Privacy & Information Security Law Blog

On December 16, 2013, the French Data Protection Authority (“CNIL”) released a set of practical FAQs (plus technical tools and relevant source code) providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU and French data protection requirements (the “CNIL’s Guidance”). Article 5.3 of the revised e-Privacy Directive 2002/58/EC imposes an obligation to obtain prior consent before placing or accessing cookies and similar technologies on web users’ devices. Article 32-II of the French Data Protection Act transposes this obligation into French law.

The CNIL’s Guidance indicates that this obligation applies to website publishers, operating system and application publishers, advertising networks, social networks and website analytics solutions providers.

The CNIL’s Guidance also states that only certain cookies are exempt from the consent requirement under French data protection law, namely cookies whose sole purpose is to enable or facilitate electronic communications or that are strictly necessary for the provision of an online communication service as expressly requested by the user. According to the CNIL’s Guidance, this includes:

• cookies used for a “shopping basket” on a merchant’s website;
• “Session ID” cookies for the duration of the session (or persistent cookies limited to a few hours in some cases);
• authentication cookies;
• multimedia player session cookies;
• load balancing session cookies; and
• persistent user interface customization cookies.

Some web analytics solutions also may qualify for an exemption from the consent requirement.

In all other cases, the CNIL’s Guidance emphasizes that:

• web users’ consent must be obtained before placing or reading cookies and similar technologies (such as web bugs and fingerprinting technologies), and such consent must be obtained each time these technologies are used for a new purpose;
• the validity of the consent is linked to the quality of the information provided to web users – in particular, web users must be clearly informed of the different purposes for which the cookies and similar technologies will be used; and
• web users’ consent is valid only if the users have a real choice between accepting or refusing cookies and similar technologies.

In practice, the CNIL recommends obtaining consent using a two-pronged approach, as described below.

Step 1: Provide Information to the Web User About the Cookies and Their Purposes 

According to the CNIL’s Guidance, a banner must appear on the home page or on a subpage of the website when a user visits it. The banner must specify:

• the exact purposes of the cookies used on the website; and
• the fact that, by continuing to use the website, the user accepts the use of cookies.

The banner must also include a link to another page (“For more information”) that explains how to change cookie settings and accept or refuse cookies. The CNIL’s Guidance includes a template banner and specifies that such a banner must remain until the user interacts with the website. If the user does not continue to use the website, this absence of action cannot be interpreted as the user’s consent to the use of cookies.

Step 2: The “More Information” Page

According to the CNIL’s Guidance, when a user clicks on the “For more information” link provided in the banner, the user must be directed to information about how to accept or refuse cookies. This may be presented as:

• a cookie consent mechanism directly available on the website or application;
• a link to opt-out solutions offered by advertising networks, social networks and website analytics solutions providers, (assuming that these solutions are user-friendly and functional); or
• under certain circumstances, details on how to modify browser settings to accept or refuse cookies.

Cookie Expiration

The CNIL’s Guidance recommends that a user’s cookie consent may be considered valid for up to 13 months. After this period, the website must get renewed consent from the user. The CNIL’s Guidance states that cookies should be programmed to expire 13 months after they are placed on a user’s device.