22 March 2021
Website operators offering services to people in the EU must comply with EU law. The relevant laws are the ePrivacy Directive and the General Data Protection Regulation (GDPR). These laws make it clear that the use of non-essential cookies requires opt-in consent.
But many, if not most, websites remain non-compliant with EU cookie rules. Many cookie consent banners don't offer people a real choice about cookies. Many websites track users without even trying to obtain consent.
France's Data Protection Authority, known as the CNIL, has finally started getting tough on cookie compliance. The CNIL has released guidance on how to comply with EU cookie laws, and it has set a deadline by which it expects websites to become fully compliant.
This article explains the basics of EU cookie laws and takes an in-depth look at the CNIL's guidance, so you understand what you need to do to get in line with the French regulator's requirements.
The CNIL's cookie compliance crackdown results from many years of guidance from the European Data Protection Board (EDPB) and case-law before the Court of Justice of the European Union (CJEU).
For example, 2019's "Planet49" case confirmed that website operators may not use pre-ticked boxes for cookie consent. And the EDPB's May 2020 cookie guidance made clear that "cookie walls" are not valid under the GDPR.
The CNIL's new guidance arrived in October 2020, but the regulator was already investigating cookie violations by then.
In January 2021, the French regulator imposed large fines on two tech giants that "placed advertising cookies on users' computers...without obtaining prior consent and without providing adequate information":
The CNIL's message couldn't be clearer: If your website is accessible in France, and you're subject to the GDPR, you must ensure your cookie consent mechanism is legally compliant.
The CNIL's guidance isn't legally binding in itself. So, technically, it's not mandatory. But following the law is mandatory, and the CNIL's guidance is a good reflection of the law.
The CNIL's guidance reflects the position of the European Data Protection Board (EDPB) and the Court of Justice of the European Union (CJEU). Following the guidance is a good way to ensure you're legally compliant.
No, not all cookies require consent under EU law. The ePrivacy Directive specifies that two types of cookies are exempt from its consent requirements:
In short, cookies don't require consent if they are strictly necessary to:
Examples of such cookies include load-balancing cookies, cookies used to remember shopping cart contents and media playback positions, and user-interface customization cookies.
However, cookies used for advertising and analytics (which we're broadly calling "tracking cookies") always require consent under EU law.
No, the CNIL's guidance is simply a means of telling companies that are already covered by the GDPR and the ePrivacy Directive that it's time to start complying with these laws.
Whether or not your company has any presence in the EU, you're covered by the GDPR if you are:
The EDPB has confirmed that using tracking cookies for purposes like behavioral advertising can constitute "monitoring the behavior of people in the EU."
Also, note that even if the CNIL is not your lead supervisory authority, it can still take action regarding your compliance with EU law. Above, we looked at France's tough enforcement action against Google (whose lead supervisory authority is Ireland) and Amazon (Luxembourg).
Therefore, if your website is accessible in the EU, and you're using tracking cookies, you should be aiming to comply with the CNIL's guidance before the implementation deadline.
The CNIL is giving website operators until the end of March 2021 to get fully compliant with the GDPR and the ePrivacy Directive. Some sort of enforcement crackdown is likely to occur after this date, so make sure to get your house in order as soon as possible.
The CNIL's guidance sets out six "main principles" on cookies, which can be characterized as:
Let's take a closer look at each of these principles and what they mean for your website.
The CNIL states that you cannot assume you have a person's consent because they:
Here's an example of such a cookie banner, from Twitter:
Under the CNIL's guidelines, this cookie banner is not a legally compliant way of obtaining consent.
Instead, make sure your cookie consent notice is adequate and legally compliant.
The CNIL states that consent is only valid if you obtain it via a clear, affirmative action. This opt-in requirement is "Consent 101" under the GDPR: it's actually part of the definition of "consent," at Article 4 (11) of the GDPR:
This requirement means you can only obtain valid cookie consent when a person clicks a button saying "Accept," or similar. When it comes to cookies, there's really no other way to get valid consent.
Once you've got a person's consent for cookies, you need to make it easy for them to withdraw their consent.
Article 7 (3) of the GDPR actually states that it must be "as easy to withdraw as to give consent":
You could achieve this by placing an unobtrusive "slider" that persists across each page of your website, allowing people to opt in and out of cookies.
Here's an example from the Post Office:
Note that the Post Office provides a cookie consent dashboard, accessible via the "Change Preferences" link. It's important to include an option such as this, and not to rely on users manually changing their cookie preferences via their browser.
Here's how the Post Office's cookie consent dashboard looks:
The Post Office offers a "granular" approach to cookie consent, allowing people to opt in or out of "functional" and "performance" cookies. This approach complies with the GDPR's requirement that consent must be "specific."
This unbiased presentation is a very important feature of valid cookie consent. Many websites require users to wade through several screens of cookie consent options and individually opt out of tracking with scores of third parties.
Techradar presents a variety of purposes for which users can opt out of cookies, but these are all switched to "ON" by default. It's possible to "AGREE TO ALL," but not to "REFUSE ALL."
Let's click on the "Personalized ads and content" section:
You get the idea. Giving consent is easy: just click "AGREE." Refusing consent is an ordeal.
Here's an example of how it should be done, from law firm K&L Gates:
K&L Gates provides the options to "Reject Cookies" or "Accept All Cookies" with equal prominence. Importantly, both options are presented in the same color. Using a brighter color for "Accept" than you use for "Reject" can be a so-called "dark pattern" that manipulates user behavior.
The GDPR requires consent to be "informed." In the context of cookies, this means when requesting cookie consent you'll need to provide both:
The CNIL specifies that you must include the following information before obtaining cookie consent:
It might be a challenge to fit this all on a cookie banner. There's a balance to be struck between providing comprehensive information and providing information that doesn't overwhelm people.
Here's an approach from Digital Catapult:
Digital Catapult presents people with information about its purposes for collecting their personal information alongside information about the types of personal data it collects. As an aside, this cookie banner is also a great example of how to offer equally weighted "accept" and "reject" options.
Finally, the CNIL, and the GDPR itself, require that you keep a record of any consent you have obtained for cookies. The way you achieve this will depend on your method for obtaining cookie consent.
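The mechanics described above (opt-in by affirmative action only, withdrawal as easy as acceptance, granular purposes, and a record of each decision) can be wired together as a default-deny gate in front of every non-essential tag. The following is an added example, not code from this article or from the CNIL; the purpose names, action names and record fields are assumptions chosen for illustration.

```javascript
// Added example: default-deny consent gate with an append-only consent log.
// Purpose names, action names and record fields are illustrative assumptions.
const EXEMPT = new Set(["essential"]);          // strictly necessary: no consent needed
const PURPOSES = ["analytics", "advertising"];  // non-essential: opt-in required
// Explicit user actions, mapped to whether they are able to grant anything.
const EXPLICIT_ACTIONS = new Map([
  ["accept_all", true], ["save_preferences", true],
  ["reject_all", false], ["withdraw", false],
]);

class ConsentManager {
  constructor(policyVersion, now = () => new Date().toISOString()) {
    this.policyVersion = policyVersion;
    this.now = now;
    this.log = []; // append-only evidence of every decision
  }

  // Record a decision only when it comes from an explicit user action.
  decide(action, requested = []) {
    if (!EXPLICIT_ACTIONS.has(action)) return false; // any other event changes nothing
    const unknown = requested.filter((p) => !PURPOSES.includes(p));
    if (unknown.length) throw new Error(`unknown purpose: ${unknown.join(", ")}`);
    const granted = EXPLICIT_ACTIONS.get(action) ? [...requested] : [];
    this.log.push(Object.freeze({
      at: this.now(), action, granted: Object.freeze(granted),
      policyVersion: this.policyVersion,
    }));
    return true;
  }

  acceptAll() { return this.decide("accept_all", PURPOSES); }
  rejectAll() { return this.decide("reject_all"); }
  withdraw() { return this.decide("withdraw"); } // one call, same effort as accepting

  isAllowed(purpose) {
    if (EXEMPT.has(purpose)) return true;
    const last = this.log[this.log.length - 1]; // latest decision wins
    return Boolean(last && last.granted.includes(purpose));
  }

  // Run a tag loader only if its purpose is currently consented to.
  loadTag(purpose, loader) {
    if (!this.isAllowed(purpose)) return false;
    loader();
    return true;
  }
}
```

In a browser, the `loader` callback is where a third-party script would be injected, so nothing tied to a non-essential purpose runs until `isAllowed` returns true for it.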
The deadline for implementing the CNIL's cookie consent guidance is March 31st, 2021. Make sure your website is fully compliant with the GDPR and the ePrivacy Directive by this date, and bear the CNIL's six principles in mind: