This post was written by Daniel Kadar.
As set forth by the 24 August 2011 Ordinance, user consent is in principle required prior to the placement of cookies on an individual’s computer.
Until the revision of its guidance, the CNIL had mentioned a few exceptions to the obligation to obtain the user’s prior consent for the following cookies:
- Cookies utilized for carts on a merchant website
- SessionID cookies
- Cookies having the sole objective of contributing to the security of the IT service for the user
- Cookies allowing to identify the language spoken by the user (if applicable)
- Flash cookies containing elements that are necessary for the use of a media player if the user wants to have access to a content requiring such elements
In addition to this list, the CNIL has now, by reviewing its guidance, added statistics cookies to this list: the CNIL considers that website-going statistics are necessary to the business, and that such statistics should also allow to identify the popularity of the contents that are posted.
As a result, and given the "very limited risk on the protection of privacy", the CNIL decided that such statistics cookies should also be exempted from any prior consent.
Nevertheless, the CNIL outlined several conditions to this additional exemption:
- As with the other exempted cookies, the editor will need to inform the user of the placement of such cookies. The CNIL foresees that the website’s home page shall display a link allowing to get straight to such information that would be contained in the terms and conditions of use.
- The user shall be able to exercise his/her right of access…
- … As well as his/her right to oppose. Concerning this right, the tool that will deactivate the functionality should be easily accessible and easy to install on any device (including smart phones). Further, no information concerning the users having used this tool shall be transmitted to the tool's editor.
- The purpose of the system needs to be limited to statistics. No interconnection with other functionalities shall be possible. The generated statistics shall only be produced on an anonymous basis. These statistics shall not be used for different editors at the same time - i.e. only for one editor at once.
- The IP address shall not allow a geolocation that is more precise than allowing to identify the town of the user
- The retention period for cookies shall not be longer than six months
The CNIL added that its position is subject to the future position of the Working Party 29.
Moreover, the revised version of the guidance provides some clarification as to cookies that do not contain personal data: these are per se considered by the CNIL (and the Working Party 29) as subject to the regulation.
The CNIL finally provides additional guidance as to the procedure to be put in place in order to obtain the user’s consent.