The French CNIL (La Commission nationale de l’informatique et des libertés) has long been Europe’s frontrunner when it comes to cookie compliance. In December 2013 the CNIL published a guide to what it considers cookie compliance to look like.
The beginning of October 2014 marks the start of automated compliance checks. The CNIL will start by checking sites for compliance with its December 2013 recommendations. In particular, this is what French site owners need to take a closer look at:
- cookies are not placed or run before the user has been able to express agreement;
- the arrangements for obtaining consent by the user;
- visibility, quality and simplicity of information about cookies;
- the ability for the user to withdraw consent at any time;
- the lifetime of cookies and validity of consent (which shall not exceed 13 months).
The loi Informatique et Libertés
The requirement can be reduced to this main statement:
It is necessary to inform users of the presence, purpose and shelf life of the cookies placed in their browsers, and of the means at their disposal to oppose them.
It is a general requirement for anyone who publishes on the web, via a site or application.
What are the CNIL’s recommendations?
The CNIL therefore adopted a recommendation which proposes a 2-step procedure, mandatory since February 2014.
First Step for cookie compliance in France
The visited site must have a banner informing the user that further navigation of the site constitutes an agreement for the installation and reading of cookies. This banner must specify the purpose of the cookies used and the possibility to object (via a link to a dedicated page of the site). The banner does not disappear until the user has continued elsewhere (to another page or item on the site).
Second Step for cookie compliance in France
The user needs to be informed, in a simple and readable way, of the possibilities to accept or refuse all or some of the cookies.
To make these recommendations more accessible, the CNIL has set up a page with code examples and frequently asked questions that are helpful in understanding the scope of the requirements.
Consent to the setting of cookies cannot exceed 13 months.
Which are the cookies that are exempt from the consent rule?
As is the case in other European countries, France has exempted certain cookies from the cookie consent rule. Those are the cookies strictly necessary to offer the service sought by the user. Examples of such cookies are:
- the shopping cart cookie;
- session cookies or persistent cookies lasting a couple of hours in certain circumstances;
- authentication cookies;
- session cookies created by a multimedia reader;
- load balancer cookies;
- certain first-party analytics (PIWIK);
- persistent cookies for interface personalization.