French published cookie use guidances

On December 16, 2013, the French Data Protection Authority (“CNIL”) published a set of FAQs to provide further guidance on how to obtain consent for the use of cookies and similar technologies.

Overall

  1. Consent must be obtained each time these technologies are used for a new purpose and should be renewed within 13 months.Madeleine
  2. Consent mechanism should be programmed for cookies to expire 13 months after they are placed on a user’s device.
  3. Consent is only valid if users have a real choice between accepting or refusing cookies and similar technologies.

The CNIL also suggests a layered approach

  1. A banner should appear on the home page or any other pages visited by the user which specifies the specific purposes for which cookies are used, and which clarifies that by continuing to use the site, the user accepts cookies.
  2. There also needs to be a link to more detailed information on another page.  The banner must remain visible until the user interacts with the site.  The fact that the user leaves the site without rejecting cookies may not be interpreted as consent.
  3. When users click on the page, detailed information should be available via a Cookie Policy or similar policy, including information about how to accept or refuse cookies. The CNIL accepts the following methods:
    • consent mechanism directly available on the website or application;
    • a link to opt-out solutions offered by advertising networks, social networks, and website analytics solutions providers, provided these solutions are user-friendly and operational; and
    • provided all cookies used are HTTP and third party cookies, details on how to modify browser settings to accept or refuse cookies.

The guidance also confirms that only technologies strictly necessary for the provision of electronic communications and service expressly requested by the user are exempt from the consent requirement, including session ID cookies, user authentication cookies, multimedia player cookies, or user interface customization cookies.  The only analytics solution that currently qualifies for the exemption is PIWIK.  Google Analytics and other widely-used commercial tools are not exempt and the require consent.  The guidance also refers to suggested language for the banner and for social sharing cookies.

See the CNIL website for more information (Google translated):  http://www.google.com/translate?hl=en&ie=UTF8&sl=auto&tl=en&u=http%3A%2F%2Fwww.cnil.fr%2Fvos-obligations%2Fsites-web-cookies-et-autres-traceurs%2F

Original in French: http://www.cnil.fr/vos-obligations/sites-web-cookies-et-autres-traceurs/

Thanks to the Email Sender and Provider Coalition (ESPC) for sending out this information to it’s membership. Come join us and get this sort of regular updates on changing legislation and policies.

-Dennis

photo by: dqqd

Leave a Reply

Your email address will not be published. Required fields are marked *