French Authority CNIL Releases Cookie Compliance Guidance

France’s data protection authority, CNIL has recently released guidance for complying with the French implementation of the cookie law.

This new guidance goes into much more detail than has previously been available, and also more detail than the UK’s ICO, so it is worth taking a look at what they have to say, and the potential implications both for France and the UK if a similar approach becomes adopted here.

No Consent Required

There are a range of different types of cookies that will not require user consent in France.  These include shopping basket cookies, security cookies, session IDs, personal prefernce cookies (e.g. language preference), and flash cookies for media player functionality.

This is quite a broad spectrum but it does all seem in line with the ‘strictly necessary’ aspect of the EU Directive.

In the UK only shopping basket cookies have been explicitly mentioned by the ICO as falling in this category, although this does not mean they might make a similar interpretation of these other cookie types.  However, their own site currently describes a Session ID cookie as ‘essential’ rather than ‘strictly necessary’.

If the ICO were to adopt the CNIL appraoch to these types of cookies – it could simplify things for a lot of website owners, as these cookies are often controlled directly by the underlying technology of a website, and are very difficult to remove, yet their impact from a privacy point of view is minimal, as they are destroyed by the user closing their browser.

The ICO has indicated that they will be updating their guidance in the next few weeks – so maybe we shall get some further clarification at that point.

Cross Domain Consent

There is a real potential bonus for advertisers in the French system.  This is because it allows for consent for third party cookies given on one website to apply to any other website that might use the same cookie.

Advertising networks might as a result seek to obtain consent from users directly and this appears on the surface to make life easier for the website operator.

However, as the operator is likely to have their own cookies anyway – it could actually make for a difficult user experience because they might visit a site and then be confronted with several consent mechanisms taking over their pages. 

If poorly implemented this could result in exactly the sort of damaging user experience that many people have feared from the beginning.  However, if there was a more joined up approach that enabled users to control cross-domain consent in a simple way – there would be significant benefits for everyone.

Browser Settings Not good Enough

It looks like CNIL have come to the same conclusions that we did in a previous post.  The browser based approach that the UK government is looking to pursue is not in their opinion going to work on its own.

It is not simply that browsers do not provide good enough user controls – this is something that could be overcome relatively easily.

As we have pointed out before – there is no current way that browsers can communicate user preferences to a website in order to ensure that preference is honoured. And neither is there a way for a website to communicate cookie information to the browser so that a user can make an informed choice. 

Regardless of these technical issues, the fact remains that where the website owner has the liability, they must also take responsibilty for ensuring the law is met.  It would be a huge leap of faith to ask a global browser manufacturer – that has no liability under the law and therfore nothing to lose, to be responsible for ensuring you compliance with a local law.

No company could surely afford to take that kind of risk.

Obtaining Consent

The CNIL guidance includes a number of examples of how consent may be obtained,  and we are glad to see that our general model is one that has been endorsed.

However, there is a twist to this.  Websites will need to go further than offering an opportunity for consent, by also offering an option to refuse consent and have that refusal recorded for future visits. This requires both a ‘multiple choice’ option to be presented and a cookie to record the choice.  This approach suggests that simply ignoring a consent request message as you browse cannot be considered a good enough indication of a user’s wishes.

For those that are interested in finding out more, there is an article on the IAPP website by Gabriel Voisin of leading law firm Bird & Bird.