For several months now, the consultation of any website has involved a more or less complex and time-consuming procedure for the user to validate and authorize cookies, trackers, and other partner acceptances.
The main purpose of the e-Privacy Directive, which has just come into force, is to collect – and prove – the consent of the end user before any operation of writing or reading cookies and other trackers.
In France, the system is supervised by the CNIL. It describes the rules of application in its guidelines of September 17, 2020 and assists companies in their compliance.
As providers of internet communication solutions, we are questioned by our customers on the compliance with the « GDPR » of the solutions we provide them.
The collection of consent must be facilitated by clear and easy-to-understand information for all users on the purposes of the tracers and cookies.
Thus, the consent must be :
- prior to the deposit and/or reading of cookies
- specific to each purpose
- free: its refusal must not harm the user
- univocal: it must be clearly expressed by the user, in full knowledge of the consequences of his decision
- reversible: it must be possible to withdraw it easily at any time
For the user’s convenience, it is possible to propose two levels of consent: a general one, and one detailing each of the purposes.
What is a cookie / tracker?
It is a small file deposited by a server on a user’s terminal (whatever it may be) when consulting a website, a mobile application, or even when loading or using a software or an API. Associated with the web domain of the site, it records the user’s browsing behavior and can thus be read when the site is visited again.
It can also be transferred to other domains (third-party cookies), although this practice is likely to disappear.
Cookies can be used to memorize a customer identifier or the contents of a shopping cart, to memorize linguistic preferences, to trace navigation for statistical or advertising purposes, etc.
Here is the list of cookies and trackers subject to and exempt from consent as defined by the CNIL:
Cookies and trackers subject to consent:
- cookies related to targeted advertising
- cookies from social networks, in particular those generated by their sharing buttons
Cookies and trackers exempt from consent:
- Tracers that retain the choice expressed by users on the deposit of tracers
- authentication and security tracers for the authentication mechanism
- Tracers for personalizing the user interface (if intrinsic and expected from the service)
- tracers allowing the load balancing of the equipment linked to the service
Some audience measurement tracers are exempt from consent under the following conditions
- to have a purpose strictly limited to the sole measurement of the audience of the site or the application for the exclusive account of the editor
- serve to produce anonymous statistical data only
- to keep track of the contents of a shopping cart on a commercial site or to invoice the user for the product(s) and/or service(s) purchased
- tracers allowing paying sites to limit free access to a sample of content requested by users (predefined quantity and/or over a limited period of time)
The lifetime of the trackers and the retention of data must be limited (maximum 25 months) and the data collected must not be reused.
The processing of personal data associated with these trackers remains subject to the GDPR.
To summarize, here are the steps to comply with the e-Privacy Directive:
- definition of the trackers that are essential to the operation of the solution in its environment. Even if they are not subject to consent, they may be subject to user information
- definition of cookies and trackers subject to consent, in particular those linked to sharing functionalities on social networks
- elaboration of the information content for users and the consent form, to be elaborated according to the methods defined by the CNIL
- in case of audience measurement exempted from consent, possibility (not an obligation) to have it validated by the CNIL before June 30, 2021.
- filing of proof of consent
What about video delivery interfaces and the videos themselves?
It is the responsibility of site or application designers to implement a consent form and to record proof of this form. When consent is refused, they must ensure that the site operates without cookies or trackers;
YouTube or Dailymotion videos deposit cookies and trackers subject to consent. If these videos are visible to an Internet user who has not given his/her consent, then the site is in violation of the GDPR. The site should hide the videos or use a specific integration code that disables cookies.
For example, the website of the French public radio network (France Inter) forces to accept advertising cookies to see the YouTube videos it integrates… This is one downside of not wanting to pay a professional video service (that could possibly have been French and carbon neutral):
Streamlike videos do not embed any cookies or trackers that require consent. They are therefore fully compatible with the strengthened rules of the RGPD… and they are carbon neutral!