On January 14, the National Commission for Computers and Liberties (CNIL) presented its draft recommendation on cookies, the files used to store information about a user. This text should serve as a practical guide for site and application publishers to legally collect the consent of their users when these cookies are used to collect personal data. The president of the authority, Marie-Laure Denis, answered our questions.
What does this draft recommendation contain?
It aims to give users back control over the use of their data for advertising purposes. The CNIL insisted on several points: continuing to browse a site no longer counts as consent, and it must be as easy to refuse the deposit of a tracer as to consent to it.
This means that the user will no longer have a big green button offering to “Accept” and a small text in a corner to refuse?
There has to be symmetry between the two. In addition, users must be able to know the recipients of their data collected for advertising profiling purposes. There are texts in force which require the collection of free and informed consent but these recommendations are not generally implemented.
When will the CNIL apply these rules?
To develop this project, which is a practical guide to the procedures for obtaining consent, we conducted a consultation phase with marketing professionals and civil society. This text is now subject to consultation until February 25. Then, the CNIL college will adopt the final recommendation and we will allow public and private actors six months to adapt.
It is a year and a half after the implementation of the General Data Protection Regulation (GDPR). Why not have it applied to cookies from the start?
On cookies, given the extent of this regulation which concerns almost all websites and applications in France, it was advisable not to punish actors immediately without them knowing precisely the recommendations of the regulator. This allows for faster compliance than sanctions, which would have taken longer to clarify the general framework. Then, an adaptation period was necessary to allow the actors to be part of a more readable legal framework and to give them legal certainty.
We were also awaiting the adoption of the ePrivacy regulation [the new version of the European regulation, which will complement the GDPR] which was to enter into force on the same date as the GDPR. The adaptation period relates only to a very specific subject: the new procedures for obtaining consent for tracers. All other provisions relating to cookies remain applicable and are already controlled by the CNIL.
Many say that these rules will have a negative impact on the online advertising industry…
The CNIL does not deny that the application of European law and national law is likely to have an impact on the economic model of certain actors. This is why we have favored a concerted and progressive method while remaining pragmatic. We have, for example, compiled a list of cookies exempt from consent.
The previous European framework on personal data already had provisions on cookies. Do these recommendations represent the last chance to regulate this sector?
Given the challenges in terms of protection of privacy and massive profiling, it is essential that the rules be clear for everyone and that the regulator enforce them. There is a complex and often opaque ecosystem for the user. Our regulation aims to give visibility and transparency to the circulation of this data collected for the purpose of advertising targeting.
What do you think of the efforts of major players – Apple with Safari, Google with Google Chrome, Mozilla – to limit the use of such files?
Will ePrivacy force you to rewrite your rules?
The draft ePrivacy regulation is a text that the CNIL calls for. It could also be an opportunity to address the issue of obtaining consent at the browser level. Today, it is the GAFAs that make the configuration choices and not the user. It is important to regulate this ecosystem by imposing uniform rules. Overnight, GAFA can change the settings of their browsers, which is not satisfactory either for users or for those who are very dependent on it.