To understand what a cookie is exactly, you may refer to this article.
Article 5(3) of Directive 2002/58/EC, amended in 2009, transposed into French law by Article 82 of the Data Protection Act, establishes the principle of prior consent of the user before storing information on his or her terminal or accessing information already stored on it, unless these actions are strictly necessary for the provision of an online communication service expressly requested by the user or are exclusively intended to enable or facilitate communication by electronic means.
More simply, this means that it is mandatory to obtain the consent of the Internet user before storing information on his or her terminal or accessing information already stored. However, in the event that cookies are essential to the provision of an online communication service expressly requested by the user or are exclusively intended to facilitate a communication by electronic means, consent is not required.
The CNIL recalls that the consent provided for by these provisions refers to the definition and conditions provided for in Articles 4(11) and 7 of the GDPR. It must therefore be free, specific, informed and unambiguous. Moreover, the user must be able to withdraw it, at any time, with the same simplicity as he granted it.
On September 17, 2020, the CNIL adopted guidelines to recall the applicable law and to clarify it. To be followed by a recommendation in 2021.
How to collect a valid consent?
The CNIL specifies that a valid consent must be manifested by a positive action of the person previously informed, prior to the deposit and reading of cookies. Thus, the person must be fully aware of the consequences of his choice and have the ability to accept, refuse and withdraw his consent. It must therefore be free, unambiguous and informed.
Thus, the company must put in place the appropriate practical modalities but also share the information in a clear and intelligible way to allow Internet users to fully exercise this right.
It is to note that revoking the consent must be as easy as giving it for the user. In octobre 2020, the regulator had specified in October that it wanted the « Refuse All » button on the consent form to be as easy to access as the « Accept All » button.
How to prove that consent has been obtained?
The company must implement all the measures to collect a valid consent, it is up to the company to bring the proof in case of control by the CNIL.
To do so, it can :
-Take and keep a screenshot of the visual rendering of the cookies banner displayed on a mobile or fixed terminal for each version of the site or application, taking care to time-stamp them sequester a condensed or « hashed » version of the code used with a third party of the computer code used to collect consent.
-Mandate competent third parties to carry out regular audits in order to take stock of the mechanisms used to collect consent.
-Keep information related to the tools and their successive configurations in both its information system and that of the publisher of these solutions.
How long to keep the collected data?
The cookies themselves must be kept for a period not exceeding thirteen months, as recommended by the CNIL. As for the collected data, their retention period should not exceed 25 months. Moreover, it is essential to review these lifetimes and retention periods to ensure that they are limited to what is strictly necessary.
Companies must be very careful in the way they handle their cookies, specially since the CNIL is keeping a close eye on how the consent is collected. Indeed, it is determined to force websites to comply with the legislation on cookies. To do so, it does not hold back on sanctioning companies. Recently, more than 60 have been called to order concerning the button to revoke consent that was too difficult to find for the user. Sanctions may go up to 2% of the sales turnover. It is not something to take lightly, specially since the CNIL is currently doing an inspection campaign.
