Website operators offering services to people in the EU must comply with EU law. The relevant laws are the ePrivacy Directive and the General Data Protection Regulation (GDPR). These laws make it clear that the use of non-essential cookies requires opt-in consent.

But many, if not most, websites remain non-compliant with EU cookie rules. Many cookie consent banners don't offer people a real choice about cookies. Many websites track users without even trying to obtain consent.

France's Data Protection Authority, known as the CNIL, has finally started getting tough on cookie compliance. The CNIL has released guidance on how to comply with EU cookie laws, and it has set a deadline by which it expects websites to become fully compliant.

This article will help you understand the basics of EU cookie laws, and take an in-depth look at the CNIL's guidance to help you understand what you need to do to get in line with the French regulator's requirements.

Why Has the CNIL Released This Guidance?

The CNIL's cookie compliance crackdown results from many years of guidance from the European Data Protection Board (EDPB) and case-law before the Court of Justice of the European Union (CJEU).

For example, 2019's "Planet49" case confirmed that website operators may not use pre-ticked boxes for cookie consent. And the EDPB's May 2020 cookie guidance made clear that "cookie walls" are not valid under the GDPR.

The CNIL's new guidance arrived in October 2020, but it was already investigating cookie violations at this time.

In December 2020, the French regulator imposed large fines on two tech giants who "placed advertising cookies on users' computers...without obtaining prior consent and without providing adequate information":

  • Google received two penalties totaling €100 million ($121.3 million)
  • Amazon received a €35 million ($42.4 million) penalty

The CNIL's message couldn't be clearer: If your website is accessible in France, and you're subject to the GDPR, you must ensure your cookie consent mechanism is legally compliant.

Is Following the CNIL's Guidance Mandatory?

The CNIL's guidance isn't legally binding in itself. So, technically, it's not mandatory. But following the law is mandatory, and the CNIL's guidance is a good reflection of the law.

The CNIL's guidance reflects the position of the European Data Protection Board (EDPB) and the Court of Justice of the European Union (CJEU). Following the guidance is a good way to ensure you're legally compliant.

Do All Cookies Require Consent?

No, not all cookies require consent under EU law. The ePrivacy Directive specifies that two types of cookies are exempt from its consent requirements:

  • Cookies used "for the sole purpose of carrying out the transmission of a communication over an electronic communications network"
  • Cookies that are "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service"

In short, cookies don't require consent if they are strictly necessary to:

  • Enable your site to function
  • Provide a service requested by the user

Examples of such cookies include load-balancing cookies, cookies used to remember shopping cart contents and media playback positions, and user-interface customization cookies.

However, cookies used for advertising and analytics (which we're broadly calling "tracking cookies") require consent under EU law. Advertising cookies always do. The CNIL allows a narrow exemption for audience-measurement (analytics) cookies only where they serve the site operator alone, produce anonymous statistics, and are not used to track people across sites; anything beyond that needs consent.

Is This Only Relevant to French Companies?

No, the CNIL's guidance is simply a means of telling companies that are already covered by the GDPR and the ePrivacy Directive that it's time to start complying with these laws.

Whether or not your company has any presence in the EU, you're covered by the GDPR if you are:

  • Offering goods and services to people in the EU
  • Monitoring the behavior of people in the EU

The EDPB has confirmed that using tracking cookies for purposes like behavioral advertising can constitute "monitoring the behavior of people in the EU."

Also, note that even if the CNIL is not your lead supervisory authority, it can still take action regarding your compliance with EU law. Above, we looked at France's tough enforcement action against Google (whose lead supervisory authority is Ireland) and Amazon (Luxembourg).

Therefore, if your website is accessible in the EU, and you're using tracking cookies, you should be aiming to comply with the CNIL's guidance before the implementation deadline.

When is the Deadline for Compliance?

The CNIL is giving website operators until the end of March 2021 to get fully compliant with the GDPR and the ePrivacy Directive. Some sort of enforcement crackdown is likely to occur after this date, so make sure to get your house in order as soon as possible.

What Does the CNIL's Guidance Say?

The CNIL's guidance sets out six "main principles" on cookies, which can be characterized as:

  1. Silence is not consent
  2. Consent requires a clear, affirmative action
  3. Consent must be easily withdrawable
  4. Make it equally easy to accept or refuse cookies
  5. Consent must be fully informed
  6. Keep a record of consent

Let's take a closer look at each of these principles and what they mean for your website.

Silence is Not Consent

The CNIL states that you cannot assume you have a person's consent because they:

  • Visit your website
  • Use your website or services
  • Click an "x" to close your cookie banner

This principle precludes cookie banners that make claims such as "by continuing to use this website, you consent to our use of cookies."

Here's an example of such a cookie banner, from Twitter:

Twitter cookie consent banner using browsewrap

Under the CNIL's guidelines, this cookie banner does not represent a legally-compliant way of obtaining consent.

Instead, make sure your cookie consent notice is adequate and legally compliant.

Consent Requires a Clear, Affirmative Action

The CNIL states that consent is only valid if you obtain it via a clear, affirmative action. This opt-in requirement is "Consent 101" under the GDPR: it's part of the definition of "consent" at Article 4 (11) of the GDPR, which requires "a clear affirmative action":

EUR-Lex GDPR: Article 4 - Definition of consent

This requirement means you can only obtain valid cookie consent through a deliberate act by the person, such as clicking a button saying "Accept," or switching on a toggle for a specific purpose. Scrolling, continuing to browse, or leaving a pre-ticked box in place do not count, and no non-essential cookie may be set before that act takes place.

Consent Must be Easily Withdrawable

Once you've got a person's consent for cookies, you need to make it easy for them to withdraw their consent.

Article 7 (3) of the GDPR actually states that it must be "as easy to withdraw as to give consent":

EUR-Lex GDPR: Article 7 Section 3 - The right to withdraw consent easily

You could achieve this by placing an unobtrusive "slider" that persists across each page of your website, allowing people to opt in and out of cookies.

Your Privacy Policy should also include information about how to withdraw consent for cookies.

Here's an example from the Post Office:

Post Office Cookie Policy: To Withdraw Consent for Cookies clause

Note that the Post Office provides a cookie consent dashboard, accessible via the "Change Preferences" link. It's important to include an option such as this, and not to rely on users manually changing their cookie preferences via their browser.

Here's how the Post Office's cookie consent dashboard looks:

Post Office cookie consent dashboard

The Post Office offers a "granular" approach to cookie consent, allowing people to opt in or out of "functional" and "performance" cookies. This approach complies with the GDPR's requirement that consent must be "specific."

Make it Equally Easy to Accept or Refuse Cookies

The CNIL's guidance states that you must make it as easy for people to accept cookies as it is for them to refuse cookies.

This unbiased presentation is a very important feature of valid cookie consent. Many websites require users to wade through several screens of cookie consent options and individually opt out of tracking with scores of third parties.

Here's an example of a cookie consent solution that makes it harder to refuse cookies than to accept cookies, from Techradar:

Techradar cookie consent notice

Techradar provides a button reading "AGREE"... but where's the button reading "REFUSE"? Let's click "MORE OPTIONS" and see how easy it is to refuse cookies:

Techradar cookie consent notice: Options screen

Techradar presents a variety of purposes for which users can opt out of cookies, but these are all switched to "ON" by default. It's possible to "AGREE TO ALL," but not to "REFUSE ALL."

Let's click on the "Personalized ads and content" section:

Techradar cookie consent notice: Personalized ads options screen

You get the idea. Accepting consent is easy: just click "AGREE." Refusing consent is an ordeal.

Here's an example of how it should be done, from law firm K&L Gates:

K and L Gates cookie consent notice

K&L Gates provides the options to "Reject Cookies" or "Accept All Cookies" with equal prominence. Importantly, both options are presented in the same color. Using a brighter color for "Accept" than you use for "Reject" can be a so-called "dark pattern" that manipulates user behavior.

Consent Must be Fully Informed

The GDPR requires consent to be "informed." In the context of cookies, this means when requesting cookie consent you'll need to provide both:

  • A short notice about your use of cookies, and
  • A link to your Cookies Policy or Privacy Policy

The CNIL specifies that you must include the following information before obtaining cookie consent:

  • The purposes of the cookies you use on your website
  • What consequences the person will face if they refuse consent
  • The identities of any third-party vendors using cookies on your site

It might be a challenge to fit this all on a cookie banner. There's a balance to be struck between providing comprehensive information and providing information that doesn't overwhelm people.

Here's an approach from Digital Catapult:

Digital Catapult cookie consent notice

Digital Catapult presents people with information about its purposes for collecting their personal information alongside information about the types of personal data it collects. As an aside, this cookie banner is also a great example of how to offer equally-weighted "accept" and "reject" options.

Keep a Record of Consent

Finally, the CNIL, and the GDPR itself, require that you keep a record of any consent you have obtained for cookies. Article 7 (1) of the GDPR puts the burden on you, as the controller, to be able to demonstrate that the person consented. The way you achieve this will depend on your method for obtaining cookie consent, but at a minimum the record should capture what the person chose, when, and which version of your notice they saw.

Summary

The deadline for implementing the CNIL's cookie consent guidance is March 31st, 2021. Make sure your website is fully GDPR and ePrivacy Directive-compliant by this date, and bear the CNIL's six principles in mind:

  1. Silence is not consent
  2. Consent requires a clear, affirmative action
  3. Consent must be easily withdrawable
  4. Make it equally easy to accept or refuse cookies
  5. Consent must be fully informed
  6. Keep a record of consent
