The guidance provides clarification on the following areas:
- The definition of “cookie” broadly includes other technology related to cookies, such as Flash cookies and local storage web.
- Users’ consent to cookies must be specific. The setting of most browsers can, according to the CNIL, be changed so that the consent of the user will be demanded for each cookie. However, in the CNIL’s view, this solution raises a number of problems. As such, browsers in the current state do not meet the requirements of the Ordinance in obtaining user consent.
- No consent is needed for cookies that are used for the sole purpose of enabling or facilitating communication, such as session cookies, cookies related to language preferences, Flash cookies necessary for a media player to operate, cookies that contribute to the security of the user, or cookies used to remember a shopping basket.
- Third-Party cookies – it is the website operator’s responsibility when the site allows a third party to place a cookies on a user’s computer.
Website operators are liable for an administrative fine of up to EUR 300,000 for any breach of the new rules, and there is the possibility of criminal sanctions. Most importantly, the information and consent requirement applies regardless of whether cookies contain personal data or not.
The CNIL stated that methods for collecting user consent can take many forms (which are not exhaustive); for example, (i) a banner just like the one used on the webpage of the UK data protection regulator (ICO); (ii) an area of application for consent, or; (iii) tick boxes when registering for an online service.
Businesses with online operations are recommended to conduct an assessment of the nature of each cookie, how intrusive they are, decide if consent is needed, and think about how users could be provided with detailed information about the cookies. This is important because if a complaint is made against a website operator, the CNIL will review what the website operator has done to ensure compliance.