Configure a CMP to comply with the GDPR and latest recommendations of the CNIL (French data protection authority) and the G29.
- What are the guidelines and new recommendations of the CNIL on cookies and trackers?
- What about the standards of IAB Europe?
- What are the Consent Collection Principles to be respected?
- What about the issue of geolocation data processing?
- Is scrolling down the page a valid way of giving consent?
- Can analytical cookies be considered essential?
- Summarizing the points to be aware of in CMP configuration
It is worth mentioning that, according to article 4 of the GDPR, consent can be defined as "any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". User consent is one of the six possible legal bases on which personal data may be processed.
A CMP (Consent Management Platform) is a platform for collecting user consent regarding personal data. A CMP also records, stores and retrieves consent, transmitting it to different partners when appropriate. It makes user experience more fluid and the process of consent collection easier.
However, as Armand Heslot (Privacy and Security Expert at the CNIL) reminded us during an interview for Mind Media, having a CMP does not mean that you are in compliance with the GDPR, nor that you obtain user consent in a valid manner.
So, what are the different requirements to ensure you collect user consent in a compliant way using a CMP?
What are the guidelines and new recommendations of the CNIL on cookies and trackers?
Consent must be freely given, specific, informed and unambiguous. The CNIL ensures that these conditions are respected. Indeed, as early as July 2018, just a few months after the GDPR came into force, the data protection authority called on Teemo and Fidzup to comply with these regulations. These companies allow the collection of data such as the advertising ID and geolocation data through an SDK implemented in their partners’ software.
However, the CNIL notes that these two French companies do not properly collect users’ consent for the collection of data for targeted advertising purposes. Users are not informed of the purpose of the targeted advertising process, nor of the identity of the data processor, or even that such processing is being carried out for Fidzup.
On October 23, 2019, the CNIL issued a formal notice to a third company for the same reasons. It stated that Singlespot was not collecting users’ consent for the processing of geolocation and targeted advertising data, again carried out through an SDK installed in mobile apps. Their CMP did not allow for “a clear refusal of targeting”. In addition, in these decisions, the CNIL states that a partner depositing an SDK on the publisher’s mobile application is considered as a data processor with regard to the GDPR.
To avoid sanctions, the start-ups therefore complied and installed banners to obtain consent that met the criteria set out by the GDPR. According to the CNIL, the user must know the purpose of collecting data, the identity of those with access to the data, but also what data is collected. Here we already have three vital pieces of information that must always be included in a CMP.
But it is with the formal notice issued by the CNIL to the company Vectaury on November 9th 2018 that the CNIL gives more precise recommendations on the configuration of a CMP. The data protection authority again points the finger at the lack of consent collection for geolocation data for advertising purposes through SDKs installed in the code of mobile apps. It also notes that Vectaury used data collected during real-time advertising bids without valid consent. The start-up had collected “more than 42 million advertising identifiers and geolocation data from more than 32,000 apps”. In addition, the CNIL reminds us that the partners depositing an SDK on the mobile app are the ones responsible for processing.
What about the standards of IAB Europe?
Vectaury was actually part of the Transparency and Consent Framework established by IAB Europe, which proposes a set of rules to be followed when collecting user consent through a CMP in order to standardise advertising consent. But, as Mathias Moulin, Director of Rights Protection and Sanctions at the CNIL, stated in an interview for the Journal du Net, the CNIL has not commented on the IAB framework but on the implementation of the framework that Vectaury adopted; the formal notice given to Vectaury was not a judgement on the IAB framework. Indeed, in this formal notice, the CNIL provides important clarifications on how to configure a CMP that is fully compliant with the GDPR and G29 recommendations, without invalidating the work carried out by IAB Europe.
What are the Consent Collection Principles to be respected?
As a starting point, the data protection authority states that the language used should be clear, understandable and written in simple terms, allowing the users to understand precisely what it is they are consenting to. The purposes of data collection must be clear and communicated on the first page of the banner. “I accept”, “I refuse” and “Manage my preferences” buttons to allow the user to consent or refuse can be proposed on the first page, but they must be positioned after the list of the different purposes detailed.
On the second page you can ask for consent for a specific purpose, but be careful: pre-ticked boxes are not allowed by the CNIL nor by the G29. The French data protection authority is very clear on this issue in the formal notice it gave to Vectaury.
In addition, the identity of those handling the data must appear on the first page of the banner. This allows the user to give his or her consent whilst being fully aware of the companies with access to his or her data.
Moreover, the text must not lead the user to believe that a refusal to give consent will prevent access to the site, or result in the payment of a price in order to have access.
What about the issue of geolocation data processing?
When collecting geolocation data, specific consent must be sought from the user. The CNIL reminds us of this in its formal notice, stating that a blanket acceptance, without the user being clearly informed of the existence of several processing operations or purposes, cannot meet the specificity criterion of consent required by the G29. Users of partner mobile applications therefore do not specifically consent to the processing of their geolocation data for profiling and targeted advertising purposes.
Is scrolling down the page a valid way of giving consent?
Under the CNIL's recent guidelines, consent by scrolling is no longer accepted. Publishers have 6 months to comply after the official publication of this recommendation, i.e. until December 2020.
Moreover, it is useful to remember that the duration of user consent for cookies is currently 13 months in France, but in the draft CNIL recommendation this will be changed to 6 months. Didomi will therefore automatically re-ask the user to make their choice after this period. The lifetime of a Google Analytics cookie is sometimes set by default to 24 months. To reduce the lifetime of these cookies, refer to Google's documentation.
Can analytical cookies be considered essential?
Finally, be careful: audience measurement cookies such as Google Analytics are not considered essential cookies unless they meet a number of conditions listed by the CNIL. Today, only two solutions are recognized by the CNIL as respecting these conditions: AT Internet (Xiti) and Matomo. You must therefore ask for the user’s consent when you wish to place any other such cookie on their device.
⚠ Updated October 2020: Didomi recently published an article on the new recommendations of the CNIL. Discover our page dedicated to the subject (in French) here. Or, contact us to organise a free demo and ensure compliance.
Summarizing the points to be aware of in CMP configuration:
- The user must know the purpose of the data processing, the identity of the companies with access to the data, but also the data collected in order for the consent to be valid.
- The language used to inform the user must be clear, understandable, written in simple terms and must allow users to understand precisely what it is they are consenting to.
- “Accept”, “Refuse” and “Manage preferences” buttons to allow the user to consent or refuse can appear on the first page, but they must be positioned after the list of different purposes (and not before).
- Pre-ticked boxes are not tolerated by the CNIL or the G29.
- The text must not lead the user to believe that refusal to give consent will prevent them from accessing the site or result in the payment of a price. However, cookie walls are more accepted.
- When geolocation data is collected, specific consent must be sought from the user.
- Consent by scrolling will no longer be tolerated by the CNIL (but is still tolerated for a few more months currently).
- Do not forget to give the user the possibility to retract their consent or change their configuration by clicking on a link on your site.
- The duration of the user’s cookie consent is soon to be 6 months. It is therefore necessary to automatically re-ask them to make their choices after this period.
- Audience measurement cookies are not considered essential cookies unless they comply with a certain number of conditions listed by the CNIL.
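As an added example, not Didomi's or the CNIL's code, the checklist above expressed as two runnable checks: a lint of a banner configuration (pre-ticked boxes, button position, vendor identity on the first page, scroll consent, lifetime) and a validation of a stored consent record that a site would run before loading a non-essential tracker such as an audience-measurement tag. The record and configuration shapes, the function names and the 30-day month are assumptions.

```javascript
// Added example, not Didomi's or the CNIL's code: the checklist above as two
// checks a publisher could run. Record/config shapes, function names and the
// 30-day month are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const LIFETIME_MS = 6 * 30 * DAY_MS; // draft CNIL consent lifetime: 6 months
// Only an explicit click counts; "scroll" or a pre-ticked default never does.
const AFFIRMATIVE = new Set(["accept_all", "accept_purpose"]);

// First-page banner rules from the summary; a predicate returns true when broken.
const BANNER_RULES = [
  ["pre-ticked box", c => c.purposes.some(p => p.checkedByDefault)],
  ["buttons before purposes", c => c.firstPage.indexOf("buttons") < c.firstPage.indexOf("purposes")],
  ["vendors not on first page", c => !c.firstPage.includes("vendors")],
  ["no refuse button", c => !c.buttons.includes("refuse")],
  ["scroll counted as consent", c => c.consentOnScroll],
  ["lifetime over 6 months", c => c.lifetimeDays * DAY_MS > LIFETIME_MS],
];
// Returns the names of the rules a banner configuration breaks (empty = compliant).
function lintBannerConfig(config) {
  return BANNER_RULES.filter(([, broken]) => broken(config)).map(([name]) => name);
}

// Specific consent: the purpose needs its own affirmative, unexpired choice;
// a purpose missing from the record is a refusal, never an implied "yes".
function hasValidConsent(record, purpose, now) {
  const choice = record && record.purposes && record.purposes[purpose];
  if (!choice || !AFFIRMATIVE.has(choice.action)) return false;
  const age = now - Date.parse(choice.at);
  return age >= 0 && age < LIFETIME_MS;
}
// Show the banner again when there is no record or any choice has expired.
function mustReask(record, now) {
  if (!record || !record.purposes) return true;
  return Object.values(record.purposes).some(c => now - Date.parse(c.at) >= LIFETIME_MS);
}

// Constructed sample: analytics accepted 7 months ago (expired), geolocation
// "accepted" by scrolling (invalid), ads accepted 12 days ago (valid).
const NOW = Date.parse("2020-11-01T00:00:00Z");
const SAMPLE_RECORD = { purposes: {
  analytics: { action: "accept_purpose", at: "2020-04-01T00:00:00Z" },
  geolocation: { action: "scroll", at: "2020-10-20T00:00:00Z" },
  ads: { action: "accept_purpose", at: "2020-10-20T00:00:00Z" },
} };
// Constructed banner config: one pre-ticked purpose and the old 13-month lifetime.
const SAMPLE_CONFIG = {
  purposes: [{ id: "ads", checkedByDefault: true }, { id: "analytics", checkedByDefault: false }],
  firstPage: ["purposes", "vendors", "buttons"], buttons: ["accept", "refuse", "manage"],
  consentOnScroll: false, lifetimeDays: 395,
};
```

With the sample data, `lintBannerConfig(SAMPLE_CONFIG)` reports the pre-ticked box and the 13-month lifetime, and `hasValidConsent(SAMPLE_RECORD, "analytics", NOW)` is false because the choice has expired, so the analytics tag must not be loaded until the user is re-asked.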
Want to find out how a CMP could allow your business to ensure compliance whilst also continuing to optimise monetization? Organise a free demo with Didomi.