CNIL Cookie Compliance – A Thorough Update on the New Recommendations & Guidelines

We’re living in the age of hyper-personalization – times when even the highly classified financial sector has gone all out to embrace technology and cohort-targeting. The customer expectations also align. They want companies to provide tailored experiences, irrespective of their platform or the interface they use for interaction. However, creating such personalized experiences means companies have to collect, manage, and protect consumers’ data.

As far as data collection is concerned, collecting and storing cookies to optimize the browsing experience and retarget customers based on cohorts has been the most obvious choice. Companies have been accessing third-party cookies to collect information that improves the user experience and, at times to power interactions with users via chatbots and live chats. It is a gold mine for organizations looking to improve their customer experience! However, it also means accessing personal user data and storing and using it – in some cases (think before GDPR), even without proper consent. The result? Leaks, cyber thefts, security breaches – and the list goes on.

Thus, it is only apparent for privacy forums, governments, and consumers to be concerned about data security. Even Google plans on phasing out cookies in 2022. And we are witnessing new updates for Privacy Laws across the globe. One such recent example is the Cookie Compliance Update by CNIL.

In early October, CNIL – the French Data Protection Authority – introduced a revision in its guidelines on cookies and similar technologies. The update listed CNIL’s final recommendations on how moving forward, companies need to obtain users’ consent to store or read non-essential cookies and similar technologies on their devices.

What You Need to Know About CNIL Cookie Compliance

In July 2019, after the roll-out of EU GDPR, France published some guidelines about the rules applicable to the use of cookies and similar technologies. Along with the guidelines, they also introduced some Recommendations for businesses on implementing these rules. After a public consultation, France’s Highest Administrative Court decided to annul the provision of cookie walls that prevented users who did not consent to the use of cookies from accessing a site or mobile app. Based on this decision, CNIL decided to revise its Guidelines.

Understanding the CNIL’s Updated Cookie Compliance Guidelines and Recommendations

Here are some key takeaways from the updated CNIL cookie compliance –

1. Cookie Walls are a No-No: The European Data Protection Board (EDPB) discourages cookie walls, i.e., blocking user access to a website or app in the absence of consent to tracking cookies. According to the EDPB, cookie walls do not comply with GDPR, and organizations cannot consider browser settings (currently) as proof of consent to cookies.
   
2. Displaying Cookie Processing Information: According to the updated Guidelines, businesses must mention how they plan to use and process user cookies. The information should be visible and highlighted and must include the controller’s identity, right to withdraw the consent, purpose of reading/writing operations, and full disclosure of any other entities that may use the cookie data, i.e., if shared amongst several entities.
   
3. Soft Opt-Ins Come With Conditions Applied: The updated CNIL Guidelines give companies the option of deploying audience measuring trackers without user consent, based on soft opt-in. However, soft opt-ins must comply with some conditions like
   
   a. Only the website publisher or his subcontractor can implement soft opt-in
   
   b. Businesses must be informed in advance about the implementation of such
   measuring trackers
   
   c. It should be easy for users to opt-out across any devices/browsers
   
   d. The purpose of soft opt-in should be limited to –
   i. Audience measurement of the visualized content for evaluation of the published contents and the metrics of the site/app
   
   ii. Audience segmentation to evaluate the effectiveness of editorial choices, without this leading to targeting a single person
   
   iii. Dynamic modification of the site in a global way. The collected personal data must not be cross-referenced with other processed data (e.g., customer files or attendance statistics of other places) nor transmitted to third parties.
   
   e. Businesses should limit the scope to a single-site editor
   
   f. If companies use Geotagging for IP addresses, the accuracy should be no more than city-level. Upon completing geolocation, the businesses must also delete the collected IP address.
   
   g. The validity of trackers should be no more than 13 months, and there shouldn’t be any auto-extension during new visits. The retention period for information collected from trackers can be 25 months.
   
4. Proof of Consent: The organizations storing and using cookies and other trackers must provide evidence of valid collection free, informed, specific, and unambiguous consent of the user at any time.
   
   The updated CNIL Recommendations will apply to all the businesses in France and websites that target people in France. You can find a list of updated Recommendations in French here.

A Checklist to Implement the Updated CNIL Cookie Recommendations

Step 1: Install a banner on your app or website seeking consent to store/read a cookie(s)

Step 2: Don’t use cookie walls or at least avoid the use as much as possible

Step 3: Explicitly state on the banner what cookies you are collecting, how will you use them, who owns the website, and the fact that users can reject cookies if they like

Step 4: Preferably, add a link to your privacy policy on the banner

Step 5: Include a straightforward and easy to use ‘accept all’ and ‘reject all’ button (or the one-click option of some sort) on the consent banner

Step 6: Give the users a button/link where they have the option to consent to the use of each type of cookie

Step 7: Unless the user clicks the accept button, avoid pre-loading any cookies (except those strictly necessary). If the users reject the cookies, do not load any cookies.

Step 8: To collect anonymous statistical data, pre-load the analytics cookie before consent.

Step 9: Always give users the option to revoke the consent by calling back the banner

Step 10: Maintain a log of the user consent you capture via the banner

Be CNIL Compliant with Secuvy

Secuvy Privacy Risk Assessment Automation solution can help you become fully compliant and simplify compliance with the GDPR, LGPD, and many more laws and frameworks.

As a part of our strategic risk assessment, we evaluate the collection, use, sharing, and maintenance of personally identifiable information by an organization. The risk profile thus created offers a high-level view of any data threats the organization faces and helps your company become compliant with fundamental privacy laws

AboutSecuvy Inc

Secuvy's cloud based platform helps businesses automate Data Privacy, Security and Governance. Visit our website for more information: https://secuvy.ai/