CNIL’s guidance on cookies sets stricter consent requirements

Web publishers need to adapt their websites to France’s new rules. Ariane Mole and Juliette Terrioux of Bird & Bird explain.

On 4 July 2019, France’s Data Protection Authority (the “CNIL”) adopted new guidelines on cookies and similar technologies(1), which replaced the previous guidance published by the CNIL in 2013(2).

The major change concerns the means of obtaining valid consent from users. Consent can no longer result from users' browsing on the website. Web publishers will now have to comply with stricter requirements for users’ consent.

These new guidelines also introduce other changes, the key elements of which are analysed below.

Legal framework for the use of cookies

Since 2009, the use of cookies and similar technologies (i.e. functions usually performed by a cookie which can be achieved by other means: Local Shared Objects(3), fingerprinting techniques, etc.) has been regulated at EU level by the e-Privacy Directive(4). The e-Privacy Directive provides that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a user requires the consent of the user, given after the user has been provided with an appropriate information notice.
