What are the new CNIL’ guidelines on cookies and tracking technologies?
What is changing and how to comply?
You must obtain valid consent from your users before placing non-essential cookies on their device.
Merely continuing to browse your site is not a valid expression of user consent. Indeed, people must consent to the deposit of cookies or other similar technologies by a positive act (eg clicking on “accept” in a cookie banner). As a result, cookies that are not essential for the operation of the service can only be placed once consent has been obtained.
It is also mandatory that your users be able to withdraw their consent at any time. They should also be able to refuse all cookies as easily as accept them. Therefore a “decline” button should be placed at the same level as an “I agree” button on your consent banner.
You must clearly inform people of the purpose of each cookie before they can give their consent. Also, the consequences of refusing and accepting cookies must be clearly explained. It is also mandatory to list the identity of all actors using cookies subject to user consent.
The organisations operating the cookies must be able to provide at any time proof of the valid collection of the free, informed, specific and unambiguous consent of the user.
Here is our list of Dos and Don’ts of a compliant cookie consent.
What is the deadline to comply ?
The CNIL estimates that the deadline for compliance with the new rules should not exceed six months, i.e. at the end of March 2021 at the latest.
The CNIL invites all the actors concerned to ensure that their practices comply with the requirements of the GDPR and the ePrivacy directive.
For more information, please consult the CNIL website.