The French privacy regulator CNIL has released guidance on how to comply with the European Union’s General Data Protection Regulation (GDPR) when using cookies and other web tracking technologies that are an integral part of most companies' public-facing websites.
The rules serve as a guide for any company that does business in Europe and controls or processes the personal data of EU individuals.
Here are some key takeaways:
- Any processing involving a tracker that collects personal data, whether directly identifiable such as an e-mail address, or indirectly identifiable such as the unique identifier of a cookie, must be done in compliance with the provisions of the GDPR. Other forms of indirectly identifiable data include an IP address, the identifier of a terminal or a component of a user’s terminal, the result of the footprint calculation in the case of a “fingerprinting” technique or an identifier generated by a software or operating system.
- Trackers requiring consent can't be used to write or read data until the user has given consent in a free, specific, informed and unambiguous way, by a statement or by a clear affirmative act.
- Consent can only be valid if the person concerned is truly able to exercise choice and does not suffer major inconveniences in the event of the absence or withdrawal of consent.
- Per the European Data Protection Supervisor (EDPS): blocking access to a website or mobile application for those who do not agree to be tracked, known as a “cookie wall,” does not comply with GDPR.
- Continuing to browse a website, use a mobile application or scroll through the page of a website or mobile application are not clear positive actions tantamount to valid consent.
- The use of pre-ticked boxes, as well as the acceptance of general conditions of use, can’t be considered as a clear positive act to give consent.
- It must be as easy to refuse or withdraw consent as it is to give it.
- Browser settings do not, in the current state of the art, allow users to express valid consent. This is partly because they do not distinguish between cookies according to their purposes, which means that the user is also not able to consent specifically for each purpose.
- Browser settings may evolve to incorporate mechanisms to collect consent consistent with the GDPR.
- Information describing trackers must be written in terms that are simple and comprehensible for all, and must allow users to be fully informed of the different purposes of the trackers used. Overly complex legal or technical terminology is insufficient.
- Information must be complete, visible and highlighted. This means that the information necessary for an informed decision about consent cannot be buried in general terms and conditions.
- For consent to be informed, users must be able to identify all entities using trackers before they consent. Thus, an exhaustive and regularly updated list of these entities must be displayed to the user directly when collecting their consent.
- Organizations must implement mechanisms to demonstrate, at any time, that they have validly obtained the consent of users.
- Where organizations do not themselves collect individuals' consent, this obligation cannot be fulfilled by the mere presence of a contractual clause committing another organization to obtain valid consent on their behalf.
In order for analytics cookies to qualify for the exemption from the consent requirement:
- They must be implemented by the publisher of the site or by a processor acting on its behalf.
- Individual visitors must be informed prior to their implementation.
- Individuals must be able to block the cookie by means of an opposition mechanism that can easily be used on all terminals, operating systems, applications and web browsers. No read or write operation shall take place on the terminal from which the person objected.
- The purpose of the analytics cookie must be limited to:
  - measuring the audience of the viewed content in order to evaluate the published content and the ergonomics of the site or application
  - segmenting the site's audience into cohorts to evaluate the effectiveness of editorial choices, without this leading to the targeting of a single person
  - dynamically modifying a site as a whole (not per user)
- The personal data collected must not be cross-checked with other processing (customer files or attendance statistics of other sites, for example) nor transmitted to third parties.
- The use of such trackers must be strictly confined to the production of anonymous statistics. Their scope must be limited to a single site publisher.
- The use of an IP address to geotag the user must not provide any location information more specific than the city. The IP address collected must also be deleted or anonymized once geolocation is completed.
- Such trackers' lifespans cannot exceed thirteen months, and this duration must not be extended automatically on new visits. The information collected through the trackers can be kept for at most 25 months.
Strictly Necessary Cookies
- Users must be informed of the existence and purpose of strictly necessary cookies — cookies that are essential to allow users to navigate a website and use its features.
Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR compliance issues, including data sharing, contact Odia at [email protected] or 215.444.7313.