It’s nearly le denouement pour le cookie consentement en France.
The Commission nationale de l'informatique et des libertés (the CNIL), France’s data protection authority, is on the cusp of finalizing its updated consent guidelines for cookies and other trackers – and the stakes are high.
“The question is not whether consent is applicable – of course it is – the question is: Will France be more strict about consent than elsewhere in Europe by giving data subjects the right to object along with every consent request?” said Etienne Drouard, a partner at Hogan Lovells, who’s also representing nine French trade organizations before the French Supreme Court in ongoing litigation against the CNIL’s recommendations.
One objective of the litigation – the final hearing is scheduled for mid-March – is to point out that some of the CNIL’s recommendations for collecting user consent go beyond what’s called for under the General Data Protection Regulation and the ePrivacy Directive.
Comments on the draft guidelines were due last week, and the final recs could be ready as soon as late March or early April. Enforcement would begin six months after a vote by the CNIL on the final recs.
The purpose of updating the guidelines, which hadn’t been revised since 2013, is to bring them in line with GDPR and give businesses clarity on how to properly gather consent. Until the recs are final, publishers and tech companies are still allowed to rely on scrolling or swiping as a form of consent gathering. After that, implied consent will no longer be acceptable.
While cookies are already on their way out, the CNIL’s recommendations would apply to any identifier that reads, writes or stores information to a consumer’s device, including the IDFA and the Android advertising ID, said Thomas Adhumeau, general counsel at French mobile ad company S4M. The CNIL also doesn’t make a distinction between first-party and third-party cookies.
Although most types of identifiers fall into the tracker category, a few exceptions do exist. Authentication and session cookies don’t require consent and can be stored for up to 24 months.
CNIL vs. GDPR
Some of the CNIL’s draft recommendations are in line with GDPR, including doing away with tacit consent and requiring that consent be specific to the purpose.
But there are also additional requirements that some consider to be an overinterpretation of the law, and these have the potential to alter the user journey and dramatically reduce the volume of data that companies are able to obtain, said Drouard, who himself spent almost three years as a lawyer at the CNIL in the late ’90s before moving into private practice.
One example is the need to provide perfect symmetry in the choices being offered to consumers, a notion that doesn’t exist under GDPR, said Adrien Thil, chief privacy officer at Paris-based ad server Smart. The CNIL’s suggested best practice is that if there’s an “Accept all” button, there also needs to be a “Refuse all” button of equal size and color right next to it.
Drouard knows that his case against the CNIL is, almost by default, unlikely to succeed. The Supreme Court in France almost always sides with independent regulators in order to dissuade reflexive litigation. And so there was nothing to lose, Drouard said.
If the CNIL wins, the recommendations will be codified, but at the very least, the ad industry is getting additional clarity on the CNIL's stance from the defense it's required to make before the court.
If his case is successful, however, the CNIL would have to redo its guidelines based on the conclusions of the court, and it would be prohibited in the future from interpreting GDPR and ePrivacy in the same way as it did in its guidelines.
But regardless of what happens with the CNIL’s cookie and tracker recommendations, there are potentially bigger changes afoot: ePrivacy.
After years of back and forth with no resolution, the Presidency of the Council of the European Union published a revised version of the proposed ePrivacy regulation in late February.
Previous drafts of the ePrivacy regulation did not include legitimate interest as a legal basis for processing non-sensitive personal information, including cookies, without consent – but this draft of ePrivacy does. If passed, this would align ePrivacy with the GDPR, which is something many people in the privacy profession weren’t sure if they’d actually live to see.
A committee within the council is set to discuss the changes at two separate meetings, one on March 5 and another on March 12.
“If the council buys into this on March 12, the ePrivacy regulation will agree with the rationales and balances set out under GDPR – which would mean no more need for a debate about this in France, as the EU regulation would define the law, not a local regulator,” Drouard said. “We’re at a moment where anything is possible on the regulatory front and on the political front.”
The CNIL responded to a request for comment but isn’t yet ready to talk publicly about the guidelines.