Introduction
In this technologically advanced world, users switch between electronic devices, from smartphones and personal laptops to TVs and tablets. On every device, they are repeatedly shown cookie banners, which can be frustrating. At the same time, it creates compliance challenges for organizations as it requires an extra effort to keep the consent records updated. To address this issue, the French data protection authority (CNIL) has published guidance on how to collect multi-device consent in a manner that is both user-friendly and compliant with the applicable laws.
Scope of the Guidance
The guidance applies to a situation where users are authenticated and logged into their accounts. Multi-device consent is a mechanism that allows a user’s consent choices to be applied across all devices, such as laptops, desktop computers, smartphones, and tablets, connected to their account. Multi-device consent facilitates the user, as the consent choices are no longer linked to a device or terminal but to the user's account associated with a website or a mobile application. When a user expresses their choice on a device connected to their account, it is automatically applied to the other devices. The user can manage the choices associated with their account regardless of the device used.
Conditions for the Implementation of Cross-Device Consent
CNIL highlights that the cross-device consent can only be lawfully implemented when the following conditions are met:
1. Transparency
To ensure transparency in the user choices, CNIL has recommended two conditions. First, if consent can be given at once using one account for multiple devices, the same must be applicable for refusal or withdrawal of consent. Secondly, the user must be informed of the scope of the consent before being able to exercise their choice so that they are informed. The information must notably specify that the choices will be applied for all devices on which the user is logged in with the same account.
The CNIL recommends providing information that is transparent, clear, and timely. It advises organizations to inform users about the multi-device consent mechanism at the first layer of the consent interface, through a consent management platform (CMP). When a user logs in on a device that was not previously linked to their account, information about the existing choices and the possibility to modify them should be made available through a temporary information banner. This banner should inform the user that the consent choices associated with their account have been saved or modified.
3. Managing Contradicting Consent Choices
Let us imagine a scenario in which a user makes a new consent choice on a device while logged out, having previously provided a consent choice while logged in. In such a case, what happens if there is a contradiction between these choices? Which choice would prevail, the most recent one or the one associated with the user’s account?
The CNIL guidance suggests a solution to this issue by providing the following two options:
- Either the most recent choice may prevail over the previous one, or
- The choices associated with the authenticated account may prevail over those made while the user was logged out.
Regardless of the approach adopted, the CNIL recommends that organizations clearly explain how such contradictions are resolved, so that users can understand which choices will ultimately be applicable.
CNIL’s Recommended Approach: The CNIL encourages organizations to develop a uniform method to facilitate users’ understanding of the multi-device consent mechanism, regardless of the mobile application or website visited. Once a user logs into the account, they must be informed of any contradiction between the choices made while being logged out and those made while being logged in, along with the means to modify the consent choices.
Furthermore, the unauthenticated logged-out consent choices should not prevail over the authenticated account-level settings. This distinction is particularly important in the case of devices shared by several family members. The individual choices associated with one account should not impact all users of the shared device when they are not authenticated to that account.
4. Data Minimization
In accordance with the GDPR’s principle of data minimization, the CNIL prevents organizations from sharing personal data, including a user’s account identifier, with service providers who might be involved in data processing, such as CMPs. It recommends systematically substituting a technical identifier to enable the reconciliation of a user’s different devices.
5. Evolution Towards a Multi-Device Consent Mechanism
When the collection of consent results in a multi-device consent mechanism for a website or mobile application, organizations must obtain a new free, specific, informed, and unambiguous consent. Indeed, consent expressed on a given device before the transition to a multi-device consent management cannot be considered valid for other devices, as the user has not been informed of the multi-device scope of the expressed consent.
Best Practice for Multi-Device Consent
As a good practice, the CNIL encourages organizations to allow the user to manage their consent choices device by device basis through the preference center. It will help them differentiate their uses and the management of their personal data based on the contexts in which they access the service and, therefore, the devices they use.
Conclusion
In today’s evolving digital world, users are increasingly concerned about their consent choices. The CNIL guidance effectively addresses the issues arising from contradictory consent choices across different devices. Organizations should be clear about their multi-device consent mechanism and inform users about it. A best practice is to give users control over their consent choices across devices so that they can adjust them according to their use. By following these best practices, users can exercise full control over their consent preferences, while organizations gain clear guidance to ensure compliance.
