The CNIL issued a draft recommendation to strengthen the hand of users in giving consent to placing cookies or other tracers on their devices.
Background: In July 2019, the French Data Protection Authority (CNIL) published guidelines on the application of Article 82 in the French Data Protection Act. These provisions regulate access to information on a user’s device through the use of cookies or other trackers. When they are not necessary for the provision of a service, these trackers can only be deployed with the consent of the user. In parallel, the CNIL worked to draft a recommendation for procedures to adopt when companies obtain such consent from end users. To this end, an initial consultation ran during Q4 2019.
The CNIL seeks to strengthen user consent: The CNIL has now issued a draft version of the recommendation, which will not be legally binding but will aim to formulate practical suggestions on how to implement the requirements of the law. For example, the purpose of a tracer must be shown before the user decides whether to give consent to it, and the recommendations include visuals to suggest how this information should be displayed on a screen. If consent is denied, users’ choice should be registered in such a way that consent is not asked again for a certain period of time. Companies should also refrain from misleading consumers to make them think that consent is necessary to continue using a website or service. Consent should also be granular, in that a user should be able to give consent for specific purposes if applicable, or to specific data controllers. Similarly, users should be given clear ways to withdraw their consent at any time.
Next steps: The draft recommendation is now subject to public consultation until 25 February 2020. Based on the responses, the CNIL will then amend the draft and adopt it at one of the next plenary sessions.