WHAT ARE COOKIES AND TRACERS?
Tracers are operations that read and/or write information in the terminal equipment of a subscriber or user of electronic communications services. There are many kinds of tracers, the best known being the cookie.
A cookie is a small file stored in a user’s terminal (computer, smartphone, video game console, etc.) at the request of the server managing the web domain visited and with which the cookie is associated. Cookies can be deposited and/or read when a website or mobile application is consulted, or when software is installed or used. Cookies and tracers have an expiry date (either the end of navigation on the site concerned or a later date).
PURPOSE OF COOKIES AND TRACERS
Tracers are used to optimize and analyze the browsing experience of users:
- Some are installed to analyze the movements and habits of consultation or consumption of Internet users, in particular in order to offer them personalized services.
- Some target the behavior of Internet users for advertising purposes by offering them targeted advertisements or for audience measurement purposes.
The applicable legal framework
The current regulations on cookies and tracers are mainly based on:
- the Data Protection Act
- Directive 2002/58/EC of July 12, 2002, known as the “Directive on privacy and electronic communications”, as amended in 2009.
The CNIL adopted new guidelines and a recommendation on the use of cookies on September 17, 2020, applicable from April 1, 2021.
The regulations lay down the following principle: prior consent must be obtained from the user before storing information on their terminal or accessing information already stored on it. This consent is the one provided for by the GDPR. It must therefore be free, specific, informed, unambiguous and easily revocable (on this point, refer to the GDPR sheet).
However, some trackers do not require user consent.
Who is affected by these regulations?
- Publishers of websites or mobile applications who deposit tracers subject to consent are considered to be data controllers.
- Third parties who deposit tracers or cookies on a publisher’s website are considered to be jointly responsible for processing.
- In general, any organization depositing and/or using tracers.
Tracer categories
- Tracers exempt from prior consent:
  - cookies whose sole purpose is to enable or facilitate electronic communication, or
  - cookies strictly necessary for the provision of an online communication service at the express request of the user.
Example: tracers that store the contents of a shopping cart on an e-commerce site, tracers that allow authentication with a service, tracers that customize the user interface (choice of language or presentation of a service), and certain audience measurement tracers whose purpose is to generate performance statistics.
- Tracers requiring prior consent
All tracers whose sole purpose is not to enable or facilitate electronic communication or which are not strictly necessary for the provision of an online communication service at the express request of the user require the prior consent of the Internet user.
These include cookies enabling personalized advertising or content sharing on social networks.
In the absence of consent (because the user refused or closed the consent form), these tracers cannot be deposited on or read from their terminal.
Merely continuing to browse a site is no longer considered a valid expression of user consent.
How to comply
- Obtain valid consent:
  - Inform the user of the existence of tracers and their purposes at the time they make a choice. Users must also be able to consult the (up-to-date) list of data controllers. This information must be visible, complete, clear and understandable.
  - Set up a means of obtaining consent prior to the deposit and reading of tracers. As long as the person has not given their consent, cookies cannot be placed on or read from their terminal.
  - Obtain consent by means of a clear and simple positive act: users must be able to accept or refuse tracers with the same degree of simplicity. Checkboxes, unchecked by default, are one way to do this.
  - The CNIL recommends that the choice expressed by users be recorded so that they are not solicited again for a certain period of time.
  - Allow the user to choose by purpose: it is preferable to collect consent independently and specifically for each purpose. Consent must be obtained again each time a new purpose is added to those initially planned. It is however possible to offer the user global consent if all the purposes are presented beforehand, for example with “accept all” or “refuse all” buttons.
- Make it easy to withdraw consent at any time: users must be able to withdraw their consent at any time. The means of withdrawal must be as simple and accessible as those used to obtain consent (e.g. a hypertext link in the footer).
- Proof of consent
Organizations using trackers and data controllers must be able to prove this consent.
The CNIL suggests various ways of keeping proof of consent:
- escrow with a third party of the computer code used by the organization obtaining the consent, for each version of its site or mobile application;
- time-stamped publication on a public platform of a digest (or “hash”) of this code, so that its authenticity can be proven a posteriori;
- a time-stamped screenshot of the visual rendering displayed on a mobile or fixed terminal, kept for each version of the site or application;
- regular audits of the consent collection mechanisms implemented by the sites or applications from which consent is collected, carried out by third parties mandated for this purpose.
WHAT ARE THE RISKS?
Penalties may be imposed by the CNIL in the event of non-compliance with these obligations, which constitutes an invasion of privacy and an infringement of data protection:
- Control measures
- Formal notices from the CNIL
- Injunction under penalty
- Fines: up to 4% of worldwide turnover or €20 million