These FAQs are intended to provide information about France’s updated cookie law guidance — including how this French guidance relates to EU legislation, what it means for your business, and the consequences of non-compliance.
What are France’s cookie law guidelines? How do they relate to the GDPR and the ePrivacy Directive (the “Cookie Law”)?
The ePrivacy Directive and the GDPR are the main EU legislation governing the use of cookies and similar tracking technologies. The ePrivacy Directive came into force in 2002, but has since been amended (most recently in 2009). The GDPR went into effect in 2018. While the GDPR is a regulation, meaning it has binding legal force throughout every EU member state, the ePrivacy Directive does not have that same comprehensive authority. Directives lay down certain results that must be achieved (i.e., a set of rules), but each EU member state is free to decide how to transpose directives into national laws to ensure compliance with those rules. That means all EU member states have their own cookie laws — but those laws can vary to an extent so long as they meet the core elements set out in the ePrivacy Directive.
France transposed the ePrivacy Directive into Article 82 of the French law “Informatique et Libertés” (i.e., “France’s cookie law”). The French Data Protection Authority (the “CNIL”) is responsible for enforcing that law.
In 2013, CNIL adopted guidelines on the practical implementation of France’s cookie law (“Guidelines”). Shortly after the GDPR, CNIL updated the Guidelines and issued recommendations to align with the requirements of this new EU law. In 2020, these guidelines and recommendations were updated again. Upon adopting the updated guidelines and recommendations in October 2020, CNIL announced a transition period until the end of March 2021. During this period, CNIL will not enforce any new obligations regarding cookies resulting from the newest versions of the guidelines and recommendations (i.e., “CNIL’s guidance”).
I have a website that serves (or might serve) cookies to individuals in France — what do I need to do to make sure I am compliant by this deadline?
If your business serves cookies to individuals in France, you should already have implemented cookie consent practices that satisfy previous versions of CNIL’s guidance.
After March 31, 2021, you must make sure your cookie consent practices satisfy any new obligations regarding cookie consent management resulting from the newest version of CNIL’s guidance. Specifically, you must ensure your users:
can decline to give consent as easily as they give it, and withdraw their consent as easily as they gave it (i.e., using a “reject all” style button and making it easy for your users to find where they can adjust their preferences whenever they want to do so);
consent to each individual purpose for which your business is using cookies; and
are informed of the identity of the entities depositing cookies (i.e., the list containing the identity of the entities must be made available to them at the time consent is obtained and must be regularly updated — a good practice is to “re-collect” consent every six months).
Additionally, you must be able to demonstrate to CNIL, if they ask, that you have obtained valid consent.
Previous versions of CNIL guidance established that relying on pre-ticked boxes, “bundled” consent (consent for several processing purposes at once), or a user scrolling or navigating through a website does not meet the GDPR standard for consent and cannot be construed as valid consent as required under France’s cookie law. The latest CNIL guidance clarifies that you cannot rely on a user’s cookie configuration settings from a web browser as a sufficient way to obtain valid user consent.
What happens if I am not compliant by the deadline?
Unlike the GDPR, the ePrivacy Directive, and France’s cookie law, guidance and recommendations from a data protection authority like CNIL are considered “soft law” and are not binding. However, the CNIL guidance explains how CNIL will determine whether a business is violating France’s cookie law (i.e., how it will enforce France’s cookie law). That means if your business’s cookie practices fail to satisfy the requirements laid out in CNIL’s guidance, you are likely violating France’s cookie law and may be subject to enforcement action.
After March 31, 2021, CNIL will begin enforcing France’s cookie law in the context of these new obligations and requirements resulting from the guidelines and recommendations. Because the CNIL guidance is written with GDPR in mind, if you are violating France’s cookie law, you may also be violating the GDPR.