CNIL Issues New Cookie Guidance: Au Revior ‘By Using This Website I Accept This Privacy Policy’

July 18, 2019Alerts

After long anticipation, French regulator CNIL has issued a new cookie guidance. Some key takeaways are below:

  • Any processing involving a tracer, collecting personal data, whether directly identifiable (e-mail address) or indirectly (e.g. , the unique identifier of a cookie, an IP address, an identifier of the terminal or a component of the user's terminal, the result of the footprint calculation in the case of a technique "fingerprinting" or an identifier generated by a software or operating system) — requires compliance with the provisions of the General Data Protection Regulation.


  • Trackers requiring consent cannot be used for writing or reading until the user has demonstrated his will in a free, specific, enlightened and unequivocal way by a declaration or a clear positive act.
  • Consent can only be valid if the person concerned is able to validly exercise his choice and does not suffer major inconveniences in the event of absence or withdrawal of consent.
  • Per the European Data Protection Supervisor: the practice of blocking access to a website or mobile application for those who do not agree to be tracked (cookie walls) does not comply with GDPR.
  • The general acceptance of general conditions of use cannot be a valid method of obtaining consent, insofar as it cannot be given separately for each purpose.
  • Continuing to browse a website, using a mobile application, or scrolling through the page of a website or mobile application are not clear positive actions tantamount to valid consent
  • The use of pre-ticked boxes, as well as the general acceptance of general conditions of use, cannot be considered as a clear positive act to give its consent.
  • It must be as easy to refuse or withdraw consent as it is to give it.
  • Browser settings cannot, in the state of the art, allow the user to express the manifestation of a valid consent.This is partly because they do not distinguish between cookies according to their purposes, which means that the user is also not able to consent specifically for each purpose.
  • Browser settings could evolve to incorporate mechanisms to collect consent consistent with the GDPR.


  • The information describing trackers must be written in simple and comprehensible terms for all, and must allow users to be fully informed of the different purposes of the tracers used. The use of overly complex legal or technical terminology is not sufficient.
  • The information must be complete, visible and highlighted. This means that all information necessary for informed decision-making about consent cannot be contained in general terms and conditions
  • In order for consent to be informed, the user must be able to identify all entities using trackers before they can consent. Thus, the exhaustive and regularly updated list of these entities must be displayed to the user directly when collecting his consent


  • Organizations must implement mechanisms to demonstrate, at any time, that they have validly obtained the consent of users.
  • Where the organizations do not themselves collect the consent of individuals, such an obligation cannot be fulfilled by the mere presence of a contractual clause committing one of the organizations to obtain valid consent for the account of the other party.

Analytics Cookies

In order for analytics cookies to enjoy the exception from the need for consent:

  • They must be implemented by the publisher of the site or by its subcontractor.
  • The person must be informed prior to their implementation.
  • It must be able to be opposed by means of an opposition mechanism that can easily be used on all terminals, operating systems, applications and web browsers. No read or write operation shall take place on the terminal from which the person objected.
  • The purpose of the device must be limited to:
    • measurement of the audience of the viewed content in order to allow the evaluation of the published content and the ergonomics of the site or the application
    • the segmentation of the audience of the cohort website to evaluate the effectiveness of editorial choices, without this leading to targeting a single person
    • the dynamic modification of a site in a global way.
  • The personal data collected must not be cross-checked with other processing (customer files or attendance statistics of other sites, for example) nor transmitted to third parties.
  • The use of such trackers must also be strictly confined to the production of anonymous statistics. Its scope should be limited to a single site editor.
  • The use of the IP address to geotag the user must not provide more accurate information than the city. The IP address collected must also be deleted or anonymized once the geolocation is done.
  • Such trackers must not have a lifespan exceeding thirteen months and this duration must not be extended automatically during new visits. The information collected through the trackers must be kept for a maximum of 25 months.

Strictly Necessary Cookies

  • Users must be informed of the existence and purpose even of strictly necessary cookies.

Read the full text of the CNIL guidance here.

Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR compliance issues contact Odia at [email protected] or 215.444.7313.

Further Reading:

EDPB Opinion Provides Guidance on Controller-Processor Agreements Under GDPR

French Privacy Regulator Releases Long-Awaited Rules for Use of Cookies

How To Determine If Europe’s GDPR Law Applies to a U.S.-based Retail Business

European Regulator Provides Guidance on Conducting Clinical Trials Under the GDPR