

A ‘cross’ button should be inserted to allow users to close the consent interface without making a choice. In that case, no cookies should be placed on the user’s equipment. Users should then be asked again to choose between acceptance or refusal until a choice is made. In practice, this approach would require PII owners to record a third alternative (ie, no choice expressed by the user), and to seek consent again at a later stage.

In the case that the user refuses to consent to the use of cookies, his or her consent will not have to be sought again for a certain period. The CNIL considers that this period must be identical to the duration for which the consent would have been recorded.

The CNIL also considers that browsers do not, to date, make it possible to distinguish between trackers according to their purpose, even though this distinction may be necessary to guarantee the freedom of consent.

Specific

The consent of the users should be collected for each type or category of cookies. However, the CNIL acknowledges that users can validly consent to all the purposes at once without preventing consent being specific, subject to the following conditions:

  • all the purposes must have been explained to the user before his or her consent;
  • the user is offered the option to consent for each individual purpose; and
  • an option to refuse all the cookies globally is also provided to the user, in the same manner as the option to consent globally to all purposes at once.

Unambiguous

Implied consent is now prohibited, meaning that continuing to browse the website is no longer deemed to imply consent by the data subjects. A positive action of the data subject is now required. To address this, pre-ticked boxes or pre-slid toggles should be avoided.

Duration of the validity of consent

The CNIL recommends that consent is renewed at regular intervals, depending on the context and extent of the initial consent as well as the user’s expectations. The CNIL considers that a period of six months would be appropriate.

In parallel, the CNIL also considers that the lifespan of a cookie cannot exceed 13 months. This means that two time factors should be considered: the cookie’s lifespan and the time that has elapsed since consent was granted by the user.

Demonstrating consent

Data controllers should be able to provide individual evidence of users’ consent, and evidence that their consent mechanism allows the gathering of valid consent.

The CNIL’s recommendation suggests the following solutions:

  • taking screenshots of the mechanism displayed for collecting consent as it appears on the relevant website or application;
  • keeping in escrow with a third-party depositary the computer code used by the controller for collecting users’ consent; and
  • carrying out regular audits of the consent mechanisms implemented on the sites or apps where consent is sought.

In our view, the more economical and resource-effective solution is for the PII owners to take a screenshot of the visual aspect of the consent mechanism in place for each version of the website or application and to keep a copy on file, rather than opting for the escrow or audit approach, which would be costlier. However, PII owners will also need to keep a record of the consent received; consequently, audits are likely unavoidable in practice.
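As an added illustration (not part of this guide or of any CNIL text), the consent-state logic a site needs under the rules described in the Freely-given, Duration and Demonstrating consent sections: a record with the third ‘no choice’ state, a refusal remembered for the same period as an acceptance, re-prompting after the six-month renewal interval, and the 13-month cookie lifetime cap. The function and field names are assumptions; storage and UI wiring are left out.

```javascript
// Added example (not from the CNIL guidelines): consent-state logic for a
// cookie banner. Names (recordChoice, mustPrompt, cookieMaxAgeSeconds) are
// assumptions; storage and UI wiring are left to the site.
const CONSENT_VALIDITY_MONTHS = 6;      // renewal interval the CNIL considers appropriate
const COOKIE_MAX_LIFETIME_MONTHS = 13;  // ceiling on a cookie's lifetime
const CHOICES = ['accepted', 'refused', 'no_choice'];

// Calendar-month arithmetic in UTC (day overflow, e.g. 31 Jan + 1 month, rolls forward).
function addMonths(date, n) {
  const d = new Date(date.getTime());
  d.setUTCMonth(d.getUTCMonth() + n);
  return d;
}

// Evidence record written when the user acts on the banner. 'no_choice' is the
// third state needed when the interface is closed with the cross button; the
// banner version ties the record to the screenshot kept on file for that version.
function recordChoice(choice, purposes, bannerVersion, now) {
  if (!CHOICES.includes(choice)) throw new RangeError(`unknown choice: ${choice}`);
  return {
    choice,
    purposes: choice === 'accepted' ? [...purposes] : [], // per-purpose (specific) consent
    bannerVersion,
    at: now.toISOString(),
  };
}

// Must the banner be shown again? No record or a dismissed banner: yes, on every
// visit. Acceptance and refusal are both remembered for the same period, so a
// refusing user is not asked again sooner than a consenting one would be.
function mustPrompt(record, now) {
  if (!record || record.choice === 'no_choice') return true;
  return now >= addMonths(new Date(record.at), CONSENT_VALIDITY_MONTHS);
}

// Max-Age (seconds) for a non-essential cookie for `purpose` set at `now`, or null
// when it must not be set at all. The cookie expires at the earlier of the consent
// expiry and 13 months after placement; because the consent date is fixed, a later
// visit recomputing this value never pushes the expiry out (no automatic extension).
function cookieMaxAgeSeconds(record, purpose, now) {
  if (!record || record.choice !== 'accepted' || !record.purposes.includes(purpose)) return null;
  const consentExpiry = addMonths(new Date(record.at), CONSENT_VALIDITY_MONTHS);
  const lifetimeCap = addMonths(now, COOKIE_MAX_LIFETIME_MONTHS);
  const expiry = consentExpiry < lifetimeCap ? consentExpiry : lifetimeCap;
  const seconds = Math.floor((expiry.getTime() - now.getTime()) / 1000);
  return seconds > 0 ? seconds : null;
}
```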

The recommendations were open to public consultation until 25 February 2020. The final version of the recommendations will be adopted and published at a date that is, at this stage, undetermined. The CNIL will carry out inspections to enforce the recommendations after a period of six months following their adoption.

Electronic communications marketing

Sending unsolicited marketing messages is prohibited without the prior consent of the recipient. Such consent of the data subject cannot derive from a pre-ticked box or a general acceptance of terms and conditions.

Under the following conditions, the prior consent of the data subject is not required to address unsolicited marketing messages:

  • when the information of the data subject has been collected on the occasion of a purchase following the applicable data protection rules;
  • the marketing messages concern products or services similar to those purchased by the data subject; and
  • the data subject is provided with an easy way to opt out of receiving marketing messages when the data is collected and with each marketing message.

In a business-to-business relationship, the prior consent of the recipient is not required provided that:

  • the recipient has been informed that his or her email address would be used to address marketing messages;
  • the recipient can oppose the use of his or her email address for the purpose of direct marketing at the time of its collection and with each message; and
  • the marketing messages concern the recipient’s profession.

Direct marketing by regular mail or telephone is not subject to the prior consent of the recipient, but the recipient can object to it by signing up to an opt-out list. In France, this list is called Bloctel, which is the governmental opt-out list for telephone marketing.

Cloud services

There is no specific provision applicable to cloud computing in the Law on Computer Technology and Freedom of 6 January 1978 or the GDPR. The CNIL issued guidelines addressed to companies contemplating subscription to cloud computing services on 25 June 2012. These guidelines contain seven recommendations by the CNIL that should be considered by data controllers when assessing the opportunity to migrate to cloud services, as well as a template clause to be inserted into agreements with cloud computing services providers.

The recommendations are to:

  • establish a precise mapping of the data and processing that will be migrating to the cloud and the related risks;
  • define technical and legal security requirements adapted to the categories of data and processing;
  • carry out a risk analysis to identify the security measures to be implemented to preserve the essential interests of the company;
  • identify the type of cloud services and data hosting appropriate for the data processing concerned;
  • select cloud service providers that provide adequate security and confidentiality guarantees;
  • review and adapt the internal security policies of the company; and
  • carry out regular assessments of the cloud services.