French DPA Issues Guidance for Cookie Disclosures: Specific Consents Required for Specific Cookie Functions

FILTER
November 9, 2011
Brenda Leong
About Brenda
Blogs by Brenda

In 2009, a French ordinance was put in place pursuant to the EU e-Privacy Directive (2009/136/EC), requiring online businesses and other websites to obtain prior user consent for the placement of cookies on users’ computers.   The prior consent issue has been a contentious one in Europe recently, with the Article 29 Working Party rejecting proposals from the IAB for streamlining the consent process.  On November 2, the CNIL (the French DPA) published a Guidance which spells out what it means to obtain prior consent for cookies under French law.  The CNIL observed that while web browser setting could be one way to obtain consent for the various uses of cookies, browsers have not yet evolved to provide sufficient granularity of choice.  Therefore, the CNIL has said that consent must be specific – must refer to specific processing for a defined purpose.

Notably, the CNIL Guidance says:

  • “Cookies” include such flash cookies, other locally shared objects, and document object models and other web storage areas.
  • Cookies that have purely technical functions such as shopping basket cookies or local languages do not need specific consent.
  • A browser setting accepting all cookies without specifying their purpose is not valid prior consent.
  • Banners at the top of web pages may be used to obtain consent as well as consent forms superimposed on the site, or boxes that can be checked during sign-up to use a site.
  • Pop ups to obtain consent are discouraged since they often are blocked.
  • Changes to take-it-or-leave-it terms of use are not adequate for obtaining consent for each kind of cookie, since users might grudgingly accept the terms of use in order to use the site, but still object to certain cookie functions and not have a way of expressing the objection.
  • Site owners are responsible for third-party cookies including those from behavioral advertising entities.
  • If consent is given for a third-party advertiser’s cookie, there is no obligation for the advertiser to get consent if the user goes to a different site that displays the same advertising.
  • Cookies that keep track of users’ choices are permissible without consent.

Violation of the French law on cookie consent can result in a fine of €300,000 but apparently the CNIL is willing to give some websites time to implement the requirements of the law as interpreted by the Guidance.

The Guidance is available here.

 

Published: Last Updated: August 31, 2020

Explore

Issues

authors

dates

Posts by Brenda

Spectrum of AI Publication
The Spectrum of AI: Companion to the FPF AI Infographic
READ MORE
post image
Now, On the Internet, EVERYONE Knows You’re a Dog
READ MORE
AI Out Loud Event Image
5 Highlights from FPF’s “AI Out Loud” Expert Panel
READ MORE
View More