GDPR and Web Cookies
By Roxana Barica
The cookies, a bitter-sweet side of GDPR
More and more data protection authorities are concerned about the topic of cookies and other web trackers. The French authority (Commission Nationale de l’Informatique et des Libertés or CNIL) adopted extensive draft guidelines on July 4, 2019 following a public consultation. While a final draft of the guidelines is yet to be published, the document provides clear and helpful insights on how to lawfully obtain consent for cookies and other web trackers:
Collection of consent must observe the following characteristics:
- informed – more specifically, controllers should present the purpose of the trackers and should identify all those responsible for the processing;
- free – the website user should be offered the possibility to choose between two buttons presented at the same level and in the same format, with for example the words “I ACCEPT” and “I REFUSE”. The website user should also be offered the possibility not to make a choice;
- specific – for each individual purpose;
- unambiguous – the request must be detailed clearly enough that the website user is aware of the goal and scope of the action enabling them to accept or refuse.
Withdrawal of consent should be available at any time – the CNIL recalled that it must be as simple to withdraw consent as it is to give consent.
Duration of consent:
- in respect of the duration, CNIL recommends that consent should be renewed at appropriate intervals without waiting for the user to withdraw consent. The length of time during which consent remains valid will depend on the context, the scope of the initial consent and the expectations of the internet user. In general, the CNIL considers that a period of validity of six months from the expression of the internet user’s choice is appropriate.
Proof of consent:
CNIL recommends the implementation of the following mechanism:
- the recording of the information allowing the consent to be properly taken into account could be done at the level of the consent collection mechanism, i.e. the tracker in the case of a web browser, or the parameter used to store the consent information in the case of a mobile app, etc.;
- the data thus recorded could include a timestamp of the consent, the context in which the consent was collected (identification of the website or mobile app), the type of consent collection mechanism that has been used, and the purposes to which the user has consented.
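The recording mechanism described above, sketched as an added example (it is not taken from the CNIL guidelines or from the original article): a consent record stored in the consent cookie itself, checked per purpose and expired after six months. The field names, purpose ids, site name and cookie encoding are assumptions.

```javascript
// Added example: field names, purpose ids and the cookie encoding are assumptions.
const VALIDITY_MONTHS = 6; // validity period the CNIL considers appropriate

// Build the proof-of-consent record: timestamp, context, mechanism, purposes.
function buildConsentRecord(site, mechanism, choices, now = new Date()) {
  const purposes = {};
  for (const [purpose, accepted] of Object.entries(choices)) {
    purposes[purpose] = accepted === true; // only an explicit accept counts
  }
  return { ts: now.toISOString(), site, mechanism, purposes };
}

// Serialize the record for storage in the consent cookie.
function encodeConsent(record) {
  return encodeURIComponent(JSON.stringify(record));
}

// Parse a stored value; anything malformed is treated as "no choice made".
function decodeConsent(value) {
  try {
    const r = JSON.parse(decodeURIComponent(value));
    if (!r || typeof r.purposes !== "object" || r.purposes === null) return null;
    if (typeof r.site !== "string" || typeof r.mechanism !== "string") return null;
    if (Number.isNaN(Date.parse(r.ts))) return null;
    return r;
  } catch (e) {
    return null;
  }
}

// True once the record is older than the validity period and must be renewed.
function isExpired(record, now = new Date()) {
  const expiry = new Date(record.ts);
  expiry.setUTCMonth(expiry.getUTCMonth() + VALIDITY_MONTHS);
  return now >= expiry;
}

// A tracker for `purpose` may load only on a valid, unexpired, explicit accept
// that was collected on this site.
function isPurposeAllowed(value, site, purpose, now = new Date()) {
  const record = decodeConsent(value);
  if (!record || record.site !== site || isExpired(record, now)) return false;
  return record.purposes[purpose] === true;
}

// Withdrawal rewrites one purpose and keeps the original timestamp, so the
// remaining consents are not silently extended.
function withdraw(value, purpose) {
  const record = decodeConsent(value);
  if (!record) return value;
  record.purposes = { ...record.purposes, [purpose]: false };
  return encodeConsent(record);
}
```

Cookies inherently linked to the functionality of the website would bypass `isPurposeAllowed` entirely, since they do not need consent.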
Please note that not all types of cookies need consent (for example consent is not required for cookies inherently linked to the functionality of the website).
The above represents a reasonable yardstick of reference when structuring your website, and careful consideration must be given as the sanctions applicable are significant.
The French version of the document may be accessed from the following link: https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000038783337