The CNIL issued its recommendations on cookies and trackers on 1 October 2020, detailing best practices for collecting valid consent within the GDPR framework. Every actor collecting user data on its site is affected and will have to comply in the coming months. It is important to understand the deadlines set by the CNIL and to prepare a compliance schedule. This article summarises the CNIL recommendations and advises you on the steps to become compliant.
CNIL recommendations: the main points to remember
As a reminder, here is a summary of the main points to remember:
Refusing cookies must be as easy as accepting them.
Visitors must be clearly informed of the purpose of trackers before consent is given, and of the identity of all actors using trackers subject to consent.
Continuing to navigate on a site can no longer be considered as a valid expression of consent.
Users shall be able to withdraw their consent easily and at any time.
The site editor must be able to provide proof of consent at any time.
This is, of course, not an exhaustive list of the recommendations issued by the CNIL. We invite you to consult our extensive page on the subject, Recommandations CNIL : Tout savoir sur le consentement cookies et traceurs (in French), or our article My take on the CNIL's new guidelines on Cookies: 4 key ideas to remember (in English) for more information.
Or, get in contact with us if there are any questions you need answering.
The CNIL timeline: a two-step compliance process
As of the date of publication of the CNIL recommendations (October 1, 2020)
You have six months from the date of publication to be in full compliance, i.e. until the end of March 2021. The CNIL acknowledges the operational complexity of the changes and therefore favours support over enforcement during this transition period.
Please note that this six-month period only concerns the "new measures". The CNIL considers that companies should already be in compliance with the rules that were previously in force. In other words, during the coming months the CNIL's actions will be limited to checking that its 2013 recommendations are properly applied; where they are not, it can take corrective measures or impose sanctions.
At the end of the 6-month transition period
At the end of the six-month adjustment period, the CNIL will begin monitoring the application of the new framework. Inspections will focus in particular on websites and apps that have a particularly significant impact on the daily lives of citizens and whose practices raise serious compliance issues. Sanctions of several million euros for non-compliance with the GDPR have already been issued in the past, notably against Google.
Now that you know the schedule of the CNIL and the consequences incurred in the event of non-compliance, here is our advice concerning the steps to follow for a consent collection in accordance with the recommendations of the CNIL.
The steps to follow to comply with the recommendations of the CNIL
Identify and categorise the processing of personal data
The first step is to identify and categorise the various personal data processing operations carried out by your company, as well as the third parties that have access to this data. As a starting point, Didomi's compliance audit tool gives you an overview of the partners present on your sites, the cookies they set there and the lifetime of those cookies.
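The raw material for this first step is an inventory of who sets which cookie, for how long, and whether it is first- or third-party. The Node.js snippet below is an added example, not Didomi's audit tool or any code from this page: it builds that inventory from Set-Cookie response headers captured while loading one page. The site host, the captured headers, the fixed audit date and the 395-day (13-month) lifetime ceiling are all constructed assumptions; the ceiling is a parameter you should set from the CNIL's own guidance rather than from this page.

```javascript
// Added example, not Didomi's audit tool: build a cookie inventory from
// captured Set-Cookie headers (who sets the cookie, first- or third-party,
// and for how long). Runs under Node.js. The site host, the capture, the
// audit date and the 395-day ceiling are constructed assumptions.

const SITE_HOST = "www.example-shop.fr"; // constructed site under audit

// Constructed capture: [responding host, Set-Cookie header] pairs, as a proxy
// or the browser's devtools would record them while loading one page.
const CAPTURE = [
  ["www.example-shop.fr", "JSESSIONID=abc123; Path=/; HttpOnly; Secure"],
  ["www.example-shop.fr", "_ga=GA1.2.1; Domain=.example-shop.fr; Max-Age=63072000; Path=/"],
  ["ads.tracker-network.example",
    "uid=xyz; Domain=.tracker-network.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; SameSite=None; Secure"],
  ["cdn.example-shop.fr", "lang=fr; Max-Age=0; Path=/"],
];

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? "" : parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Registrable domain approximated by the last two labels. Good enough for the
// sample; a real audit needs the Public Suffix List (think "example.co.uk").
function registrableDomain(host) {
  return host.replace(/^\./, "").toLowerCase().split(".").slice(-2).join(".");
}

// Lifetime in whole days relative to `now`: null for a session cookie,
// 0 or negative when the header deletes the cookie, positive otherwise.
// Max-Age takes precedence over Expires, as in RFC 6265.
function lifetimeDays(cookie, now) {
  let seconds;
  if (typeof cookie.attrs["max-age"] === "string") {
    seconds = Number(cookie.attrs["max-age"]);
  } else if (typeof cookie.attrs.expires === "string") {
    const t = Date.parse(cookie.attrs.expires);
    if (Number.isNaN(t)) return null;
    seconds = (t - now.getTime()) / 1000;
  } else {
    return null;
  }
  return Math.round(seconds / 86400);
}

// One inventory row per Set-Cookie header, with review flags.
function auditCookies(siteHost, capture, now, maxLifetimeDays = 395) {
  const siteDomain = registrableDomain(siteHost);
  return capture.map(([host, header]) => {
    const c = parseSetCookie(header);
    // Without a Domain attribute the cookie belongs to the responding host.
    const domain = typeof c.attrs.domain === "string" ? c.attrs.domain : host;
    const party = registrableDomain(domain) === siteDomain ? "first-party" : "third-party";
    const days = lifetimeDays(c, now);
    const kind = days === null ? "session" : days <= 0 ? "deleted" : "persistent";
    const flags = [];
    if (party === "third-party") flags.push("third party: name the actor and its purpose in the banner");
    if (days !== null && days > maxLifetimeDays) flags.push(`lifetime ${days}d exceeds ${maxLifetimeDays}d`);
    return { name: c.name, setBy: host, domain: registrableDomain(domain), party, kind, days, flags };
  });
}

// Fixed clock so the output is reproducible (constructed date).
const AUDIT_DATE = new Date("2020-10-01T00:00:00Z");
console.table(auditCookies(SITE_HOST, CAPTURE, AUDIT_DATE));
```

The inventory is only as complete as the capture: cookies set from JavaScript (document.cookie) never appear in Set-Cookie headers, so a real audit also records script-set cookies and other storage (localStorage, IndexedDB) the CNIL treats as trackers.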
Prioritise the actions to be taken for compliant data collection
The second step is to prioritise actions: make sure you collect only the data your business needs, contact your partners to harmonise your practices, and determine the legal basis for each data processing operation.
Implement a CMP in line with the recommendations of the CNIL
The CNIL does not make specific recommendations about the choice of consent collection mechanism; however, applying its recommendations requires a solution for collecting consent and managing user preferences. You will therefore have to determine for yourself which consent management platform (CMP) best suits your needs, bearing in mind that it can be either built in-house or a commercial product such as the Didomi CMP.
To make sure you have the right tool for compliance, evaluate your current consent collection mechanism and, if necessary, either update it or implement a suitable solution.
Commercial CMPs have the advantage of being kept up to date with legal developments and of offering useful features such as A/B testing to improve your consent rate, or customisation of the user interface to match your brand.
If a commercial CMP is indeed the solution for you, make an appointment with our team for a free audit.
Customise your CMP to fit your needs whilst still remaining compliant
Once your consent mechanism is in place, you will need to configure the banner from your CMP console. Beyond the compliance aspects, you will have to decide what experience you want to give your users (pop-in format, bottom banner, and so on), because this affects both the consent rate and the trust your visitors place in your company.
How Didomi can help you
Keep in mind that the CNIL's recommendations are not binding in themselves; their purpose is to set out good practices for meeting the requirements of the GDPR.
It is entirely possible to adopt different practices as long as they comply with the regulations. That said, alongside its recommendations the CNIL provides a guide that allows the various actors to determine what is acceptable in terms of consent collection and management of user preferences, and thus to minimise errors of interpretation of the GDPR.
Don't wait until the last minute to comply. The rules are already established and apply as of now. Beyond the mere implementation of the recommendations, your reputation and the relationship of trust you build with your website or app users are at stake.
Didomi is constantly monitoring legal developments, adapting its platform to the standards in effect to allow our clients to remain in compliance. Do not hesitate to consult us if you have any questions or to launch your compliance process.