SFBX

The CNIL reinforces its guidelines on the use of cookies...
But SFBX had already thought of everything (or almost)!

On October 1st, 2020, the CNIL published its amending guidelines and a final version of its recommendations on the use of cookies and other trackers.

As part of its action plan on ad targeting, on September 17, 2020, the French data protection authority:

- Amended the guidelines of July 4, 2019 recalling the law applicable with GDPR, following the Conseil d'Etat decision of June 19, 2020 [1].

- Established a recommendation that acts as a practical guide to inform those who use cookies and other tracers about the practicalities of obtaining the Internet user's consent [2].

What does this mean for you, SFBX customers?

Absolutely nothing, our solutions already comply with all these measures!

Indeed, the new CNIL guidelines are merely a strict interpretation of GDPR. The new measures aimed at protecting and respecting the consent of Internet users have been part of our DNA and our concerns since the creation of SFBX. Most of the principles reinforced by the CNIL have already been integrated into our AppConsent products.

Applicable by March 31, 2021 at the latest, the CNIL guidelines and recommendations will have to be implemented on all digital media (web, mobile applications, connected TV, connected vehicle, IOT, etc.).

[1] https://www.cnil.fr/sites/default/files/atoms/files/lignes_directrices_de_la_cnil_sur_les_cookies_et_autres_traceurs.pdf

[2] https://www.cnil.fr/sites/default/files/atoms/files/recommandation-cookies-et-autres-traceurs.pdf

But what are these new guidelines, which recommendations will have to be incorporated by 31 March 2021, and how do we apply them in our products?

We explain it all to you!

First of all, let's specify that all technologies having the effect of reading or writing data in the user's terminal are concerned, namely:

  • cookies, 
  • tracking pixels,
  • the "web beacon", 
  • flash cookies, 
  • HTML 5 storage, 
  • local storage, 
  • the IndexedDB, 
  • IDFA, 
  • fingerprinting, 
  • etc.

Cookies are not the only ones affected, far from it. This applies to all trackers. 

When we talk about cookies in the rest of this article, we mean both cookies and other trackers. 

The expression of consent

1 - Refusing cookies should be as easy as accepting them

The CNIL considers that the data controller must provide the Internet user with the possibility of accepting or refusing the use of cookies with the same degree of simplicity.

Thus, the "reject" button must be present on the same screen as the "accept" button, in the same format and at the same level:

Source: CNIL

With AppConsent, you already have the option of adding the "opt-out" button to your consent notice, with the same modalities as the "opt-in" button, so that the Internet user can make an informed choice.

To create your notice with all the buttons recommended by the CNIL, consult our documentation.

Source : AppConsent

2 – No pre-checking of consent boxes by purpose

When the Internet user chooses to fine-tune his or her consent by means of the boxes for collecting consent by purpose in the notice, these boxes must be unchecked by default so that his or her decision is not influenced.

With AppConsent, no box is pre-checked on the notice, they are all at the neutral point so that the choice of the Internet user is free and explicit:

Source : AppConsent

3 - Consent is expressed by a positive and clear act of the Internet user

The CNIL noted that the action of scrolling through a web platform or continuing its use is not considered a clear act of the Internet user and cannot in any case constitute consent to the processing of his or her data.

To provide valid consent that meets the conditions set by GDPR, the Internet user must, for example, click on "Accept".

With AppConsent, your users can already have explicit access to the "accept all" or "reject all" button.

Source : AppConsent

You can also add a "Continue without accepting" button by checking the little "use a button to pass" box. 

Source : AppConsent

4 - Retention of consent

The committee suggests that websites, which generally retain consent to trackers for a certain period of time, should also retain users' refusals for a certain period of time, so as not to re-interrogate the user on each visit. In this case, the period of validity of the consent chosen by the controller must take into account the context, the scope of the initial consent and the expectations of the users. The Commission considers that, in general, it is good practice for publishers to keep these choices (both consent and refusal) for a period of six months.

With AppConsent, both positive and negative consents are kept. Thanks to our first party listener, the CMP remembers the user's choices and only asks for them at the end of the holding period, or when changing scopes or versions.

You can override this via the back office and ask for consent more frequently, but be aware that this practice causes consent fatigue and your consent rate may be revised downwards.

In addition, to ensure that the user is fully aware of the scope of his consent, the CNIL recommends that, when tracking devices are used on sites other than the one visited, consent should be obtained on each of the sites concerned by this tracking.

5 - The cookie wall

A cookie wall is a device by which the publisher of a website or a mobile application conditions access to the content of its pages on the fact that the visitor expresses his consent to the placing of a cookie on his computer and its use for advertising purposes. This means blocking access to a website or mobile application for users who do not give their consent.

The implementation of a "cookie wall" is likely, in certain cases and under certain conditions, to infringe the freedom of consent. Thus its legality will be assessed on a case-by-case basis by the CNIL. The information provided to the user must clearly indicate the consequences of his or her choices and in particular the impossibility of accessing the content or service in the absence of consent.

Source : AppConsent

Regarding AppConsent, our UX teams are currently working on the subject. Do not hesitate to contact our support team to make an appointment so that we can consider, on a case by case basis according to your needs, the form and wording that your cookie wall should take if you want to set one up.

Informing people

1 - Users should be able to withdraw their consent easily and at any time

The CNIL points out that withdrawing consent must be as easy as giving it. The solutions allowing the user to withdraw his consent must be easily accessible on the web platform, at any point during navigation.

If the platform chooses to insert a link to its platform, it is recommended to use a clear name for it, such as "cookie management module" or "manage my cookies".

It is also possible to use a cookie icon, at the bottom left of the web platform pages, redirecting to the consent management platform.

Source: CNIL

With AppConsent, when the user gives their consent, the last page of the notice shows them where they can change it. A link in the footer of the website can be installed via the back office; when the user clicks on it, the notice with his previously saved choices will be displayed. A privacy center with a logo is also made available to the editor to put in the footer of his site so that the user can quickly identify where he can simply modify his choices. The user will also be able to permanently find the list of partners and their purposes.

Source : AppConsent

2 - Users must be informed of the purposes of the cookies, the consequences of accepting or refusing them and the identity of all partners using cookies before giving their consent

According to the 1978 French Data Protection Act and the 2018 GDPR, users must be able to access clear, detailed information on what their consent entails and the options available to them.

The purposes of the various data processors must be presented to users before they have the opportunity to accept or refuse. They must be formulated in a clear and intelligible manner and in a language that is adapted to enable all users to understand precisely what they are consenting to.

Source: CNIL

With AppConsent, all the purposes (IAB TCF V2) of the trackers are explicitly detailed and explained on our notice and the user can make choices by purpose.

Users must also be informed of the identity and personal data processing policy of all actors who may have access to their data and who may use tracking devices subject to consent.

With AppConsent, the list of partners of the data controller is present on the notice. This allows you to display all the partners as well as their purposes and the link to their privacy policy.

In our notice, each purpose also lists the set of actors using it.

 

Source : AppConsent

3 - Data controllers must be able to provide proof of the user's consent

At any time, the user can ask the data controller for proof that his or her consent was validly collected, whether positive or negative, along with any modifications to it.

On AppConsent, with our blockchain, we can provide proof of consent with context, that is, the time and day, the version of the notice that was used to collect the consent, and all the elements related to the modification of the consent.

Proof extraction is present via an API and on our back-office.

Source : AppConsent

Cookies and other tracers exempted from the collection of consent

There are several types of cookies, those necessary for the proper functioning of the web platform and those that allow the collection of personal information of Internet users for marketing purposes.

Also, according to the CNIL, some cookies are so-called "functional" and do not require consent to be used since they are mandatory for the web platform to be usable. 

These tracers include: 

  • Tracers retaining the choice expressed by users on the deposit of tracers;
  • Tracers for authentication to a service, including those intended to ensure the security of the authentication mechanism, for example by limiting robotic or unexpected access attempts;
  • Tracers intended to keep track of the contents of a shopping cart on a commercial site or to invoice the user for the product(s) and/or service(s) purchased;
  • user interface customization trackers (e.g., for the choice of language or presentation of a service), where such customization is an intrinsic and expected feature of the service;
  • tracers for load balancing of equipment involved in a communication service;
  • Tracers allowing paying sites to limit free access to a sample of content requested by users (predefined quantity and/or over a limited period);
  • certain audience measurement tracers when they respect certain conditions. Google Analytics is not one of these trackers because it has a marketing purpose. 

There are two exemptions to the requirement for prior consent for any read or write operation on a user's terminal: 

  • the operation is strictly necessary to provide a service explicitly requested by the user 
  • the transaction enables or facilitates the transmission of an electronic communication. 

This exemption applies in particular to the following tracers: 

  • those intended for authentication with a service, 
  • those intended to keep track of the contents of a shopping cart on a commercial site, 
  • some of them aiming at generating statistics of frequentation, 
  • those allowing paying sites to limit free access to a sample of content requested by users. 

A/B testing is not consent-free. 

Let's focus on the audience measurement trackers, or web analytics, because their scope of exemption has been reduced. Indeed, to be exempted, a web analytics processing must only serve to provide anonymous statistics to the publisher. The data must not be used for other purposes or passed on to third parties [3].

During different webinars, Mr Armand Heslot, head of the CNIL's technological expertise department, gave details on web analytics:

  • if it is only used to provide a service that is strictly necessary for the proper functioning of the service requested by the user, such as measuring the performance of the site (monitoring the quality of videos, download time, navigation problems and bugs, or measuring the audience to predict the load on the infrastructure providing the service), then it is exempt from consent.
  • if it serves or supports other purposes, then obtaining consent is mandatory.

If web analytics is exempt from consent, it is still subject to GDPR, so users must be given the opportunity to exercise their right to object. 

So is Google Analytics exempt? As the CNIL is well aware of the market's concerns about the management of GDPR for this tool used mainly by digital players, Mr Heslot was keen to make a precise point on the subject: Google Analytics is not exempt from consent, as audience measurement data is used for other purposes as indicated in the contract and the TOU for the service.  

In order to dispel any doubt as to whether or not an audience measurement solution is exempt, the CNIL has launched an evaluation program to determine whether providers of audience measurement tools can offer their clients a solution that is exempt from the requirement to obtain consent [4].

In conclusion, at SFBX the collection of user consent has always been at the heart of our concerns. With these new measures applicable on March 31, 2021, the emphasis is put on transparency in the relationship between data controllers and Internet users, and this is not to our displeasure, quite the contrary!

Don't hesitate to contact us if you have any questions about these new guidelines and recommendations, because one thing is certain: these new practices must become a habit, because the penalties will be heavy and the CNIL, having given the market a long period in which to comply, will be less and less tolerant of non-compliance with GDPR!

[3] https://www.cnil.fr/fr/cookies-solutions-pour-les-outils-de-mesure-daudience
[4] https://www.cnil.fr/fr/solutions-de-mesure-daudience-exemptees-de-consentement-la-cnil-lance-un-programme-devaluation

What is Ad4good?

Ad4good is the first solidarity advertising network. If you accept personalised advertising on our site, you will be helping to finance some forty associations in need.

See the full list of associations on the Ad4good website

The Ad4good network is implementing 3 actions to ensure its mission:

  • Partnership between publishers and Ad4Good: part of the publisher's inventory is reserved for the distribution of solidarity ads. These ads are monetised by Ad4good, which then donates 50% of its margin to associations.
  • Partnership between advertisers and associations: each advertisement broadcast by the advertiser during an "Ad4Good" labelled campaign generates a donation for the partner association of the campaign.
  • Partnership between publishers and associations: Ad4good offers publishers the opportunity to provide visibility to partner associations by reserving unused advertising space.

To allow the associations to continue their actions, you can accept everything or set your choices in detail by allowing "Store and/or access information on a terminal" and "Personalised advertising".

Ad4good, partner of the CMP AppConsent® for responsible and ethical advertising

We are partners with the Ad4good network, the first solidarity-based advertising network that brings together some forty associations.

What does this mean for your audience?

By opting in to the AppConsent® Xchange Solidaire offer, your participation will be mentioned on the first screen of your consent form.
If a user refuses collection for advertising purposes, a reminder screen will be displayed so that they can change their choices if they wish to be an actor of change towards more ethical advertising.

What are the eligibility criteria?

As a pre-requisite, your website must carry advertising. Once you have registered with AppConsent® Xchange Solidaire, you must have a significant amount of responsible advertising on your website (at least 20%).

The AppConsent® Xchange Solidaire offer allows you to take part in a more responsible advertising ecosystem focused on solidarity and environmental preservation.