The French CNIL (La Commission nationale de l’informatique et des libertés) has long been Europe’s frontrunner when it comes to cookie compliance. In December 2013 the CNIL has published a guide to what it considers cookie compliance to look like

Now the beginning of October 2014 marks the start of automated compliance checks. The CNIL will start with looking at sites for compliance with their December 2013 recommendations. In particular this is what French site owners need to take a closer look at:

  • cookies are not placed or run before the user could express agreement;
  • the arrangements for obtaining consent by the user;
  • visibility, quality and simplicity of information about cookies;
  • the ability for the user to withdraw consent at any time;
  • the lifetime of cookies and validity of consent (which shall not exceed 13 months).

The loi Informatique et Libertés

The use of cookies normally requires the user’s consent. In France this is a rule under the Data Protection Act (loi Informatique et Libertés, article 32-II de la loi du 6 janvier 1978 modifiée par l’ordonnance du 24 août 2011). Those requirements have their roots in European directives, called 2002/58/CE and 2009/136/CE.

The requirement can be reduced to this main statement:

It’s necessary to inform users of the presence, purpose, the shelf life of the cookies placed in their browsers, and the means at their disposal to oppose it.

It’s a general requirement for anyone that publishes on the web, via a site or application. 

What are the CNIL’s recommendations?

The CNIL therefore adopted a recommendation which proposes to set up a 2-step procedure mandatory since February 2014.

First Step for cookie compliance in France

The visited site must have a banner informing the user that further navigation of the site constitutes an agreement for the installation and reading of cookies. This banner must specify the purpose of the cookies used and about the possibility to object (via a link to a dedicated page of the site). This banner does not disappear until the user has not continued elsewhere (another page or item on the site).

Second Step for cookie compliance in France

The user needs to be informed of the possibilities to accept or refuse all or some of the cookies in a simple and readable way.

To make these recommendations more accessible the CNIL has set up a page with code examples and frequently asked questions that are helpful in understanding the scope of the requirements:

The consent for the cookie’s setting cannot exceed 13 months.

Which are the cookies that are exempt from the consent rule?

As is the case in other European countries, France has exempted certain cookies from the cookie consent rule. Those are the cookies strictly necessary to offer the service sought after by the user. Examples for such cookies are:

  • the shopping cart cookie;
  • session cookies or persistant cookies for a couple of hours of duration in certain circumstances;
  • authentication cookies;
  • session cookies created by a multimedia reader;
  • load balancer cookies;
  • certain first party analytics (PIWIK);
  • persistant cookies for inteface personalization.

This is it. It’s going to be interesting how the whole cookie disclosure pans out in Europe. Btw. the CNIL has also announced that it is about to take part in another “Cookie Sweep Day” during the week of the 15th September. So stay tuned about another round of results regarding the use of cookies on the European web.

Use iubenda’s cookie disclosure tool

We've released a Magento 2 Module for the Cookie SolutionAustralian Privacy Law Reform 2014 in EffectCookie Solution and New IAB Framework Integration

About Us

iubenda is the easiest and most professional way to generate a privacy policy for your website, mobile app and facebook app

Generate a privacy policy now

Ready in a few steps and built to meet the needs of both website and mobile app owners

Generate your privacy policy now

Sometimes the best choice is to "just give it a try"

iubenda is the easiest and most professional way to generate a privacy policy for your website, mobile app and facebook app

Generate your privacy policy now