'Most Innovative Startup 2020' by RSA - Watch the video

Learn More

On 18 March 2021, the French data protection authority CNIL released Questions and Answers to aid organizations to comply with its amended guidelines on the use of cookies and similar tracking technologies. Organizations have time till 1st of April, after which the CNIL will be empowered to take enforcement actions against organizations failing to comply with its requirements on cookies.

Let’s look into some key points highlighted by the CNIL in its recently released Questions & Answers.

  1. Simple navigation of the user or relying on browser settings of the user does not constitute valid consent to the use of cookies or other similar tracking technologies.
  2. Trackers used for audience measurement are exempt from obtaining user’s consent, provided they are strictly necessary for the provision of the service requested by the user, are used only to produce anonymous statistical data, do not allow the tracking of the navigation of the user, and do not allow the data to be cross-checked with other processing or for the data to be transmitted to third parties.
  3. Website publishers must always inform users about the use of all cookies including cookies for which user’s consent is not required.
  4. Website publishers are recommended to retain user’s choices for a period of six months, to not ask them to consent again and again and from page to page. This recommended retention period may vary depending on the nature of the website and the specificities of its audience.
  5. It is essential to obtain the user’s consent to allow third parties, via social network buttons, to place or read trackers on the user’s terminal equipment.
  6. Users must be informed of the identity of data controllers (including joint data controllers), any third-parties with whom their data is intended to be shared, the purposes of the use of cookies, the possibility of withdrawing consent at any time, and consequences of accepting and refusing the use of cookies. All of this information must be complete, visible and presented in a manner that is not misleading for users.
  7. Each purpose of cookies must be highlighted in a short title on the cookie banner, accompanied by its brief description. Details of the purposes of the use of cookies may be made available to the user under a drop-down button or a hypertext link, taking the user to the second information layer where a detailed description of purposes is available.
cnil faq 1

Figure 1- The detail of the purposes is available under a drop-down button that the user can activate on the first level of information

cnil faq 2

Figure 2 - Details of the purposes are available by clicking on a hypertext link on the first level of information

8. The CNIL emphasizes that it must be as easy to withdraw consent as it is to give it. This requires organizations to ensure the following:

        • Users have easy access to manage their cookie preferences via a link bearing a descriptive name such as “manage my cookies” at any time.
        • Alternatively, users have access to a configuration module that is accessible on all pages of the website by means of a static cookie icon, located for example at the bottom left of the screen.
        • “Accept all” and “Reject all” buttons are on the same information layer of the cookie consent banner.
        • “Accept all” and “Reject all” buttons are of the same size, shape, and color to not mislead users.
cnil faq 3

Figure 3 - The possibility of consenting in a granular manner can be offered on a second level of information via a button "customize my choices" inserted on the same level of information (first level) as the buttons allowing to "accept all" and to “refuse everything”.

9. The use of cookie-walls is not completely prohibited. However, their lawfulness must be assessed on a case-by-case basis.

Organizations must take immediate steps to comply with the afore-mentioned CNIL’s requirements. Securiti’s Cookie Consent Management Solution can help you build a CNIL compliant cookie consent banner, captures users’ consent, and automates revocation fulfillment.

Scan your website and maintain GDPR/CCPA/LGPD compliant cookie consent - FREE

Provide a simple and secure way for your visitors to exercise their right to opt out of the sale of their information to advertisers.

Ask for a DEMO today to understand how Securiti can help you comply with the CNIL’s cookie consent requirements with ease.

Share this

Our Videos

View More

China’s PIPL

China has drafted its new data protection law, Personal Information Protection Law (PIPL) that will strengthen the regulatory framework for privacy and data protection in China.

Learn More
View More

South Africa’s POPIA Explained

The video gives an overview of South Africa's Protection of Personal Information Act (POPIA).

Learn More
privacy policy and notice management View More

Dynamic Privacy Policies & Notices

Automatically Update & Refresh Your Policies and Notices

Learn More
View More

Universal Consent & Preference Management

Simplify and automate universal consent management

Learn More
View More

Cookie Consent Management

Automate and manage the entire consent life cycle with efficiency for various cookie compliance regulations around the world.

Learn More
View More

Sensitive Data Intelligence

Discover granular insights into all aspects of your privacy and security functions while reducing security risks and lowering the overall costs

Learn More