Cookies according to the CNIL

Authors: Marine Vanhoucke, partner, Michela Navarra and Anais Martine

Since the entry into force of the General Data Protection Regulation in 2018, the CNIL had seemed rather lenient in imposing sanctions on companies that do not respect the right to the protection of personal data. But in recent months, this approach seems to have been clearly abandoned: there has been a marked increase in fines, as illustrated by those imposed on GAFA for non-compliance with the provisions relating to user tracers, generally called "cookies".

Thus Microsoft was ordered to pay 60 million euros due to "the lack of a mechanism in place that makes it as easy to refuse cookies as to accept them". Apple was fined 8 million euros because the consent of French iPhone users had not been obtained before transcribing their identifiers used for advertising purposes on the group's terminals. TikTok was fined 5 million euros because "users of the site could not refuse cookies as easily as accept them and they were not informed in a sufficiently precise way of the objectives of the different cookies". Finally, the company Voodoo was recently sentenced to pay a fine of 3 million euros for having traced users "without their prior consent". Indeed, the publisher of mobile video games used the technical identifier of iPhone users to track their activity and send them personalized advertisements, when they had clearly indicated that they did not wish to be tracked by the use of these tracers.

The CNIL therefore now ensures that the user is able to understand the use made of tracers and that this use is, in any case, subject to prior consent. According to the recommendations of the CNIL, information and consent relating to the use of cookies must be collected in the following manner:

  • Before being able to freely consent, the user must be informed by a brief title of the purposes and consequences of accepting or refusing cookies. He must also be informed of the identity of the actors using these tracers;
  • The user must be able to consent to cookies by a clear positive act: for example, clicking on "I accept";
  • Each purpose must be indicated by a short title presenting a brief description;
  • The user must be able to make a choice by purpose; for example, if all the purposes are presented beforehand, it is possible to provide a choice between "accept all" or "reject all";
  • The exhaustive and up-to-date list of data controllers must be made available to the user when obtaining consent (e.g. hypertext link, drop-down banner accessible from the consent interface);
  • The user must be able to withdraw their consent easily and at any time;
  • The user must be able to refuse cookies as easily as to accept them;
  • Organizations using tracers must be able to provide, at any time, proof of valid collection of the user's free, informed, specific and unequivocal consent.

The CNIL has also given details concerning the retention period of said tracers. This is in principle 6 months for cookies subject to consent, except for statistical cookies exempt from consent for which a maximum retention period of 13 months is possible. With regard to the retention of personal data collected via these cookies, the recommended maximum duration is 24 months for data collected via statistical cookies, but no details are given for other cookies. The retention period will be determined according to the purposes of the latter.

In addition, the CNIL recommends:

  • Ensuring that the consent collection interface includes not only an "accept all" button but also a "refuse all" button;
  • Ensuring that not only the consents but also the refusals are kept, so as not to question users again during their subsequent visits;
  • Collecting consent on each of the sites concerned when cookies allow monitoring on sites other than the site visited, so that the Internet user is aware of the scope of his consent.

While many sites have already carried out compliance work concerning the processing of personal data and the management of cookies, recalcitrant sites must quickly comply with the requirements in this area under pain of substantial penalties.

Marine Vanhoucke

Partner

Marine Vanhoucke advises companies on intellectual property and supports them on compliance matters.

Head of the Hong Kong office, she assists French companies in their establishment and growth in Asia and has built up expertise in legal issues of international law, notably combining French and Asian interests.