- Consent must be obtained each time these technologies are used for a new purpose and should be renewed within 13 months.
- Consent mechanism should be programmed for cookies to expire 13 months after they are placed on a user’s device.
- Consent is only valid if users have a real choice between accepting or refusing cookies and similar technologies.
The CNIL also suggests a layered approach
- A banner should appear on the home page or any other pages visited by the user which specifies the specific purposes for which cookies are used, and which clarifies that by continuing to use the site, the user accepts cookies.
- There also needs to be a link to more detailed information on another page. The banner must remain visible until the user interacts with the site. The fact that the user leaves the site without rejecting cookies may not be interpreted as consent.
- consent mechanism directly available on the website or application;
- a link to opt-out solutions offered by advertising networks, social networks, and website analytics solutions providers, provided these solutions are user-friendly and operational; and
The guidance also confirms that only technologies strictly necessary for the provision of electronic communications and service expressly requested by the user are exempt from the consent requirement, including session ID cookies, user authentication cookies, multimedia player cookies, or user interface customization cookies. The only analytics solution that currently qualifies for the exemption is PIWIK. Google Analytics and other widely-used commercial tools are not exempt and the require consent. The guidance also refers to suggested language for the banner and for social sharing cookies.
See the CNIL website for more information (Google translated): http://www.google.com/translate?hl=en&ie=UTF8&sl=auto&tl=en&u=http%3A%2F%2Fwww.cnil.fr%2Fvos-obligations%2Fsites-web-cookies-et-autres-traceurs%2F
Original in French: http://www.cnil.fr/vos-obligations/sites-web-cookies-et-autres-traceurs/